1
00:00:00,030 --> 00:00:03,810
Hello everybody and welcome back. And let's see what the security measure

2
00:00:03,810 --> 00:00:07,860
would be for anyone to not be able to bypass the user account control on

3
00:00:07,859 --> 00:00:12,989
Windows 10. So, in the previous video we saw that we are able to bypass and

4
00:00:12,990 --> 00:00:19,920
gain the system administrator account on the Windows 10 host. But, let

5
00:00:19,920 --> 00:00:28,710
me just show you once again. So if I just sessions, and then enter session ID

6
00:00:28,710 --> 00:00:35,220
number two... and, whoops, once again forgot the session. So it is the session s

7
00:00:35,219 --> 00:00:42,389
-i, and then I exit both of them, and then I also enter the third one, and exit

8
00:00:42,390 --> 00:00:46,020
that one as well. So if I just type here sessions, we do

9
00:00:46,020 --> 00:00:50,730
not have any connections anymore, which is good. So what we want to do is

10
00:00:50,730 --> 00:00:55,590
basically repeat the process of exploit. So I will do this real fast. I will not

11
00:00:55,590 --> 00:01:00,270
explain what I'm doing since I explained it in the previous videos. So use exploit/multi/handler,

12
00:01:00,270 --> 00:01:08,670
show options. Everything is already preset, and I exploit -j -z,

13
00:01:08,670 --> 00:01:16,710
and I run this right here. But before I actually run this, I want to set the

14
00:01:16,710 --> 00:01:23,360
certain settings in Windows that enable us to actually ask for the

15
00:01:23,360 --> 00:01:29,370
administrator password for all the important programs that you open on

16
00:01:29,369 --> 00:01:34,049
Windows. For example, if you were to open task manager right now, it will not ask

17
00:01:34,049 --> 00:01:37,199
for any administrator password or anything like that. It will basically

18
00:01:37,200 --> 00:01:41,670
just open it and this is the case in most Windows 10 machines, since they

19
00:01:41,670 --> 00:01:45,680
do not have your own user account control to always notify when some

20
00:01:45,680 --> 00:01:51,060
application tries to run a certain program. But if you go to the search bar

21
00:01:51,060 --> 00:01:55,710
right here and type uac, which will lead you to the control panel change

22
00:01:55,710 --> 00:02:00,030
user account control settings and you click on it, you will get this little

23
00:02:00,030 --> 00:02:03,930
window which will give you four different options when to notify you

24
00:02:03,930 --> 00:02:07,710
when apps try to make changes to the computer. Which will notify you, for

25
00:02:07,710 --> 00:02:13,030
example, once you open the registry keys, the task manager,

26
00:02:13,030 --> 00:02:18,250
basically any important application. So, as you can see by default on Windows 10

27
00:02:18,250 --> 00:02:24,910
host it is set to don't notify me when I make changes to Windows settings. So, this

28
00:02:24,910 --> 00:02:30,220
will be set by default on most Windows 10 PCs. In order to bypass, in

29
00:02:30,220 --> 00:02:34,510
order to actually secure yourself from the bypass mechanism that we did in the

30
00:02:34,510 --> 00:02:39,730
previous video, you want to set this to always notify. As we can see right here,

31
00:02:39,730 --> 00:02:43,990
it says always notify me when apps try to install software or make changes to

32
00:02:43,989 --> 00:02:48,729
my computer. Or always notify me when I make changes to Windows settings. So this

33
00:02:48,730 --> 00:02:53,710
will also prompt us for the administrator password once we ask, once

34
00:02:53,709 --> 00:02:59,619
we, for example, open task manager. So just like here okay, and enter your

35
00:02:59,620 --> 00:03:04,210
administrator password. And if I just type here task manager once again, you

36
00:03:04,209 --> 00:03:08,679
will see that right now it will ask me, do I want to allow this app to make

37
00:03:08,680 --> 00:03:13,680
changes to the device? And I click here yes, and then it opens the task manager.

38
00:03:13,680 --> 00:03:17,500
Now you might be asking, so what does task manager have anything to do with

39
00:03:17,500 --> 00:03:20,680
this? Well, basically, the task manager doesn't have anything to do with this.

40
00:03:20,680 --> 00:03:26,020
But, the always notify me option in the user account control prevents the system

41
00:03:26,019 --> 00:03:32,409
privileges bypass in the Kali Linux fodhelper module. Or basically any

42
00:03:32,410 --> 00:03:37,500
other module that you have for bypass in Windows 10. So if I show you right here,

43
00:03:37,500 --> 00:03:41,350
let me just see if we have any sessions connected. So we do not have any sessions

44
00:03:41,350 --> 00:03:46,660
connected. Let us double click this, we open the meterpreter session 4, and we

45
00:03:46,660 --> 00:03:54,130
enter the session. So getuid, we can see that we are just a simple user. We

46
00:03:54,130 --> 00:04:00,960
are not the system privilege admin. So what we want to do right now is use

47
00:04:00,959 --> 00:04:09,659
exploit/window/bypass...

48
00:04:09,880 --> 00:04:14,210
I'm not really sure, let me just search bypass. Not really sure if it is a module

49
00:04:14,209 --> 00:04:19,099
or exploit. Search bypass, and let's try to find the

50
00:04:19,100 --> 00:04:26,270
same bypass module that we used. So, let's try this, search bypass_fodhelper...

51
00:04:26,270 --> 00:04:36,460
Or it is not fodhelper, let me just find it right here.

52
00:04:36,639 --> 00:04:52,009
Zoom out a little bit, and let us see where our bypass_fodhelper is. Okay,

53
00:04:52,010 --> 00:04:57,730
so here it is. It was under local, I forgot to specify this. So it is underscore

54
00:04:57,730 --> 00:05:03,380
helper. So we copy this right here, and then we zoom in so you can see it a

55
00:05:03,380 --> 00:05:08,780
little bit better. Then use, and we paste the name of the exploit, which is the

56
00:05:08,780 --> 00:05:13,070
same as in the previous video. And now if I clear the screen and just type here

57
00:05:13,070 --> 00:05:18,050
show options, everything is already set. We just need to change the session ID,

58
00:05:18,050 --> 00:05:21,320
since if I type here sessions, you will see that right now the current session

59
00:05:21,320 --> 00:05:26,990
open is under ID 4. So we set session under 4, and we can try to

60
00:05:26,990 --> 00:05:31,640
exploit it right now. As you can see in the previous video it worked, but right now

61
00:05:31,640 --> 00:05:37,400
it will not work. As it says, exploit aborted due to failure: not vulnerable.

62
00:05:37,400 --> 00:05:42,290
UAC is set to always notify me. This module does not bypass this setting,

63
00:05:42,289 --> 00:05:47,269
exiting. And that's how you prevent the privilege escalation on your Windows 10

64
00:05:47,270 --> 00:05:51,590
PC. Now it might be sometimes annoying when you need to open task manager every

65
00:05:51,590 --> 00:05:56,030
time and click to allow this application to make changes, but it

66
00:05:56,030 --> 00:06:00,410
can be useful once you do not want anyone to gain system privilege

67
00:06:00,410 --> 00:06:06,710
escalation on your PC. So, that would be about it for preventing the privilege

68
00:06:06,710 --> 00:06:10,820
escalation on Windows 10. What we will do in the next video is cover some of the

69
00:06:10,820 --> 00:06:16,520
post modules, post-exploitation modules that you can use on the target. So, that's

70
00:06:16,520 --> 00:06:19,430
about it for this video. I hope I see you in the next one

71
00:06:19,430 --> 00:06:22,750
and take care. Bye!