1
00:00:00,570 --> 00:00:06,780
So now, after being able to get a limited Meterpreter shell, which can severely limit the actions

2
00:00:06,780 --> 00:00:08,190
you can perform on the system.

3
00:00:09,380 --> 00:00:16,340
The next thing to do is escalate your privileges to administrative or system-level users.

4
00:00:17,400 --> 00:00:20,670
And for that matter, Meterpreter has a getsystem command.

5
00:00:21,600 --> 00:00:26,490
It uses some of the techniques to elevate your privileges on the target.

6
00:00:27,490 --> 00:00:34,480
However, I want to point out, in some cases, the getsystem command doesn't solve your escalation

7
00:00:34,480 --> 00:00:34,990
problem.

8
00:00:36,390 --> 00:00:41,670
And by that, I mean that there are some other ways for you to be able to escalate your privileges.

9
00:00:42,720 --> 00:00:46,080
So when getsystem isn't enough, you can:

10
00:00:47,140 --> 00:00:51,460
Migrate to a higher-privilege process and use getsystem.

11
00:00:52,430 --> 00:00:53,840
Search for a local exploit.

12
00:00:54,760 --> 00:00:58,270
And I'm sure that you'll be able to be more imaginative.

13
00:00:59,120 --> 00:01:01,150
So you can test your limits as well.

14
00:01:03,240 --> 00:01:08,190
So right now, I will use a limited session to try to show you that escalation problem.

15
00:01:09,290 --> 00:01:15,770
So here's my limited session on Metasploitable 3, and right here on the screen, you can see that

16
00:01:15,770 --> 00:01:18,980
the user is NT AUTHORITY\LOCAL SERVICE.

17
00:01:19,790 --> 00:01:24,080
In such a session, you can't run some commands on the target.

18
00:01:24,960 --> 00:01:29,700
So here, let me try clearev and hashdump.

19
00:01:31,650 --> 00:01:33,870
And definitely they are not executed.

20
00:01:35,210 --> 00:01:42,650
So the problem here is the user rights, so in such situations, there are some ways that you should

21
00:01:42,650 --> 00:01:44,060
follow sequentially.
22
00:01:45,040 --> 00:01:48,190
And now the first thing to do is use that getsystem command.

23
00:01:49,690 --> 00:01:51,810
OK, but somehow that doesn't work either.

24
00:01:52,770 --> 00:01:59,790
It might be better to run the post module of that command, so let's first look at the definition of

25
00:01:59,790 --> 00:02:01,980
the module with the info command.

26
00:02:07,000 --> 00:02:09,610
All right, so there are no other variables to set.

27
00:02:10,710 --> 00:02:12,120
So then I can run this module.

28
00:02:16,670 --> 00:02:17,690
And nothing happened.

29
00:02:18,980 --> 00:02:26,180
So the next thing to try, other than being patient, is to migrate to another process, so this sometimes

30
00:02:26,180 --> 00:02:26,530
works.

31
00:02:27,050 --> 00:02:32,290
However, generally when getsystem is negative, this one is also negative.

32
00:02:33,300 --> 00:02:36,750
So to be able to use this command, you must provide a process ID.

33
00:02:38,010 --> 00:02:42,960
So let's type ps -S explorer.exe.

34
00:02:44,220 --> 00:02:50,220
And this command brings the ID of explorer.exe, which you can try to migrate to.

35
00:02:51,470 --> 00:02:59,210
So let's type migrate and the ID of explorer.exe, 5144.

36
00:03:00,930 --> 00:03:03,160
Hmm, OK, but nothing has changed.

37
00:03:04,780 --> 00:03:11,540
So, like getsystem, there is a migrate post module as well.

38
00:03:12,340 --> 00:03:13,720
So let's give that a try.

39
00:03:15,000 --> 00:03:16,900
Let's have a look at the definition of the module.

40
00:03:22,540 --> 00:03:27,130
And we will need to set the PID and the SPAWN variables.

41
00:03:28,120 --> 00:03:32,390
Otherwise, it will just migrate to a similar process, which has lower privileges, right?

42
00:03:33,380 --> 00:03:39,560
And now execute this command: type run post/windows/

43
00:03:40,920 --> 00:03:41,520
manage/

44
00:03:42,550 --> 00:03:43,330
migrate

45
00:03:44,290 --> 00:03:44,950
and then
46
00:03:46,340 --> 00:03:52,140
PID=5144 SPAWN=false.

47
00:03:53,240 --> 00:03:54,170
And then hit enter.

48
00:03:56,130 --> 00:03:58,380
And so that doesn't work either.

49
00:03:59,610 --> 00:04:07,740
So now the next thing to do is check patches and look for local exploits on the target.

50
00:04:08,880 --> 00:04:11,730
How do we do that? enum_patches

51
00:04:12,480 --> 00:04:17,880
will bring you the missing patches on the system, and after a quick look over the description,

52
00:04:22,810 --> 00:04:24,550
yeah, yeah, you can run it directly.

53
00:04:31,580 --> 00:04:32,720
And this may take a while.

54
00:04:33,740 --> 00:04:35,570
But here in my case, this is the result.

55
00:04:36,660 --> 00:04:40,680
And sometimes, but not always, this information may help you.

56
00:04:41,400 --> 00:04:43,470
So let's come back to the actual point.

57
00:04:44,420 --> 00:04:49,640
I'm not going to go in and look for the individual patches, so

58
00:04:50,530 --> 00:04:58,720
the last place to look for local exploits on the system is by doing this manually or using Meterpreter's

59
00:04:59,560 --> 00:05:04,320
local_exploit_suggester, and that might just do it for you.

60
00:05:09,560 --> 00:05:11,360
And all that information is here.

61
00:05:12,490 --> 00:05:15,400
Now it only needs a valid Meterpreter session.

62
00:05:16,770 --> 00:05:18,120
So we can run this command.

63
00:05:23,330 --> 00:05:28,610
And wait a couple of minutes to collect all the local exploits.

64
00:05:30,410 --> 00:05:32,990
Now, these are the probable local exploits.

65
00:05:34,260 --> 00:05:40,920
Now, I assume that you set up the lab, so I'll leave these for you to check, and please write in the

66
00:05:40,920 --> 00:05:43,110
comment section what you were faced with.

67
00:05:44,200 --> 00:05:45,780
Because right now, I want to show you another thing.

68
00:05:47,480 --> 00:05:48,850
You shouldn't restrict yourself.
69
00:05:50,390 --> 00:05:56,720
So when you look on the Internet for Windows local exploits, you're going to meet with some of the

70
00:05:56,720 --> 00:05:57,590
known exploits.

71
00:05:58,550 --> 00:06:01,910
And here's one of them, SysRet.

72
00:06:02,930 --> 00:06:04,790
So visit its GitHub page.

73
00:06:06,480 --> 00:06:08,310
You can download it and examine it.

74
00:06:09,760 --> 00:06:15,070
So after the download, extract the files and go to the release folder.

75
00:06:16,100 --> 00:06:19,490
Now, there are two files here which will perform the exploitation for us.

76
00:06:20,560 --> 00:06:24,820
And I'm going to go back to the msfconsole.

77
00:06:26,050 --> 00:06:29,950
And navigate to the release folder from the console.

78
00:06:30,220 --> 00:06:31,630
OK, so I'm already there.

79
00:06:33,310 --> 00:06:36,130
Now, I'm here in the remote system also.

80
00:06:39,310 --> 00:06:44,170
So now you need to upload these files to the target, Metasploitable 3.

81
00:06:45,580 --> 00:06:52,960
So we can type upload -r, the current directory, C:\temp.

82
00:06:54,700 --> 00:07:02,590
-r is for recursively uploading the files in the folder, so it's going to install the files to the temp folder

83
00:07:02,590 --> 00:07:03,940
in the C directory.

84
00:07:04,960 --> 00:07:08,860
And by the way, don't forget to get the process ID.

85
00:07:10,660 --> 00:07:16,300
Mine is 5924, so then type shell.

86
00:07:19,140 --> 00:07:22,530
And then we're going to change the directory to the temp folder.

87
00:07:24,840 --> 00:07:27,090
And list the items here by

88
00:07:28,030 --> 00:07:29,620
dir, for directory.

89
00:07:31,060 --> 00:07:43,870
The uploaded files will reside here. Now to run the exploit, type sysret.exe -pid and

90
00:07:43,870 --> 00:07:44,830
your process ID.

91
00:07:45,340 --> 00:07:47,740
In my case it's 5924.

92
00:07:49,650 --> 00:07:51,000
And it will quickly handle it.

93
00:07:52,860 --> 00:07:55,560
All right, so now hold Ctrl+Z.
94
00:07:56,550 --> 00:08:00,780
Then type y, and this will send the channel to the background.

95
00:08:01,990 --> 00:08:04,620
Then look at who you are.

96
00:08:06,190 --> 00:08:08,680
I am NT AUTHORITY\SYSTEM.

97
00:08:09,970 --> 00:08:12,550
And now it's time to use getsystem.

98
00:08:15,260 --> 00:08:15,750
Excellent.

99
00:08:15,770 --> 00:08:22,880
So you can see that you're finally able to get system-level access to this system from Meterpreter.