[00:00:00] Instructor: Welcome back. Time to see how we can try to elevate our privileges on the target machine. But before we do that, I just want to play you this recording that we recorded in the previous video using Meterpreter and the record_mic command, just to see that we indeed managed to record the sound on the target machine. Let's see if we play it.

[00:00:23] Recording: "This will start recording and it should capture what I'm speaking at the moment into the microphone."

[00:00:32] You can see it did manage to record it. Now, it is not that high quality of a sound, but nonetheless we can hear what the target spoke into the microphone.

[00:00:42] Let's get back to the privilege escalation. Privilege escalation is a big topic and a more advanced topic. There are many advanced techniques that can be used to try to elevate privileges. However, we're going to be covering the scripts we can use to automate those processes. All of those scripts we have available inside of our Metasploit Framework.

[00:01:03] Now, usually we don't know whether we can elevate privileges or not. Throughout the years there have been many exploits that got patched for privilege escalation. However, maybe our target skipped some patch and is vulnerable to one of them. So what we are left with is just to try all of those scripts out and see if some of them work.

[00:01:25] What we can do to search for the privilege escalation exploits is we can first background this session that we got with our Windows 10 machine, and we can type search bypass UAC. What does this mean? Well, UAC is User Account Control, and the exploits that we will find are used to bypass it, which could allow us to elevate our program privileges to the system level.

[00:01:52] Another thing I like to search is to type search and then the year that we are currently in. Since we are at the end of 2020, we can type search 2020, and this will list out all the modules that came out this year. Inside of these modules, we will have everything. So what we want to search and filter out is Windows exploits, and preferably local Windows exploits, as we can see right here. What does local mean? It means it's getting executed on the system itself. Usually these types of local exploits try to elevate privileges. For example, here we can see a few of them, such as exploit/windows/local and then this name up here; we got another local exploit, and many more are right here. We can also see the SMBGhost exploit.

[00:02:48] Now, I know what you're thinking. I did say that Metasploit Framework doesn't have an SMBGhost module. Well, that wasn't true. However, this module is a local exploit, and it's only useful after you're already on the target machine. As we can see, it is an exploit for Windows, but it is also a local exploit. The one that we covered is the same vulnerability inside SMB version 3, just we exploited it remotely from another computer to gain a shell.

[00:03:17] But let's test it out just to see whether we manage to elevate our privileges using this exploit. So to use it, we can type use and paste the exploit. Just make sure that you've got an active session with the target machine. As you can see right here, I got session 1 active on the user account of the Windows 10 machine. If I type show info for this exploit, we can read that this is a vulnerability that exists within the Microsoft Server Message Block 3.1.1 protocol that can be leveraged to execute code on a vulnerable server. So we can see the targets right here, and all we need to set is the session ID. To do that, we can type the sessions command, check out the session ID that we got, and type set session and then 1. If I type run to execute this local exploit, well, it seems that it did something, but we didn't get a shell back, so we can assume it doesn't work.

[00:04:21] Let's try another one. If I type search 2020, for example, let us say I'm going to use this one, which is exploit/windows/local CVE 2020 service tracing. The reason why I'm using this one is because down here it says privilege elevation vulnerability. So this can be used to elevate privileges in case our target machine is vulnerable. Let's check it out: press Enter, type show info just to check out what this module does. This module leverages a trusted file overwrite with a DLL hijacking vulnerability to gain system-level access on vulnerable Windows 10 x64 targets. So our targets do match, and we do want to gain system-level access. So let us see whether this will work.

[00:05:08] There is only one option that we must set and that is required, and that option is the session. So let's type set session and then 1, press Enter, and run. Actually, it failed to validate LHOST. So let us type show options just to see which values we got. We need to set LHOST to be 192.168.1.12, which is the IP address of my Kali Linux machine. Now, also make sure that the LPORT is different than the port that you've got active inside of a session. Since I've got port 5555 active in the current session, I can specify 4444 right here, but if your Meterpreter session is running on port 4444, you need to specify a different local port. Otherwise, none of these exploits will work. So I can leave it on 4444 and type run. And it seems that this one doesn't work either.

[00:06:07] Let's try from the UAC bypass exploits. So I will type search bypass UAC, and here I will see all of the exploits for User Account Control bypass. Now, you can go ahead and try all of these local Windows bypass UAC exploits to see which ones work. Just make sure you read the information about them first before running them. But what I'm going to use in this case is this fodhelper bypass UAC. It is from 2017, and it has shown to work a lot of times in my personal experience. So I will copy the name, type use, and then I will paste the name right here. Press Enter; it configured the payload, and let's give it a try.

[00:06:56] If I type show info just to see what it does, it will tell me: "This module will bypass Windows 10 User Account Control by hijacking a special key in the registry under the current user hive and inserting a custom command that will get invoked when the Windows fodhelper.exe application is launched. It will spawn a second shell that has the UAC flag turned off."

[00:07:22] Hmm. So let's see what the options are that we must set, and we need to set the session. In my case, it's session 1, and I can use the local port 4444. And if I type run, here it is: we got another session open, we got the Meterpreter open, and this is a different session. As you can see, it is running on port 4444, so we got a shell back with this local exploit. But if we try to run the command getuid, it'll say that we are still the same account that we were before. But remember, it said in the module description that this exploit will spawn a second shell with the User Account Control flag turned off. What does this mean? Well, it means that if we try once again to run the command getsystem, that didn't work before, now we are the SYSTEM account.

[00:08:20] We did it. Right now we can say we fully owned this Windows 10 target machine, since there is nothing that we can do on it right now. And just to prove it to you, I will type getuid once again, and it'll tell me that I am the NT AUTHORITY\SYSTEM account. So feel free to test out other modules to see if they work or not. You can also try these modules on our Windows 7 virtual machine just to see how that would go.

[00:08:46] Great. Now that we've elevated our privileges, let us check out other post-exploitation modules that we can also run. See you in the next video.