Windows Privilege Escalation Tutorial For Beginners

Captions
Hey guys, HackerSploit here, back again with another video, and welcome back to the penetration testing boot camp. In this video we're going to be taking a look at Windows penetration testing and privilege escalation. The objective of this video is to introduce you to and familiarize you with the methodology behind performing a pen test on a Windows target. We're going to be exploring the various ways of gaining access first, but I really want to focus on what happens after you've gained initial access and how to enumerate information from the target system, and so on.

For the purpose of this video I'm going to be using the Metasploitable 3 virtual machine again. This video is not going to be focused on getting the flags, or in this particular case the cards; we are only interested in getting full administrative access on the target system, so NT AUTHORITY\SYSTEM privileges. That's our objective, and we're going to gather as much information as possible. The reason I've decided to use Metasploitable 3 is primarily because it provides us with a robust environment to work in and, in my opinion, provides users with a good understanding of how a Windows server is typically set up. It has tons of services running on it, and there are multiple ways of gaining access and of elevating your privileges, if I can actually use that word without saying anything else. Let's get started.

The first step, as you know, is going to involve scanning. There are multiple ways you can go about performing your scans; you'll typically be using Nmap, and you may also be dealing with a firewall, so there's tons of stuff you need to be considering. In my particular case I already have the results saved out and we'll just go through them. As I said, this video is not going to be focused on finding flags; we're going to be trying to get access as quickly as possible, so we're going for the low-hanging fruit. You can see my Nmap scan here. If you want to learn more about Nmap you can check out our Nmap series; it's within the penetration testing boot camp playlist.

For the services, we can see that we have FTP running on port 21 as well as OpenSSH. Now remember, this is a Windows system. If we quickly take a glance at the operating system detection here, we can see that we're pretty much guaranteed to be running Windows Server 2008 R2 to 2012. So we have an idea of what we're dealing with: we're dealing with Windows Server as opposed to a standard Windows desktop installation. We also have a web server running Microsoft IIS, which is the default Microsoft web server, right over there. We also have MSRPC, and we also have SMB running, as well as a MySQL server. The mysql-info Nmap script provides us with more information regarding the actual server version and any of the other capabilities that it could enumerate. In our particular case we're going to be looking for interesting capabilities, but we will get to MySQL when we reach there. However, we can see that the auth plugin name being used is mysql_native_password, which doesn't give us an idea of the hashing algorithm being used, but we'll get to that when we get there. We also discover a service running on port 3389, which is RDP, or the Remote Desktop Protocol, which allows us to access computers remotely, or just get a live desktop session remotely, either on the same network or on an external network. We also have a few other services running here, but one of the interesting ones that I wanted to point out, if I can just find it right over here, well, it doesn't actually give us the banner, but we'll take a look at them as we move along.

The first thing that I want to cover is something called banner grabbing. Whenever you're dealing with a service like this one here, where it doesn't give you a full banner or version numbers, then in that case you really should be using something like netcat. I can just type in the IP here and provide the port, and then you can see it tells us it's Microsoft FTP Service. It may be a little bit more difficult to enumerate more information from this, especially given the various versions that exist on the various server stacks. If we do this with port 22, or SSH, we should see the exact version, which we were already able to get, which is exactly what Nmap did. But if you're not getting the service versions, or you're not familiar with what a service is, for example if we take a look at a service that we can't really recognize, like 4848, which tells us it's ssl/appserv-http with a question mark, so it's not really sure, what we can do is run that on port 4848, which I think requires SSL, but we can just test it out to see what's going on there. We don't get anything back, which is understandable given the fact that it requires SSL, but you get the idea. We also have a GlassFish server running, which actually gives us the version number, which is 4.0. Let's see what else we have here. We have various other services running which are providing or hosting some sort of services. We also have Apache running, which is on port 8383.

So we can actually explore some of these. I'm just going to open up my browser here and we'll say 10.10.10.11, that's the IP it's being hosted on, and this is the initial web server being hosted right over here on port 80, and it's Microsoft IIS 7.5. If we view the source here, we can see that we get a value here, which I think we have already gone through before, and this value is essentially base64 code that when decoded will give us the file content of a PNG or a JPG file, which is a flag. As I said, we're not going through that; we're primarily interested in getting initial access.

If we try and enumerate more information from some of the other services that are running, for example on port 8022, let's access that and see what's running on it. On 8022 we can see we have a ManageEngine Desktop Central 9 server running. Desktop Central, as far as I remember, allows you to manage a large number of desktops and computers remotely, so it's a really great tool for administrators on a larger network, and if they're providing support and managing these computers, this can be facilitated through Desktop Central. So we can perform some enumeration regarding vulnerabilities for Desktop Central version 9. We can use searchsploit: so searchsploit, and we just say "desktop central" and hit enter, and we have what it looks like right over here: we have a vulnerability and a Metasploit module. We also have the arbitrary file upload vulnerability, which is also a Metasploit module; however, the one we're interested in is for version 9 here, so we can test this out. What we'll do is fire up the Metasploit console and we'll try and test that and see whether that works out. Excellent, so that's one service that we have running there.

We also have the service running on port 8031, which also requires an SSL certificate or is using HTTPS. So 8031, my bad, that is an incorrect URL right over there, so 8031, and it's not working. If we provide HTTPS, let's see if that works out. Yeah, that doesn't give us anything there, so it looks like this certificate isn't working or has expired, which is to be expected. We also have a GlassFish server, as I said, running on port 8080. We can also check that out as well; we hit enter and I think that does not require that, so you can see we have the GlassFish server running there, which is great. We also have another service running on port 8181 and 8383, which I think we already explored. We also have 8443, so let's try out that one first: 8443, and that isn't working. Let's try and access that over SSL. Yep, that doesn't work as well. So we can't access any of those other services. We also have another service running on port 9200, and then Microsoft Windows RPC running on the rest of the ports. In this particular case we can see that from the wap-wsp service we get what seems to be an API that provides us with various details, or just a public-facing service. We can actually try and explore it manually, so port 9200. Yeah, it just gives us the status or information pertaining to a particular service and the build hash.

So let's actually take a look at Metasploit here. What we'll do is search for Desktop Central, and we can do a bit more research on the particular exploit that we're using, which in this case is going to be the FileUploadServlet connectionId module, which we can actually try and locate here. File upload, is that the one here? Desktop Central, I think, agent upload, no, that's not the one. FileUploadServlet, this is the one right over here. So we'll use this particular module, and no payload is configured. I'm just going to set the payload to windows/x64/meterpreter based on the target architecture. In most cases Windows Server is going to be running on 64-bit; it's better to set the payload now so that we don't have to migrate and do it, or to actually get a 64-bit Meterpreter session after the fact. Show options: we can see we need to set RHOSTS, and this is for Desktop Central, which I believe was running on port, let's see if we can actually find it here because I don't remember the exact port, so 8022. So we set RHOSTS to 10.10.10.11 and then we set our port to 8022, and the target URI I believe is fine, and we also have the payload options, which are set correctly, I believe. If I can just check that one more time just to make sure my IP address is correct: that is correct, so I think this should be fine. Let's hit run and see whether we're able to get a Meterpreter session. It's executing the stager, and it deleted, or performed a cleanup of, the actual JSP file that was uploaded. If we list out the system information here, we can see we're running on Windows 2008 R2, 6.1 build 7601, Service Pack 1. The architecture is x64 and we have an x64, or 64-bit, Meterpreter session.

I'm just going to clear this out, and the first thing we want to do is perform a little bit of local enumeration. Of course, I'm guessing; I'm not really sure what our privileges are. You can see our privileges are NT AUTHORITY; however, that might be something you might get confused with. NT AUTHORITY\SYSTEM is where we have control over the entire system; NT AUTHORITY\LOCAL SERVICE means we have essentially NT AUTHORITY over a particular service, in this particular case the Desktop Central service, or the Desktop Central server, that's running. We can actually confirm this if I type in the getprivs command here: you can see that the various access tokens that we have sort of tell us what we can and cannot do on the system. We can see we have SeAssignPrimaryTokenPrivilege, which means we can perform some impersonation attacks, but we'll get to that. We also have SeImpersonatePrivilege, which is great; it means that if we can list out the various other access tokens on the system, we can impersonate them to elevate our privileges that way, because we currently are not in an elevated state, although that may seem like the case. We also have a few other access tokens here, so SeTimeZonePrivilege; these are just basic access tokens that sort of control what user has access to what, and that's what access tokens are used for on Windows.

So we can explore various ways of elevating our privileges. The first thing we need to do is, again, to perform some local enumeration, so I'll just get a shell session. We have access on the shell here, and I'll just move into the root of the C drive and we can list out the directories here. We have the GlassFish server, we have the flags here, which as I said we're not really interested in, we have inetpub, which is the Microsoft IIS web directory, and we also have a WAMP stack installed, which is interesting. So let's perform some enumeration. The first thing we want to do if we want to learn more about the system is type in systeminfo. systeminfo will give us essentially a rundown of the system and how it's configured, so for example we have the host name, the operating system name, the version. But when it comes down to privilege escalation, what you're going to be looking for are the hotfixes installed, and the hotfixes installed will give you an idea of what kernel-level exploits you can run against this target successfully. If a kernel exploit has been patched, it's going to have a hotfix code or hotfix ID, and these IDs can help you determine what exploit to use and what exploit not to use. That's what you can use this for.

The other thing we can do is use the net user command. The net user command will essentially list out all the users on the system; in this case we can see we have various user accounts that are a tribute to Star Wars, so you have chewbacca and you have the Skywalkers, etc. It's been configured that way. We also have the Administrator account, which is where we want to get essentially, and we also have the vagrant user, which is sort of the default user on the system. We can also list out the privileges that we have, as I said, similar to what we did within Meterpreter. If we list this out, this will give us the access tokens that our current account has access to and a description of what each particular access token does. In our case, as I said, we're interested primarily in SeImpersonatePrivilege, which allows us to impersonate a client after authentication. We can get more information about various groups on the system with whoami /groups, and this will list out all the groups, so you can see we have NT AUTHORITY\Authenticated Users, This Organization, Service, and so on, and we also have some of the default groups enabled over there. If we list out the host name of the machine, that again gives us an idea of what we're dealing with in terms of the host name. If we want to list out the tasks running within a shell, as opposed to a Meterpreter session, we can do this using tasklist /svc. If I hit enter, tasklist /svc gives us the various tasks and the process IDs here, and this can be very helpful in determining what service to migrate to, or if a kernel exploit or an exploit utilizes a particular service and starts up, or actually utilizes a particular exe here. It also gives us an understanding of what's running on the server at this very moment, and we can see all the services that are running: we have a PostgreSQL database, for example, and we also have Tomcat 8 running, which I believe I saw, but we will take a look at that shortly.

Now when it comes down to privilege escalation, as I said, manual enumeration is great, but in most cases you typically want to use an automated script that will enumerate important information in the context of privilege escalation and that will give you an idea of what exploits you can use to elevate your privileges. A great tool that I like using and that works consistently for me is Windows Exploit Suggester. You can just perform a quick Google search on this; I'll just open this up, and yep, this is the actual script. This script works really simply; I'll actually show you how to use it right now. It's a Python script; you do need to have Python 2 installed and these various dependencies installed. I think I already have it on my system here, so let me just, windows enum, and windows-exploit-suggester, there we are. The way this tool works is you need to first of all run the script with the update flag, and once you run update it's going to generate an XLSX or spreadsheet file that contains a list of vulnerabilities, so that's your database; that's what you're going to be using to scan for vulnerabilities based on the system information. The next thing you need to do is create a file containing the system information of your target system. The way you do this is you just type in systeminfo, and you then want to copy all of this information here from the systeminfo command and save it in a file. I'll just save it right now, right in front of you guys; there we are. I'll go into my desktop, windows enum, windows-exploit-suggester, and I'll just call this ms3.txt, so that's the system information for the Metasploitable 3 system. Then you just need to provide the following flags: you specify the database and then the systeminfo file, and then it's going to scan the system information and give you an idea of what exploits you can actually use to elevate your privileges.

So we can do that right now. I'm just going to run the Windows Exploit Suggester script and then specify the database, which in my case is right over here, so 2021 (I recommend updating it as frequently as possible), and then we type in systeminfo and ms3.txt. We're going to run that, and it's going to give us a list of all the latest exploits. The reason I've not updated my database is because we're targeting Windows Server 2008 and there aren't any new vulnerabilities that we can potentially use. So the script will give us a list of all vulnerabilities, or all potential exploits, that this server might be vulnerable to, and the ones sorted at the top here are pretty much going to be your best bet. For example you can see we have MS16; it gives us the CVE here, so MS16-135, security update for Windows kernel; it gives us the hotfix ID and the Microsoft reference to this particular exploit, and then it gives us the Exploit-DB links as well as the GitHub repository where you can find the exploit code that you can download, compile and then run on the target. When it comes down to kernel-level exploits, it's pretty much going to be a case of trial and error, and in our particular case we can use any one of these and run tests on it. For example we have MS16-032; you can perform a bit more research on these exploits, so for example MS16-032, and performing research on an exploit will tell you exactly what this exploit is used for. In our particular case here we have the Rapid7 link, which pretty much means we have a Metasploit module associated with it, so there we are. "This module exploits the lack of sanitization of standard handles in the Windows Secondary Logon Service. The vulnerability is known to affect versions of Windows 7 to 10 and Windows Server 2008 to 2012, 32-bit and 64-bit," and it's only going to work on versions of Windows with PowerShell version 2 and later and systems with two or more CPU cores. So that's important information that you need to take into consideration here.

Given the fact we already have the module here, we can try it out. It might not work, but we can try it and see whether it works. I'll just exit from this, and it's going to take me back into my Meterpreter session. I'll just put this in the background, there we are, and I can list out my sessions like so, and then I can just say use and put in the exploit name there, and then we want to set the payload. Set payload, this is very important: windows/x64/meterpreter/reverse_tcp. We then want to show the options, and we simply need to set the session ID right over here, and because our current Meterpreter session is running on port 4444 we also need to change that. So let's set the session to 1, and then we set LPORT to something like 1234, just something basic; of course, this is a very simple scenario. Then I hit run and it's going to start it, and let's see whether we get a Meterpreter session back. It looks like the exploit has run. There we go, it's going to sniff out a system shell, and it tells us "holy handle leak Batman, we have a SYSTEM shell," and it's executed on the target system. Let's see whether we get anything in response, or any Meterpreter session, because we set the payload options there. What it does is it writes a payload into a PowerShell script under the temp directory there, it's going to execute the exploit script, the operating system core count is as required, and then it's going to sniff out a privileged impersonation token. In this particular case, you can see that this is a token impersonation attack, and it says duplicating SYSTEM token and then starting the process race, holy handle.

So what I'm guessing is, if we go into the first session and then we say getprivs, we can see that our privs haven't changed, but I'm guessing that this exploit actually gives us a SYSTEM impersonation token. That means we can perform an impersonation attack here, and now it might not seem that way, but what it's done is it's actually given us an access token that we can impersonate to get NT AUTHORITY\SYSTEM privileges, because right now you can see we have very, very few access tokens or privileges assigned to our account. To do this we're going to need to leverage a built-in Meterpreter tool called incognito, so load incognito, and it's going to work, there we are. Then we can list out the various tokens that we have and the appropriate users, and you can see we don't have any tokens, which is again why I was a bit confused as to how this particular exploit worked. In this particular case, the only delegation tokens we have, we don't have any impersonation tokens, we only have NT AUTHORITY\LOCAL SERVICE, which is fine. So that means we need to do a little bit more stuff to actually elevate our privileges.

So let's take a look at our exploits again. We also have MS16-075, which is the Hot Potato attack here, which we can actually learn more about. It's the Hot Potato attack; I'll just open this right over here. So Rotten Potato, I think that is an updated version of this: local privilege escalation from Windows service accounts to SYSTEM. This is typically again going to require, or is actually going to give us, a privileged access token that we can use and then impersonate. To run this we simply need to get the URL; you can also compile it yourself if you want, which is actually recommended. I'm just going to download this script, another script, the actual binary right over here. So we've downloaded that and we can upload it to the target using Meterpreter. My current working directory, let me just go back into my C drive and I'll just save it right over here, because why not: downloads, and where, rottenpotato.exe. So that is denied, so you can see that even though we have NT AUTHORITY privileges, we can't actually make, modify, create or delete files if we don't have the ability to do that. That pretty much means if we head over to our home directory you can see it's not going to find that, which is understandable again. So if we go into the, let's see if we can actually access the Users directory, sorry, cd Users, there we are, and we can try and access the vagrant user, there we are, and if we try and upload the file again you can see access is denied. getuid again, same thing right over there. So we pretty much, I'm guessing, need to go into the ManageEngine directory, so we'll just take a step back, there we are, and we go into the ManageEngine directory and cd into Desktop Central, there we are, and probably try and upload it here, because these are the permissions that we currently have. There we are, looks like that worked out, and then to run it we simply type in rottenpotato.exe, and for some reason, actually I should do this in a shell session, my bad, and it got the actual access token here. I'll probably be making a video that covers exactly how Hot Potato attacks work. It essentially involves performing a man-in-the-middle attack on NTLM authentication, then intercepting the NTLM token, and then using that particular privileged token to complete authentication. As I said, I'll probably be making a video that explains that process, because Hot Potato attacks can be really powerful, and elevating your privileges through token impersonation also works really, really well.

So we should have an access token now; again, I'm not really sure. Let's actually take a look at how this exploit works, although I should have done that before. A new version is RottenPotatoNG, which again works well; I have used Rotten Potato, this binary right over here, which works well. So: compile, get a Meterpreter session, run the binary from step two, and then impersonate the token. We have already loaded that, so I'm just going to see whether we have any token. We go into the Meterpreter session and then list_tokens, and we hit enter, and we do have the impersonation token now. So to elevate our privileges all we need to do now is say impersonate, sorry, impersonate_token, and we'll put this in quotation marks, and we have successfully impersonated NT AUTHORITY\SYSTEM. If I type in getprivs it's still telling us we still have those particular privs, but if I say getuid we now have NT AUTHORITY\SYSTEM, and we can actually try and access the, let's see if we can actually do that, so cd Users, cd Administrator, there we are, and we can access the actual home directory for the Administrator user. So we've elevated our privileges using token impersonation. As I said, there are multiple ways you can go about performing privilege escalation and there are multiple scripts you can use to perform local system enumeration, like for example winPEAS, or the Windows privilege escalation script, which works really well.

But let's talk a little bit more about getting more control over a system, because we actually saw that we had some really cool services on the system running, like MySQL, and if we go back into our C directory right over here you can see that we have the wamp directory here. So let's try and access it and see what's going on within the wamp directory. Within the wamp directory, we'll just get into a shell session just so that we can see what's going on. We have the local, this is the web root, so let's try and access the web root first. We can see that we have a meterpreter.php there, which is really interesting, although I did not expect that to be the case, and we also have an uploads directory, nothing else. So let's check out the other directories here. We have an apps directory; what do we have in here? We have phpMyAdmin, SQL Buddy and Webgrind. Let's see what else we have running here; I'll just get into my Meterpreter session. Let's check out the folders within the uploads directory. Oh, we also have a wordpress directory, which is weird because I did not see that. Let's check out the wordpress directory. So we have WordPress; we can pretty much get the credentials for logging in to the MySQL database, as those are usually stored in wp-config.php, and because we already have access it's going to be pretty straightforward. So we cat the contents there and it should give us the credentials here: the MySQL database username is root and the password is null, which again, we need to understand that this target is designed to be vulnerable, but again there's no way of knowing that, although you might have been lucky if you provided another password. Anyway, so we can try and log in remotely, root, and the password we will specify on our own; the remote host is 10.10.10.11. We hit enter and we have access to the MySQL database. Show databases, and it looks like we have a wordpress database, cards, mysql, etc., and we now have access, as I said, to the wordpress database. If we use mysql, show tables, there we are, and we can pretty much select from user to see what other users we have, and it looks like it's listing it out in this weird way, which again, we only have one user, so that's the root user, and we don't need to change the password because the password is set to null; we can also create new users, and so on. So we've been able to get more control over the target by taking over the database.

What else can we do? Well, the other thing we can do is try and crack the user password. If I type in hashdump in the Meterpreter session, you can see it gives us all the various hashes for the users on the system. Of course, in most cases the users that we're going to be interested in getting are going to be the Administrator and any other privileged user, so I'll copy this and I'll show you how to crack this hash using John the Ripper. Another interesting thing is, before we elevated our privileges, we could have actually used this particular hash for the admin user and performed a pass-the-hash attack through SMB using the psexec utility, and I'll show you how to do that right now, but let me show you how to crack this password first, because I believe we can actually log in using RDP if we crack this hash. I'll just open up another terminal session here; we'll just exit from the MySQL database and I'll just head over to my desktop and we'll just say hash.txt, create a new file, paste in the hash there. Well, I actually need to paste in the entire hash; let me just copy the entire hash, where is it, it should be here, there we are, because we need it when cracking. There we are, and I'll paste that in there, fantastic.

So in cracking Windows hashes we say sudo john, and then the format is going to be NT, because these are NTLM hashes. Again, I will be making a video explaining the difference between LanMan hashes and NTLM hashes and explaining how NTLM hashes are structured; so for example the SID, the identifier, similar to Linux, is 500. Whenever you get an SID of 500, that pretty much means that this is the Administrator user, so again I'll be making videos that cover this entire process. And then hash.txt, and I hit enter, and that's going to begin cracking the password. Well, it actually looks like I've cracked that before, so what I'll do is just get rid of the john cache, well, not my cache, but the previous hashes that I have there, and I'll just rerun the command again. So I cleared out my previous hashes that I had cracked and ran the command again, and we were able to find the Administrator password within a fairly short amount of time. Again, I used a word list, the default word list used by john, which is under /usr/share/john/password.lst, and the password for the Administrator is vagrant, which again is fairly simple. But again, I'll show you how, in the event you're not able to crack the actual NTLM hash, to use that hash to elevate your privileges manually using the pass-the-hash attack.

So we can pretty much log in using Remmina now, or an RDP client of your choice: 10.10.10.11, the username is Administrator, the password is vagrant, we don't have a domain, hit OK, and we should be able to log in remotely. There we are, Windows Server 2008 R2, and yeah, pretty much it; we now have remote access to the NT AUTHORITY user account, or the Administrator account rather, my bad, and we can confirm this if I open up the start menu: you can see Administrator right over there, and that's done.

So let's talk about the pass-the-hash attack. All you need to do is really just copy the hash, so you're only copying the contents of the hash, the NTLM hash itself, and you're excluding the username and the SID, or the RID, I can't really remember; I'll probably need to clarify on that, but as I said I'll be making videos on this. That being said, we'll just put this in the background, there we are, and we will search for the psexec exploit here, which is a post-exploitation module. There we are, it looks like this is the one, so exploit/windows/smb/psexec, Microsoft Windows Authenticated User Code Execution. So again it uses the hash, or it passes along the hash and authenticates using the hash as opposed to using a password, and gives us access in a Meterpreter session. So we will copy that and we'll say use, put that in there, and again set the payload to windows/x64/meterpreter/reverse_tcp, show options, and we'll set LPORT to 443 like so. We then need to set RHOST, which is 10.10.10.11, and we then need to set the actual SMBUser and SMBPass, so we set SMBUser to Administrator, that is correct, and then we set the SMB password, which we're providing in hash format. Let's actually copy that; did I actually copy that? There we are, that's the one right over here, we copy that and we just provide that value there, and that is set correctly. If there is a domain you can specify that as well, as well as the share to connect to if that is required. Let me just confirm the options are set correctly; everything looks fine, so I'll just hit run, and it looks like it's working. It'll authenticate successfully and we get a second Meterpreter session. If I type in getuid, NT AUTHORITY\SYSTEM, and if I list out my privileges, which is really weird, there we are. So now we've correctly elevated our privileges and we can pretty much do whatever we want, because again we have authenticated successfully, and we haven't really exploited anything; the only thing we've done is authenticate, and then we have a payload sent, and that payload is executed using the authenticated credentials, and we now have stable access.

So yeah, that's pretty much what I wanted to cover in this video. I just wanted to have a normal, really roughly structured video on how to move from exploitation to privilege escalation and the various tools that you can use. I also wanted to cover token impersonation, because that's a very important attack that a lot of people don't usually utilize or leverage, because it can give you access really easily. We've talked about dumping hashes; there are other tools that you can use to dump hashes, for example Windows Credentials Editor. I'll just cover that right now because it's fairly simple to use; I think I've made a video on that as well. So upload /usr/share/windows, I think it's in windows-resources, and it's under wce, Windows Credentials Editor, and wce64.
so this is in the event you're not using materpreter you have a command shell session you can actually use the windows credentials editor which is just a binary that allows us to list logged on our user credentials so for example i can say let me just get into a shell session here and i just say wce64.exe and if we list out the help menu we can list the logon sessions in ntlm credentials so again we can just do that now uh using the list option and we get the uh the same hashes um the ntlm hashes uh for the for the users that are currently logged on which again is fairly simple uh to do and you can also use the mimikatz module for meterpreter which is again fairly simple to use i'll just take you through the process of using it right now because again it's it's really is very very simple and what that will do is it will dump the sam database so i'll just go back into my my temperature session and if i say load kiwi and that's going to load uh the um you know mimi cats the interpreter mimikatz module and then all i need to do is say lsa it uses the lsa dump and we're dumping the contents of the sam database and we get the ntlm hashes for all the users on the system so there's multiple ways you can do it i'll probably also be making videos on mimikats individually now you can use it to dump credentials and we'll also talk about kerberos tickets and other forms of windows authentication but i just wanted to introduce you to a few more techniques for privilege escalation that you know many people ignore really but can be very very helpful so that's going to be it for this video guys thank you very much for watching uh if you want to join into the the discussion regarding this video you can join our forum at forum.hackersploit.org and you can we can start up a discussion there if you have any feedback leave it in the comment section you can always reach me via the forum or on our social networks we're really really active on twitter so yeah that's gonna be it for this 
video and i'll be seeing you in the next video you
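As an added editorial example (not code from the video or from HackerSploit), here is the defender's-side counterpart to the psexec pass-the-hash step above. That module authenticates over SMB with NTLM and then installs a service to run its payload, so on the target it leaves a Security event 4624 (logon type 3, authentication package NTLM) followed within seconds by a System event 7045 (service installed). The script below pairs those two events from pre-parsed records. The dict layout and the field names it expects are assumptions, and the sample events are constructed, not captured logs.

```python
"""Flag PsExec-style remote execution: an NTLM network logon (Security 4624,
LogonType 3) followed shortly by a service install (System 7045).

Added example; not code from the video. It assumes events are already parsed
into dicts keyed by the field names Windows uses in those two events. The
sample events below are constructed, not real logs.
"""
from datetime import datetime, timedelta

# How closely a service install must follow the logon to be paired with it.
WINDOW = timedelta(seconds=60)

# Constructed sample events (not captured from any system).
SAMPLE_EVENTS = [
    {"time": "2021-05-18T10:00:01", "id": 4624,
     "TargetUserName": "Administrator", "TargetDomainName": "VAGRANT-2008R2",
     "TargetUserSid": "S-1-5-21-1111111111-2222222222-3333333333-500",
     "LogonType": "3", "AuthenticationPackageName": "NTLM",
     "IpAddress": "10.10.10.5"},
    {"time": "2021-05-18T10:00:03", "id": 7045,
     "ServiceName": "XyzAbcDe", "ImagePath": "%SystemRoot%\\XyzAbcDe.exe",
     "AccountName": "LocalSystem"},
    # Interactive Kerberos logon by a normal user: must not be paired.
    {"time": "2021-05-18T11:00:00", "id": 4624,
     "TargetUserName": "alice", "TargetDomainName": "CORP",
     "TargetUserSid": "S-1-5-21-1111111111-2222222222-3333333333-1105",
     "LogonType": "2", "AuthenticationPackageName": "Kerberos",
     "IpAddress": "-"},
    # A service install with no NTLM network logon in the preceding minute.
    {"time": "2021-05-18T15:00:00", "id": 7045,
     "ServiceName": "Backup Agent",
     "ImagePath": "C:\\Program Files\\Backup\\agent.exe",
     "AccountName": "LocalSystem"},
]


def rid(sid: str) -> int:
    """The last component of a SID is the relative identifier (RID)."""
    return int(sid.rsplit("-", 1)[-1])


def is_ntlm_network_logon(ev: dict) -> bool:
    """4624 with LogonType 3 (network) authenticated via NTLM."""
    return (ev["id"] == 4624 and ev["LogonType"] == "3"
            and ev["AuthenticationPackageName"].upper() == "NTLM")


def find_psexec_like(events: list) -> list:
    """Pair each 7045 service install with the NTLM network logons seen in
    the preceding WINDOW. Returns one finding dict per pair."""
    ordered = sorted(events, key=lambda e: e["time"])
    recent_logons = []  # (timestamp, event) of NTLM network logons so far
    findings = []
    for ev in ordered:
        ts = datetime.fromisoformat(ev["time"])
        if is_ntlm_network_logon(ev):
            recent_logons.append((ts, ev))
            continue
        if ev["id"] != 7045:
            continue
        for logon_ts, logon in recent_logons:
            if timedelta(0) <= ts - logon_ts <= WINDOW:
                # Built-in Administrator (RID 500) used over the network with
                # NTLM is the classic pass-the-hash footprint: rate it higher.
                privileged = rid(logon["TargetUserSid"]) == 500
                findings.append({
                    "user": logon["TargetUserName"],
                    "source_ip": logon["IpAddress"],
                    "service": ev["ServiceName"],
                    "image_path": ev["ImagePath"],
                    "seconds_after_logon": (ts - logon_ts).total_seconds(),
                    "severity": "high" if privileged else "medium",
                })
    return findings


if __name__ == "__main__":
    for finding in find_psexec_like(SAMPLE_EVENTS):
        print(finding)
```

The sixty-second window and the RID-500 weighting are the two knobs worth tuning, and an allow-list of expected service image paths removes most legitimate administration tooling that also installs services over NTLM; treat a hit as a lead, not a verdict. On the mitigation side, what the video actually found (a RID-500 account with a guessable password that works over both RDP and SMB) is exactly what unique per-host local admin passwords and restricting NTLM network logons for local accounts are meant to remove.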
Info
Channel: HackerSploit
Views: 75,052
Keywords: hackersploit, hacker exploit, hacking, kali linux, privilege escalation, penetration testing, ethical hacking, windows privilege escalation oscp, windows privilege escalation tryhackme, windows privilege escalation powershell, pentesting, windows privilege escalation, windows privilege escalation script, windows privilege escalation tools, windows privilege escalation for oscp & beyond, windows privilege escalation vulnerability, windows privilege escalation exploit
Id: aD_KlzVK834
Length: 43min 55sec (2635 seconds)
Published: Tue May 18 2021