1 00:00:00,240 --> 00:00:02,009 Instructor: Okay, welcome back. 2 00:00:02,009 --> 00:00:06,180 Let's continue with our attacktive directory. 3 00:00:06,180 --> 00:00:09,720 So, what we did, for now, is we performed the two tasks 4 00:00:09,720 --> 00:00:12,480 of enumerating our attacktive directory 5 00:00:12,480 --> 00:00:15,930 and gathering users via "Kerberos". 6 00:00:15,930 --> 00:00:18,420 This is the interesting information that we found 7 00:00:18,420 --> 00:00:21,300 as we see admin gave us hash 8 00:00:21,300 --> 00:00:25,350 and we, also, noticed an unusual backup account, 9 00:00:25,350 --> 00:00:28,740 which had a valid username response. 10 00:00:28,740 --> 00:00:32,640 Okay, so, now, since, we answered all of these questions, 11 00:00:32,640 --> 00:00:35,280 let's move on to the task number five, 12 00:00:35,280 --> 00:00:39,807 which is exploitation or abusing "Kerberos". 13 00:00:40,770 --> 00:00:44,640 So, here, we could read the introduction. 14 00:00:44,640 --> 00:00:48,060 So, after the enumeration of user accounts is finished, 15 00:00:48,060 --> 00:00:51,390 we can attempt to abuse a feature within "Kerberos" 16 00:00:51,390 --> 00:00:55,127 with an attack method called "ASREPRoasting". 17 00:00:56,347 --> 00:01:00,217 "ASREPRoasting" occurs when a user has the privilege, 18 00:01:00,217 --> 00:01:04,440 "Does not require pre-authentication" set. 19 00:01:04,440 --> 00:01:06,690 This means that the account does not need 20 00:01:06,690 --> 00:01:09,300 to provide valid identification 21 00:01:09,300 --> 00:01:12,270 before requesting a "Kerberos" ticket 22 00:01:12,270 --> 00:01:15,090 on the specified user account. 23 00:01:15,090 --> 00:01:17,370 Now, if you read about active directory in "Kerberos", 24 00:01:17,370 --> 00:01:18,690 you will know, 25 00:01:18,690 --> 00:01:21,720 or you will notice the term "Kerberos" tickets. 26 00:01:21,720 --> 00:01:24,930 And in this exploitation part, 27 00:01:24,930 --> 00:01:27,810 we are going to need a tool called "Impacket" 28 00:01:27,810 --> 00:01:30,990 that will allow us to generate this attack. 29 00:01:30,990 --> 00:01:32,670 So, if you click on the "Impacket", 30 00:01:32,670 --> 00:01:34,890 it'll allow you to download the tool. 31 00:01:34,890 --> 00:01:36,750 I have already downloaded it, 32 00:01:36,750 --> 00:01:39,990 so, I have it on my "Calinix" machine. 33 00:01:39,990 --> 00:01:43,440 But if you didn't, you need to download it first. 34 00:01:43,440 --> 00:01:45,390 The tool that we will need for this lecture, 35 00:01:45,390 --> 00:01:48,390 is called "GetNPUsers.py", 36 00:01:48,390 --> 00:01:49,860 which is a part of the "Impacket" 37 00:01:49,860 --> 00:01:53,820 and it will be located wherever your "Impacket" is, 38 00:01:53,820 --> 00:01:54,900 slash examples 39 00:01:54,900 --> 00:01:57,390 and there, you will see the tool. 40 00:01:57,390 --> 00:02:00,510 This will allow us to query "ASReproastable" accounts 41 00:02:00,510 --> 00:02:02,850 from the key distribution center. 42 00:02:02,850 --> 00:02:05,220 The only thing that's necessary to query accounts, 43 00:02:05,220 --> 00:02:07,020 is a valid set of usernames, 44 00:02:07,020 --> 00:02:10,770 which we enumerated previously via "Kerbrute". 45 00:02:10,770 --> 00:02:14,400 Here, it gives us a note that "Impacket" may, also, need us 46 00:02:14,400 --> 00:02:18,600 to use the "Python" version that is above 3.7. 47 00:02:18,600 --> 00:02:21,000 And since, I, already, have that, 48 00:02:21,000 --> 00:02:22,860 that's good for me. 49 00:02:22,860 --> 00:02:25,890 We can go and proceed to the questions. 50 00:02:25,890 --> 00:02:27,930 So, "We have two user accounts 51 00:02:27,930 --> 00:02:30,810 that we could, potentially, query a ticket from. 52 00:02:30,810 --> 00:02:33,480 Which user account can you query a ticket from 53 00:02:33,480 --> 00:02:34,590 with no password?" 54 00:02:34,590 --> 00:02:38,310 And the answer is here, is "svc-admin", 55 00:02:38,310 --> 00:02:41,550 since, we got the hash for it. 56 00:02:41,550 --> 00:02:43,260 But let's, also, get it 57 00:02:43,260 --> 00:02:46,260 with a tool provided to us by "Impacket", 58 00:02:46,260 --> 00:02:48,090 we, already, got the hash from here. 59 00:02:48,090 --> 00:02:50,940 But if I go and change my directory 60 00:02:50,940 --> 00:02:55,590 to "/opt/impacket/examples" 61 00:02:55,590 --> 00:02:58,977 and I run the "python3 GetNPUsers", 62 00:02:59,878 --> 00:03:00,810 (typing on the keyboard) 63 00:03:00,810 --> 00:03:04,110 it should open the help menu. 64 00:03:04,110 --> 00:03:06,540 Here, we have the help menu 65 00:03:06,540 --> 00:03:10,920 and here, we have a small example of the commands 66 00:03:10,920 --> 00:03:11,753 that we can run. 67 00:03:11,753 --> 00:03:13,710 So, for example, "Get a TGT for a user", 68 00:03:13,710 --> 00:03:15,540 which is useful for us. 69 00:03:15,540 --> 00:03:16,920 Here, is how we can do that. 70 00:03:16,920 --> 00:03:18,990 So, "GetNPUsers.py", 71 00:03:18,990 --> 00:03:21,780 then, we provide the domain, the full domain 72 00:03:21,780 --> 00:03:23,160 to the active directory 73 00:03:23,160 --> 00:03:25,680 and then, the account that we are targeting. 74 00:03:25,680 --> 00:03:26,940 So, let's try that. 75 00:03:26,940 --> 00:03:30,930 We, also, need to use the "-no-pass" option, 76 00:03:30,930 --> 00:03:32,970 which is described, I think, right here. 77 00:03:32,970 --> 00:03:36,810 For this operation, you don't need the account's password. 78 00:03:36,810 --> 00:03:41,810 It is, however, important to specify this "-no-pass" option 79 00:03:41,820 --> 00:03:43,110 in the script. 80 00:03:43,110 --> 00:03:45,183 Okay, so, let's give it a try, 81 00:03:46,147 --> 00:03:48,890 "python3 GetNPUsers" 82 00:03:48,890 --> 00:03:50,460 (typing on the keyboard) 83 00:03:50,460 --> 00:03:55,410 and let me just clear the screen first. 84 00:03:55,410 --> 00:03:57,900 So, "python3 GetNPUsers" 85 00:03:57,900 --> 00:03:59,820 and, here, we want to use our domain, 86 00:03:59,820 --> 00:04:02,490 which is "spookysec.local". 87 00:04:02,490 --> 00:04:03,870 We want to target the account, 88 00:04:03,870 --> 00:04:07,470 we can do that by providing the slash and the account name 89 00:04:07,470 --> 00:04:09,300 after the domain. 90 00:04:09,300 --> 00:04:14,300 Then, as we were told, we can use the "-no-pass" option 91 00:04:14,460 --> 00:04:19,230 and I'll use the "-dc-ip", just to provide the "IP" address, 92 00:04:19,230 --> 00:04:24,230 in case, it can't find it on the network, or over "VPN". 93 00:04:24,414 --> 00:04:25,560 (clicks) 94 00:04:25,560 --> 00:04:27,480 Okay, awesome. 95 00:04:27,480 --> 00:04:29,550 So, this command should be complete. 96 00:04:29,550 --> 00:04:31,263 And if I run it, 97 00:04:32,640 --> 00:04:33,473 here, it is. 98 00:04:33,473 --> 00:04:36,600 We got the "TGT" for "svc-admin", 99 00:04:36,600 --> 00:04:40,980 the same output that we got once, running the "Kerbrute". 100 00:04:40,980 --> 00:04:43,680 In the previous lecture, we got the hash value 101 00:04:43,680 --> 00:04:44,850 of the password. 102 00:04:44,850 --> 00:04:46,170 And, now, all we need to do 103 00:04:46,170 --> 00:04:50,610 to get the password of the "svc-admin" account, 104 00:04:50,610 --> 00:04:52,860 is to crack this hash. 105 00:04:52,860 --> 00:04:56,130 Now, we do have the password list from the previous lecture 106 00:04:56,130 --> 00:04:56,963 that we downloaded, 107 00:04:56,963 --> 00:05:00,780 so, we're going to use that to crack the password. 108 00:05:00,780 --> 00:05:02,850 Now, you can, already, answer some of the questions, 109 00:05:02,850 --> 00:05:03,683 right here. 110 00:05:03,683 --> 00:05:05,910 The "svc-admin" is answered for the first question. 111 00:05:05,910 --> 00:05:07,860 And "Looking at the Hashcat example," 112 00:05:07,860 --> 00:05:09,630 now, this is not that important, 113 00:05:09,630 --> 00:05:10,980 these two are not that important. 114 00:05:10,980 --> 00:05:12,300 But if you want to answer, 115 00:05:12,300 --> 00:05:16,470 the answer is "Kerberos 5 AS-REP etype 23" 116 00:05:16,470 --> 00:05:18,360 And "What mode is the hash?" 117 00:05:18,360 --> 00:05:20,340 I didn't, really, search this, 118 00:05:20,340 --> 00:05:21,420 but you can give it a try. 119 00:05:21,420 --> 00:05:23,970 Try to search it and paste it right here. 120 00:05:23,970 --> 00:05:27,120 But once again, it's not that important. 121 00:05:27,120 --> 00:05:31,290 What is important, is for us to crack this hash. 122 00:05:31,290 --> 00:05:36,290 So, copy the entire hash and let's go to desktop, 123 00:05:38,070 --> 00:05:40,237 let's "nano hash.txt" 124 00:05:41,175 --> 00:05:44,250 (typing on the keyboard) 125 00:05:44,250 --> 00:05:47,790 and we can save it right here, "Paste Clipboard" 126 00:05:47,790 --> 00:05:52,320 and we can just save the hash, right? 127 00:05:52,320 --> 00:05:54,990 And now, you can use any tool that you want 128 00:05:54,990 --> 00:05:56,370 to crack this hash. 129 00:05:56,370 --> 00:05:58,650 The easiest one would, probably, be to use "john", 130 00:05:58,650 --> 00:06:00,120 since, all we need to do, 131 00:06:00,120 --> 00:06:04,100 is specify "john hash.txt --wordlist" 132 00:06:05,160 --> 00:06:08,340 and, here, we specify which wordlist we want to use 133 00:06:08,340 --> 00:06:09,570 and we want to use the one 134 00:06:09,570 --> 00:06:12,690 that's provided to us in this specific challenge, 135 00:06:12,690 --> 00:06:15,480 which is this "Passwordlist.txt". 136 00:06:15,480 --> 00:06:17,403 And once, I press enter, 137 00:06:18,360 --> 00:06:19,610 here it is. 138 00:06:19,610 --> 00:06:21,870 It managed to crack the password 139 00:06:21,870 --> 00:06:26,370 and the password is "management2005", 140 00:06:26,370 --> 00:06:30,753 which is, also, the answer to the last question, right here. 141 00:06:31,627 --> 00:06:34,260 "Crack the hash with modified password list provided, 142 00:06:34,260 --> 00:06:36,660 what is the user accounts password?" 143 00:06:36,660 --> 00:06:40,767 The user accounts password is "management2005". 144 00:06:42,150 --> 00:06:45,330 Okay, now, this can be considered 145 00:06:45,330 --> 00:06:47,400 as full exploitation being over, 146 00:06:47,400 --> 00:06:49,770 since, we managed to compromise the account. 147 00:06:49,770 --> 00:06:51,930 But let's see, what we can do 148 00:06:51,930 --> 00:06:55,230 with this password that we cracked. 149 00:06:55,230 --> 00:06:57,960 So, let's move on to the next part of the enumeration, 150 00:06:57,960 --> 00:07:00,600 which is right after the exploitation. 151 00:07:00,600 --> 00:07:04,080 And let's see, what things we can do, right here. 152 00:07:04,080 --> 00:07:06,270 So, with the user's account credentials 153 00:07:06,270 --> 00:07:10,470 we, now, have significantly more access within the domain. 154 00:07:10,470 --> 00:07:13,260 We can, now, attempt to enumerate any shares 155 00:07:13,260 --> 00:07:16,440 that the domain controller may be giving out. 156 00:07:16,440 --> 00:07:18,100 Okay, for this, 157 00:07:18,100 --> 00:07:18,933 (typing on the keyboard) 158 00:07:18,933 --> 00:07:21,810 to enumerate, we can use "smbclient". 159 00:07:21,810 --> 00:07:25,680 Now, "smbclient" will most likely need to be used 160 00:07:25,680 --> 00:07:27,696 with "sudo" (indistinct) type, 161 00:07:27,696 --> 00:07:30,300 "sudo smbclient", 162 00:07:30,300 --> 00:07:33,120 with "-U" option, we specified the domain 163 00:07:33,120 --> 00:07:36,180 with the account that we want to log into. 164 00:07:36,180 --> 00:07:40,830 So, let's specify "spookysec.local", 165 00:07:40,830 --> 00:07:43,140 we want to use "svc-admin" 166 00:07:43,140 --> 00:07:45,960 and we want to use "-L" option 167 00:07:45,960 --> 00:07:49,260 and "-L" option in the "smbclient" is used 168 00:07:49,260 --> 00:07:52,200 to list all the shares on the domain. 169 00:07:52,200 --> 00:07:54,270 All we need to do, is specify the "//" 170 00:07:54,270 --> 00:07:57,270 and then, the "IP" address of the domain. 171 00:07:57,270 --> 00:07:58,950 I think, we, already, have it copied, 172 00:07:58,950 --> 00:08:01,230 or no, we do have the hash copied now. 173 00:08:01,230 --> 00:08:05,114 So, let me just re-copy the domain, 174 00:08:05,114 --> 00:08:05,947 (clicks) 175 00:08:05,947 --> 00:08:06,843 paste it right here. 176 00:08:07,890 --> 00:08:09,840 And the first thing that it will ask, 177 00:08:09,840 --> 00:08:11,130 is for the "sudo" password 178 00:08:11,130 --> 00:08:14,550 and then, it'll ask for the "svc-admin" password. 179 00:08:14,550 --> 00:08:15,810 We, already, cracked it 180 00:08:15,810 --> 00:08:20,810 and we know, that the password is "management2000". 181 00:08:23,790 --> 00:08:25,140 Okay, so, for some reason, 182 00:08:25,140 --> 00:08:28,200 we get the "NT_STATUS_LOGON_FAILURE". 183 00:08:28,200 --> 00:08:30,150 So, I might have typed it incorrectly. 184 00:08:30,150 --> 00:08:31,115 Let me just- 185 00:08:31,115 --> 00:08:33,870 (typing on the keyboard) 186 00:08:33,870 --> 00:08:35,340 okay, here it is. 187 00:08:35,340 --> 00:08:38,860 Now, it worked and now, we can see all the shares 188 00:08:40,115 --> 00:08:41,700 that are in this domain. 189 00:08:41,700 --> 00:08:43,380 So, we can see there is six of them, 190 00:08:43,380 --> 00:08:46,470 we have "ADMIN$", we have this "backup", 191 00:08:46,470 --> 00:08:48,270 which, once again, is interesting to us, 192 00:08:48,270 --> 00:08:51,060 we have "C$", "IPC$", "NETLOGON" and "SYSVOL". 193 00:08:51,060 --> 00:08:53,100 And the reason why "backup" is interesting to us, 194 00:08:53,100 --> 00:08:55,770 is because it's not common to be here. 195 00:08:55,770 --> 00:08:57,240 Others are common to be here 196 00:08:57,240 --> 00:09:00,963 and "backup" is something that's sticking out, once again. 197 00:09:02,190 --> 00:09:04,387 So, to answer some of these questions, 198 00:09:04,387 --> 00:09:08,250 "What utility can we use to map remote SMB shares?" 199 00:09:08,250 --> 00:09:09,420 We, already, saw. 200 00:09:09,420 --> 00:09:10,980 It's "smbclient". 201 00:09:10,980 --> 00:09:13,110 We can provide it, right here, as answer. 202 00:09:13,110 --> 00:09:15,270 Which option we use to list the shares? 203 00:09:15,270 --> 00:09:18,150 So, we use the "-L" option 204 00:09:18,150 --> 00:09:20,857 and that will, also, be the correct answer. 205 00:09:20,857 --> 00:09:23,760 "How many remote shares is the server listing?" 206 00:09:23,760 --> 00:09:26,313 We counted that to be six, 207 00:09:27,720 --> 00:09:29,250 right here. 208 00:09:29,250 --> 00:09:33,120 And there is one particular share that we have access to 209 00:09:33,120 --> 00:09:34,680 that contains a text file. 210 00:09:34,680 --> 00:09:36,930 Now, we didn't really come up to here, yet. 211 00:09:36,930 --> 00:09:40,200 So, let's see, whether do we, indeed, have access 212 00:09:40,200 --> 00:09:42,390 to the backup share? 213 00:09:42,390 --> 00:09:47,220 Okay, so, we can, also, once again, use "smbclient" 214 00:09:47,220 --> 00:09:50,310 to access the shares, so, "sudo smbclient", 215 00:09:50,310 --> 00:09:54,660 we provide "-U" with the domain and the account, 216 00:09:54,660 --> 00:09:58,137 so, "svc-admin". 217 00:09:59,010 --> 00:10:00,770 And only thing we need to do, 218 00:10:00,770 --> 00:10:03,540 we no longer need to use the "-L" option, 219 00:10:03,540 --> 00:10:06,060 we just need to specify the "IP" address 220 00:10:06,060 --> 00:10:10,830 and, also, the share that we want to access. 221 00:10:10,830 --> 00:10:11,700 So, in our case, 222 00:10:11,700 --> 00:10:14,280 we want to access the backup share, 223 00:10:14,280 --> 00:10:16,872 which we should be able to, 224 00:10:16,872 --> 00:10:18,930 (typing on the keyboard) 225 00:10:18,930 --> 00:10:21,750 once, entering the "svc-admin" password. 226 00:10:21,750 --> 00:10:23,607 And here, if I type "dir", 227 00:10:24,750 --> 00:10:28,380 we get one file in the directory, 228 00:10:28,380 --> 00:10:30,720 which is the "backup_credentials", 229 00:10:30,720 --> 00:10:33,540 since, let me see, if "pwd" is working. 230 00:10:33,540 --> 00:10:37,740 So, "pwd" is working and the current directory is "backup". 231 00:10:37,740 --> 00:10:39,630 So, we successfully entered the backup share, 232 00:10:39,630 --> 00:10:41,160 or the backup directory 233 00:10:41,160 --> 00:10:45,930 and we have one file, which is "backup_credentials.txt", 234 00:10:45,930 --> 00:10:48,510 which, of course, will be interesting to us. 235 00:10:48,510 --> 00:10:52,860 So, let's use "get" command to get "backup_credentials". 236 00:10:52,860 --> 00:10:53,760 And we can see, 237 00:10:53,760 --> 00:10:55,860 it is downloaded, right here, on the desktop. 238 00:10:55,860 --> 00:10:57,210 And the reason, it's on the desktop, 239 00:10:57,210 --> 00:10:59,130 is because my terminal is, currently, 240 00:10:59,130 --> 00:11:00,570 in the desktop directory. 241 00:11:00,570 --> 00:11:03,033 So, that's where it got downloaded. 242 00:11:03,960 --> 00:11:06,030 Now, of course, 243 00:11:06,030 --> 00:11:08,610 I did not know this at the start 244 00:11:08,610 --> 00:11:10,680 that we, only, have access to the backup account. 245 00:11:10,680 --> 00:11:13,890 But if you give a try to some other share that we saw, 246 00:11:13,890 --> 00:11:15,870 such as, for example, "ADMIN$" 247 00:11:15,870 --> 00:11:17,395 and you type in the password, 248 00:11:17,395 --> 00:11:18,930 (typing on the keyboard) 249 00:11:18,930 --> 00:11:21,120 we will get "ACCESS_DENIED" error. 250 00:11:21,120 --> 00:11:21,953 And the only one 251 00:11:21,953 --> 00:11:23,460 that doesn't get "ACCESS_DENIED" error, 252 00:11:23,460 --> 00:11:25,740 is "backup" account. 253 00:11:25,740 --> 00:11:30,206 So, now, that we've downloaded our "backup_credentials", 254 00:11:30,206 --> 00:11:31,050 (typing on the keyboard) 255 00:11:31,050 --> 00:11:33,420 we can "cat" it to see the output 256 00:11:33,420 --> 00:11:37,680 and the output seems weird, right? 257 00:11:37,680 --> 00:11:39,420 Well, you will, eventually, find out 258 00:11:39,420 --> 00:11:41,880 that this is "Base64" 259 00:11:41,880 --> 00:11:43,590 and this can be decoded. 260 00:11:43,590 --> 00:11:47,250 But let's, first, answer the fifth question in this task, 261 00:11:47,250 --> 00:11:50,070 which is "What is the content of the file?" 262 00:11:50,070 --> 00:11:51,660 The content of the file is this, 263 00:11:51,660 --> 00:11:54,180 we just copy it and paste it, right here 264 00:11:54,180 --> 00:11:57,510 and we got the correct answer. 265 00:11:57,510 --> 00:12:01,650 Now, to decode this, we can use any online decoders. 266 00:12:01,650 --> 00:12:06,167 So, just type "base64 decode" 267 00:12:06,167 --> 00:12:07,800 (typing on the keyboard) 268 00:12:07,800 --> 00:12:10,920 and we can use any website that pops up. 269 00:12:10,920 --> 00:12:14,114 Just make sure that we copy this first. 270 00:12:14,114 --> 00:12:16,800 (clicks) 271 00:12:16,800 --> 00:12:21,360 Go to this website, since, I, already, used it before, 272 00:12:21,360 --> 00:12:22,600 let's use it again 273 00:12:24,269 --> 00:12:25,102 (clicks) 274 00:12:25,102 --> 00:12:29,250 and let's paste this. 275 00:12:29,250 --> 00:12:32,490 Just zoom this in, so, we can see it a little bit better. 276 00:12:32,490 --> 00:12:34,170 (clicks) 277 00:12:34,170 --> 00:12:35,937 And if I click on "DECODE", 278 00:12:39,630 --> 00:12:41,197 okay, here it is, 279 00:12:41,197 --> 00:12:43,920 "backup@spookysec.local" 280 00:12:43,920 --> 00:12:46,413 and this would be the password. 281 00:12:47,340 --> 00:12:49,980 So, we successfully got the output, 282 00:12:49,980 --> 00:12:52,920 or the password for the backup account 283 00:12:52,920 --> 00:12:55,830 after we decoded the "backup_credentials" 284 00:12:55,830 --> 00:12:56,967 from "Base64". 285 00:12:58,320 --> 00:13:02,220 Now, you can answer this question, right here, 286 00:13:02,220 --> 00:13:04,590 which is "Decoding the contents of the file, 287 00:13:04,590 --> 00:13:06,150 what is the full content?" 288 00:13:06,150 --> 00:13:08,550 You just copy the output that we got 289 00:13:08,550 --> 00:13:10,743 and you paste it, right here. 290 00:13:12,000 --> 00:13:13,680 Okay, awesome. 291 00:13:13,680 --> 00:13:17,310 So, we successfully compromised, technically, two accounts. 292 00:13:17,310 --> 00:13:21,150 We compromised the "svc-admin" and the "backup" account, 293 00:13:21,150 --> 00:13:23,280 or we got the "backup_credentials", 294 00:13:23,280 --> 00:13:26,070 once, we logged in as "svc-admin", 295 00:13:26,070 --> 00:13:29,910 since, "svc-admin" had access to the backup share, 296 00:13:29,910 --> 00:13:32,880 but it didn't have access to other shares. 297 00:13:32,880 --> 00:13:35,730 So, there's a little bit of a vulnerability, right there, 298 00:13:35,730 --> 00:13:38,940 since, we did have access to the "backup" account, 299 00:13:38,940 --> 00:13:41,280 which provides us with "backup_credentials". 300 00:13:41,280 --> 00:13:43,620 But we cannot access any other share, 301 00:13:43,620 --> 00:13:45,660 which is quite contradictory, 302 00:13:45,660 --> 00:13:47,400 since, we can just use the "backup" account 303 00:13:47,400 --> 00:13:50,010 to access other shares, 304 00:13:50,010 --> 00:13:52,650 which we will see, in the next lecture. 305 00:13:52,650 --> 00:13:56,430 So, we successfully compromised one account for now 306 00:13:56,430 --> 00:14:00,360 and let's see, how we can perform privilege escalation 307 00:14:00,360 --> 00:14:01,920 in the next lecture. 308 00:14:01,920 --> 00:14:02,753 See you there.