Windows Enumeration With winPEAS

Captions
Hey guys, HackerSploit here, back again with another video. Welcome back to the penetration testing boot camp. In this video, or in this set of videos, we will be taking a look at the various Windows privilege escalation techniques or vectors that you can use to elevate your privileges on a Windows system. Again, this is part of the pentesting boot camp: we've covered post-exploitation, we're now moving on to privesc, and we will also be covering privesc on Linux, so I just want to make sure that we all have an understanding of where we are and where we're going.

Now, I've been getting a lot of messages regarding the Log4j, or Log4Shell, vulnerability and how to exploit it, and I'm currently working on an in-depth video that covers the exploitation not just of the vulnerability on Minecraft servers but also on the various Apache solutions out there, so do stay tuned for that.

In this video we'll be focusing primarily on performing local enumeration with a script or tool called winPEAS, which you guys have seen me use before. The objective of this video is to perform local enumeration on the system in order to identify the various vulnerabilities that we can exploit to elevate our privileges. The room that we'll be utilizing is the Windows PrivEsc room on TryHackMe. It's a free room and it's an intermediate room, so the objective here is to elevate our privileges to the highest level. I've already started the actual machine here, and let me just copy the IP there. As you can see, there are various techniques that we'll be exploring, and in my view this is pretty much one of the best rooms on TryHackMe that goes over the various privilege escalation vectors on Windows.

So without further ado, the primary access vector is via RDP, so again we're not exploiting anything on the target system, although that could be an option, but we'll just copy the xfreerdp command here to start up an RDP session. You're free to use Remmina if you want as well. So there we are, that'll open up the RDP session for us, and we'll give that a couple of seconds. It looks like it's a Windows Server box, so we'll just wait for that to load up. Looks like it's starting up cmd for some reason. There we are: Windows Server 2019 Evaluation. Now if we take a look at the instructions here, you can see that we're logging in as an unprivileged user, so I just want you to take note of that, because that's very important.

So again, as I said, we're going to be using a tool called winPEAS to perform enumeration. In the previous set of videos within the post-exploitation series I covered how to perform manual enumeration on Windows, and we were primarily focused on performing enumeration in an Active Directory environment, but the techniques are also, to some degree, applicable on a standard Windows system. So what is winPEAS? winPEAS is essentially a binary or tool that can be used to automate all the traditional information-gathering checks that you perform on a Windows system, and more specifically it gives you important diagnostic information regarding vulnerable services, more to do with elevating your privileges. Basically, it gives you a comprehensive rundown of the system configuration and any misconfigurations or vulnerabilities that we can take advantage of, and so on.

Now, the GitHub repository will be in the description section, and you can see that right over here we have the .bat file as well as the .exe binaries. If I click on that, you can see you have the source code, so you can actually go through it and compile it yourself if you're not comfortable, or if you don't feel safe, just downloading and executing a binary off the internet. So I'll click on winPEAS here and you can see, there we are, that's the source code there. I'll just take a step back, and if we take a look at the binaries we have the obfuscated releases, so if you click on that you can see that you have the non-obfuscated binaries and then you have your obfuscated binaries here. They're sorted based on the target operating system architecture, so you have 32-bit, 64-bit, as well as "any", which will run on pretty much both 32-bit and 64-bit versions of Windows. In this case it looks like it's Windows Server, so it's a 64-bit system, so we'll be utilizing the 64-bit binary. There we are. Again, you can just download it onto your Kali system, and in terms of transferring it, you can transfer it onto the target system via certutil or through a Meterpreter session.

As for the tasks here, that's already done, so we'll hit "completed", and if we move to the first, or rather the second, task here, which essentially involves generating a reverse shell executable as our primary access vector: the technique highlighted here involves setting up an SMB server and then transferring it over to the target via our RDP session. I pretty much prefer utilizing the web_delivery Metasploit module, so that's what I'm going to be doing, although you can also follow along with the techniques highlighted here.

All right, so I'll open up a new tab here and I'll start up msfconsole, and what we'll do is generate a PowerShell command that we will then execute on the target system, and that will provide us with a Meterpreter session, after which we can perform the enumeration with winPEAS. I'll give that a couple of seconds; it looks like it's starting up. msf usually takes a few seconds. There we are. I'll search for the module, and of course I covered how to use it, so you should be familiar with it now. I'll just hit copy, and we'll hit paste, and then we want to set the target as PowerShell, and we will use the binary option. So there we are, let me set that up correctly: binary, and then set the payload. If we show the options now, you can see we still need to set up the payload, so I'm going to say set payload, and then we can set up the PowerShell payload. We're going to set the payload to windows, and then we'll say powershell, and we're using a non-staged payload here, so windows/powershell_reverse_tcp. Show the options again, and we're going to set the LHOST option, so let me just check my IP here with ifconfig; tun0 is the interface, so I'll copy that. I'll say set LHOST, and we'll leave LPORT as port 4444, which is fine. Show options, and we then need to set up a few other options. One of them is going to be an advanced option, so show advanced. There we are, and the option we want to disable is the PowerShell encoded-command option, so let me see if I can find that here. That's the PowerShell EncodedCommand option; we're going to set that to false, so I'm going to copy that. Sorry, let me just get that done there: we're going to say set the PowerShell encoded command option to false. There we go, and if we now hit exploit we should get the PowerShell code that we can then execute on the target system. I'll give that a couple of seconds. There we are, it's generated it for us and it starts up the handler, so we'll copy that, head over here, and open up a command prompt. I'll give that a couple of seconds, because this is a VM after all, it's a cloud instance, and of course resources are going to be scarce. I'll just paste that in there, and of course you can get rid of the hidden option there so that it executes and doesn't close the window, if you want to actually know whether there are any errors. I'll just hit enter, and that should open up a PowerShell window here, which means that it's executed successfully. There we are, and it should send the stage; that says we are delivering the payload. We'll give that a couple of seconds. Yeah, it looks like that is done: delivering payload is done. Any errors there? Nothing. Have we got a Meterpreter session? There we are, a PowerShell session. Well, sorry, we actually need to upgrade the PowerShell session into a Meterpreter session. If we say sessions, you can see we have the PowerShell session there, so I'm going to upgrade the command shell, or the PowerShell shell, into a Meterpreter shell, and that can be done by using the sessions -u option, and the session we want to upgrade is session 1. Don't worry if it gives you the error that this may not be compatible with this module; that's simply a message to keep you aware of that. There we are, sending the stage, and we should get a Meterpreter session on the target system. There we are, Meterpreter session 2 opened. Sessions: there we are, and we get a 64-bit session, so sessions 2.

Let's perform some basic enumeration: sysinfo, getuid, and then of course you can pop a native command shell and perform all of the commands that we had taken a look at previously. In this case, however, we're just going to navigate to the root of the C drive and into the Temp directory, which is where I want to save the winPEAS binary, and then I can upload it. So I can say upload, and in my case I've saved the winPEAS binary on my desktop under windows enum, and then of course I have winPEAS there, there's the folder, and then I'm going to upload winPEASx64.exe. Upload that there, and give that a couple of seconds to complete. There we are, it looks like it's completed. Then of course we can pop a shell here, and we're currently within the Temp directory, which is great, and we can then execute the winPEAS executable, winPEASx64.exe. However, before you do that, you can open up the help menu right over here.

Now this is very important, because if you run winPEAS by default, without any arguments or any other options, it's going to go through all of the enumeration, so it's going to enumerate all of this information right over here: the domain information if it's part of a domain, system information, user information, processes, services, etc. So if you're specifically looking for a specific set of information, like the user information, I can specify that: winPEASx64.exe userinfo. Hit enter, and that will only enumerate the user information. We'll give that a couple of seconds. There we are. Let's take a look at what information this gives us, because this is quite important. First and foremost you can see that it goes through the following checklist: it checks if it's part of a domain, gets the user account info, the group list, the active users list, disabled users, admin users, and files or directories that we can search. Check if you have some admin-equivalent privileges: you can see that the current user is not part of the admin group, so we don't have any elevated privileges. We have an admin user that's part of the Administrators group, as well as the Administrator account, and then of course we have our current user account; the rest are the Guest account and the DefaultAccount, which is disabled on modern versions of Windows. As for the other piece of information, you can see you have your token privileges here, and then of course logged-on users; it only tells us that we are currently logged on, which is very important. Then it displays information about the local users, which we've already gone over, but you can get the user ID to identify whether that user is an administrator, etc. Okay, so the users that have logged on to the system: Administrator, admin, user, and so on. You get the idea.

Now we can enumerate all the information, as I said previously, by simply running winPEASx64.exe, so I'll hit enter. In this particular context, the reason why I'm using winPEAS is that winPEAS will actually help you identify all of these privilege escalation vectors and whether or not the system is vulnerable to any of them, so it'll tell you whether you have any insecure service permissions, unquoted service paths, weak registry permissions, insecure service executables, autoruns, the AlwaysInstallElevated vulnerability, and so on. So let's go back here. You can see it's still going through the checks, and I'm just going to wait for it to complete, and then I'll take you through it step by step, and that will pretty much conclude this video, because we'll then move on to the first privilege escalation vector.

If we take a look at the results from the beginning, most of it is going to be diagnostic information pertinent to the processes that are currently running, and the networking information like the interfaces, which can be useful if you're trying to pivot. It'll also enumerate other information that can be quite useful, but we'll get to that in a few seconds. There's quite a lot of information here, and you can see we have path injection vulnerabilities that have been detected, but let's take a look at the beginning. So there we are, that's where it began. First and foremost you'll get the system information: the hostname, the version of Windows, the release ID, the build version of Windows, the architecture, the actual current version, the time zone, which can be quite important, as well as the keyboard language, and then whether or not it's part of a domain, the hotfixes installed, etc. Now as for the vulnerabilities that it identifies with Watson here, these are going to be vulnerabilities pertinent to the kernel or parts of the Windows operating system that can be exploited to elevate privileges, and of course we'll be exploring kernel exploits in the next video as we progress, but this is where you typically find that information. So you get the Exploit-DB code or reference link if there is a publicly available exploit, and then you get the reference link, which could contain the exploit code or a proof of concept.

For the installed updates it will give you the hotfix ID, when it was installed, and then of course the description and the title, which is very important. In this case you can see the Microsoft updates: one of them is pertinent to Windows antivirus, or Windows Defender, and then there's a driver install which is VMware, which tells us that this is indeed a virtual machine. Then the user environment variables, which can be quite useful, and of course the system environment variables, so you can see the Temp directory specified there, the actual PATH, and the DriverData directory, and so on.

Let's take a look at some of the other options here. LSA protection: this is very important. If enabled, a driver is needed to read LSASS's memory, so again it tells us right over here that LSA protection is not enabled. We'll get to why that is important. And then of course Credential Guard is not enabled. It looks like we have cached creds; it tells us via CachedLogonsCount, which is set to 10, so credentials will be cached in the registry and accessible by the SYSTEM user, so we'll only be able to access those credentials once we've elevated our privileges. No antivirus was detected; it tells us that Windows Defender has been disabled, and in this case it makes sense, because we were able to execute the PowerShell code natively without encoding it. User Account Control status, or UAC status: it tells us that any local account can be used for lateral movement, so we can pretty much elevate our privileges directly if we were to try that right now via UAC, and I'll cover that as well, but that's very, very important, because one of the most common Windows privilege escalation vectors that you typically utilize is trying to bypass UAC, and of course there are various techniques or Metasploit modules that can be used to do that.

Let's take a look at some of the other options here that I can go through. Let's take a look at an example check: if we are trying to look for, let's see, insecure service permissions, let's see if we can find information pertinent to that. Again, this is just the system configuration there, the user information which we enumerated, and then of course the home folders, RDP sessions, the password policy, which will tell you the minimum and maximum password age and the minimum password length, which again can be used to get an idea of the length of the password if you're performing password cracking, the print logon services, and interesting processes. Right over here you can see that it identifies winPEAS as an interesting process on which we can essentially perform DLL hijacking, although in this case that's really not relevant. Let's see if we can find... there we are, services information. We're looking for insecure service permissions, there we are, so this is where you identify the weak service permissions. For example, the file permissions service, which is a vulnerable service that has been set up to demonstrate this vulnerability: you can see that for this particular service it gives you the actual path to the exe or the service, the current status is stopped, and we can start or stop it because the file permissions are set to Everyone, so any user on the system can access that service or interact with the service, and we'll actually explore that. For unquoted service paths, there we are, that's the vulnerability there: you can see we have the AWSLiteAgent there, "no quotes and spaces detected", and we can possibly exploit that, and of course we have the actual unquoted service here that we will be exploiting, "no quotes and spaces detected". All right, so of course this will tell you whether you can modify any service or registry, and in this case you can see that we can essentially modify the registry service, which again has been set up to demonstrate this. DLL hijacking: that's the winPEAS directory, so that's really not relevant there. Unquoted service path: there we are, it identifies that as well, and then of course we have an autorun program there, and so on.

So you can see that already, with winPEAS, we've been able to identify the actual services that we can exploit, in the case of the unquoted service path as well as the insecure service permissions as well as the weak registry permissions, and then of course you can go through it and enumerate as much information as possible regarding the type of privilege escalation vector you want to use. This is all path injection, and so on. Let's scroll right over here. It looks like we have "unquoted and space detected" there; that doesn't look like it's vulnerable. Let's just scroll here. There we are, we have the scheduled applications here, so this will check if you can modify other users' scheduled binaries. There we are, it looks like this is sick save credentials.bat, and we can perform some DLL hijacking there, although that's not really important to us. The other information here that I was trying to highlight, because that's quite important, there we are: right over here it will look for Kerberos tickets if you are in an Active Directory environment, and it'll tell you the actual security package credentials. You can see it's telling us that we're using NetNTLMv2, so keep that in mind if you're trying to perform password cracking. Now it's already given us our hash here, so we can use these hashes in different ways, and we'll also be exploring how to perform the pass-the-hash attack, which I've explored previously, so you really don't need to crack credentials unless it's necessary. But we also get passwords or credentials from other services or applications, and in this case you can see that we get a PuTTY session and we get the proxy username and proxy password, so we've been able to gather information there. Cloud credentials: nothing there. Unattended files: we have the unattend.xml file, which can possibly contain the Windows administrator credentials if the file has not been redacted, and in this case we get what looks like the password there, and this is of course for the admin user, so we can possibly try and authenticate, because we've already got the credentials.

So let's actually try that now. Do I need to log out, or can I just switch my current session there? Yeah, so I'm just going to sign out of that, and we'll give that a couple of seconds, and let me see if I can copy that. I'm pretty sure that has been base64-encoded, but you can pretty much log in; let's see if we can log in like so. Yeah, let's just sign out anyway. I think we might lose our Meterpreter session, but that's fine. We can try the admin or Administrator user; I think that's the correct user, Administrator, and we can paste it in there. If this doesn't work, then we can try and decode it. So I'll hit enter. Yep, it looks like there's an issue with the authentication. So what we can do is try and decode it, so I'm just going to create a file here called hash, and I'll paste in the hash there, and we can then decode it using the base64 utility: base64 --decode hash. It looks like the password is password123, so let's just take a note of that. There we are, and you can also utilize other tools if you want.

So I'm just going to log in via RDP again. Let me just go back in here and copy the command there, and we can then log in as Administrator, and let's see whether that actually works, because we pretty much have evaded any of this here. So one-two-three, and then we'll change that to Administrator. But of course we're not going to rely on this, because of the unattend file; I'll get to that in a second and what it's used for. It looks like we have an issue there. Let me just try and add... sorry, trying it: was that part of the password? Yeah, so I think what I'll do, we can also try the admin user, because it's not specified what user within the unattend file is the user account for this particular password, but we can check it. It looks like it's the admin user, so there we are, we're able to log on as the admin user, and we should have elevated our privileges. So again, as I said, winPEAS is an extremely powerful tool, and that's really what I'm trying to demonstrate here. This is one of the vectors that you can utilize, and we pretty much explored it; I believe it's covered somewhere here, it may have been covered, although I'm not really sure, but there we are, you can utilize that, and that's something that I've covered in my book, so you can learn more about that there.

The unattend file, if you're not familiar with it, is a configuration file that's created when you're mass-installing Windows systems on a network. Let's say you've been tasked to install Windows on more than five systems: you can automate the account creation process through the unattend configuration file, where you can specify the administrator credentials and then any other operating-system-specific configurations that you want set up during the installation process. Sometimes it's not cleaned up by administrators, so if it's not cleaned up you can get the admin credentials from there and you don't have to go through the process of elevating your privileges manually. And of course our Meterpreter session right over there died, because we signed out and we didn't set up persistence, so we can just terminate that, and if we list out our sessions, I think we've lost all our sessions. Do we have... there we are, okay. So what we can do is generate a new one. It looks like that job is still running, yeah, so I'll kill the job (jobs -k), and we can then hit exploit again, generate the PowerShell code, execute it as the admin user, and we'll then get a Meterpreter session with administrative privileges.

All right, so I think I've covered how to use winPEAS. As I said, you can take a look at the help menu if you're looking for specific sets of information, but I would recommend running it with the default configuration at least once and then going through all the information step by step, because you really don't want to miss anything. Now that we've taken a look at how to identify these privilege escalation vulnerabilities, in the next set of videos we'll be exploring these privilege escalation attack vectors and taking a look at how they can be exploited in order to elevate our privileges. We've already explored one of them, but I didn't want to get into that; I just wanted to show you how powerful this tool is. So that's going to be it. As I said, the Log4Shell video will be coming out, so stay tuned for that; it's going to be an in-depth video that covers exploitation as well as patching, and we'll be taking a look at that as well. Let me know what you guys think in the comment section. If you want to reach out to me, you can do so on our Discord server; the link to that is in the description section, or you can contact me directly via Twitter. Thank you very much for watching, and I'll be seeing you guys in the next video. A huge thank you to all of our patrons; your support is greatly appreciated, and this is a formal thank you, so thank you Shamir Douglas, Ryan Carr, Sandor, Michael Busby, sits up doozy defean, Barry Dustin, on president, Michael Hubbard. Your support is greatly appreciated, and you keep us making even more high-quality content for you guys, so thank you.
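As an added example, not code from the video or from the winPEAS project: three of the checks winPEAS automates in the walkthrough above (unquoted service paths, unattend answer files, and the LSA protection / Credential Guard / cached logons / UAC / AlwaysInstallElevated registry settings), written out in PowerShell so you can see which files and registry values the corresponding lines of winPEAS output come from. Function names are mine; the answer-file locations, the suffix Microsoft appends before base64-encoding unattend passwords, and the registry values are the documented ones. The writable-directory probe creates and deletes a temporary file, so it is an assumption that touching disk is acceptable on your engagement.

```powershell
# Added example (not from the HackerSploit video or the winPEAS project): hand-rolled versions
# of three winPEAS checks. Run as the unprivileged user on the target; no modules required.

function Test-WritableDirectory {
    # Creates and deletes a random file; $true if the current token can write into $Path.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    $probe = Join-Path $Path ([IO.Path]::GetRandomFileName())
    try { [IO.File]::WriteAllText($probe, ''); Remove-Item -LiteralPath $probe -Force; return $true }
    catch { return $false }
}

# 1. Unquoted service paths. For C:\Program Files\Unquoted Path Service\Common Files\svc.exe the
#    SCM tries C:\Program.exe, then "C:\Program Files\Unquoted.exe", ... before the real binary,
#    so a writable directory along the way lets us plant a binary that runs as the service account.
function Get-UnquotedServicePath {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $path = $svc.PathName
        if (-not $path -or $path.StartsWith('"')) { continue }
        $end = $path.IndexOf('.exe', [StringComparison]::OrdinalIgnoreCase)
        if ($end -lt 0) { continue }
        $image = $path.Substring(0, $end + 4)
        # Skip paths without spaces and anything under %SystemRoot%, which is not user-writable anyway.
        if ($image -notmatch ' ' -or $image -like "$env:SystemRoot\*") { continue }
        $parts = $image -split ' '
        $candidates = @(for ($i = 1; $i -lt $parts.Count; $i++) { ($parts[0..($i - 1)] -join ' ') + '.exe' })
        [pscustomobject]@{
            Service   = $svc.Name
            RunsAs    = $svc.StartName
            ImagePath = $image
            Writable  = @($candidates | Where-Object { Test-WritableDirectory (Split-Path -Path $_ -Parent) })
        }
    }
}

# 2. Unattend / sysprep answer files. <Password><Value> is base64. Windows' own format is UTF-16LE
#    of the password with "Password" (or "AdministratorPassword") appended; hand-made lab files are
#    often plain base64 of the ASCII password (the video decoded one to password123), so handle both.
function ConvertFrom-UnattendPassword {
    param([string]$Encoded, [string]$Suffix = 'Password')
    try { $bytes = [Convert]::FromBase64String($Encoded) } catch { return $Encoded }  # not base64: already plain
    $utf16 = ($bytes.Length -ge 2) -and ($bytes.Length % 2 -eq 0) -and ($bytes[1] -eq 0)  # ASCII in UTF-16LE
    $text = if ($utf16) { [Text.Encoding]::Unicode.GetString($bytes) } else { [Text.Encoding]::UTF8.GetString($bytes) }
    if ($text.EndsWith($Suffix)) { $text.Substring(0, $text.Length - $Suffix.Length) } else { $text }
}

function Get-UnattendCredential {
    $locations = @(
        "$env:SystemDrive\unattend.xml",
        "$env:SystemRoot\Panther\Unattend.xml",
        "$env:SystemRoot\Panther\Unattend\Unattend.xml",
        "$env:SystemRoot\Panther\Autounattend.xml",
        "$env:SystemRoot\System32\Sysprep\sysprep.xml",
        "$env:SystemRoot\System32\Sysprep\Unattend.xml"
    )
    foreach ($file in $locations | Where-Object { Test-Path -LiteralPath $_ }) {
        [xml]$doc = Get-Content -LiteralPath $file -Raw
        # local-name() sidesteps the unattend XML namespace; SelectSingleNode avoids the clash between
        # a child <Value> element and XmlNode's own .Value property.
        foreach ($pw in $doc.SelectNodes('//*[local-name()="Password" or local-name()="AdministratorPassword"]')) {
            $value = $pw.SelectSingleNode('*[local-name()="Value"]')
            if (-not $value) { continue }
            $plain = $pw.SelectSingleNode('*[local-name()="PlainText"]')
            $password = if ($plain -and $plain.InnerText -eq 'true') { $value.InnerText }
                        else { ConvertFrom-UnattendPassword -Encoded $value.InnerText -Suffix $pw.LocalName }
            [pscustomobject]@{ File = $file; Element = $pw.LocalName; Password = $password }
        }
    }
}

# 3. Registry values behind the "LSA protection", "Credential Guard", "cached creds", "UAC" and
#    "AlwaysInstallElevated" lines of the winPEAS output.
function Get-RegValue {
    param([string]$Key, [string]$Name)
    (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name   # $null if absent
}

function Get-PrivescRegistrySettings {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $wl  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $msi = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
    [pscustomobject]@{
        LsaProtection     = (Get-RegValue $lsa 'RunAsPPL') -eq 1                 # LSASS runs as PPL: a signed driver is needed to read it
        CredentialGuard   = (1, 2) -contains (Get-RegValue $lsa 'LsaCfgFlags')   # 1 = on with UEFI lock, 2 = on without
        CachedLogonsCount = Get-RegValue $wl 'CachedLogonsCount'                 # default 10; cached hashes are readable only as SYSTEM
        UacEnabled        = (Get-RegValue $uac 'EnableLUA') -ne 0
        # 1 = local admins get a full, unfiltered token over the network, so any local admin account
        # can be used for lateral movement, which is what the UAC line in winPEAS reports.
        LocalAccountTokenFilterPolicy = Get-RegValue $uac 'LocalAccountTokenFilterPolicy'
        # Both HKLM and HKCU must be 1 for a low-privileged user to install an .msi as SYSTEM.
        AlwaysInstallElevated = ((Get-RegValue "HKLM:\$msi" 'AlwaysInstallElevated') -eq 1) -and
                                ((Get-RegValue "HKCU:\$msi" 'AlwaysInstallElevated') -eq 1)
    }
}

Get-UnquotedServicePath | Format-List
Get-UnattendCredential | Format-Table -AutoSize
Get-PrivescRegistrySettings
```

For an unquoted-path hit, the Writable list is what matters: an empty list means the path is unquoted but not exploitable from this account, which is the usual case for the AWSLiteAgent false positive winPEAS flags. The unattend decoder strips the documented suffix only when it is present, so a lab file that base64-encodes the bare password (as in the room) and a real sysprep file both decode cleanly.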
Info
Channel: HackerSploit
Views: 1,939
Keywords: hackersploit, hacker exploit, hacking, kali linux, winpeas, winpeas tutorial, winpeas oscp, winpeas usage, enumeration with winpeas, winpeas enumeration, windows, windows enumeration, windows enumeration tool, windows enumeration oscp, windows post exploitation, windows post exploitation oscp, windows post exploitation metasploit, windows local enumeration, local enumeration, windows pentesting, windows pentesting tools, pentesting, hacker, ethical hacking, kali
Id: dSa_mdg3gCg
Length: 27min 36sec (1656 seconds)
Published: Tue Dec 14 2021