1
00:00:00,960 --> 00:00:02,870
Hey, we didn't lecture.

2
00:00:02,910 --> 00:00:11,310
We're going to see how we can escalate our privileges with a manual exploit or manual leverage and privilege,

3
00:00:11,320 --> 00:00:12,730
escalation, opportunity.

4
00:00:12,900 --> 00:00:22,680
OK, so far I have managed to show you how to manually download and exploit into your windows shell,

5
00:00:22,830 --> 00:00:28,190
but we haven't actually executed it, so we haven't seen how it works.

6
00:00:28,770 --> 00:00:35,060
So I'm going to find that one that will not run on the Métis Floyd modules.

7
00:00:35,280 --> 00:00:41,490
OK, so I actually opened the Windows exploits register over here, other metal plates adjuster.

8
00:00:41,730 --> 00:00:50,520
And we're going to go for one of the suggested vulnerabilities over here, which is Amsden, all 59,

9
00:00:50,820 --> 00:00:52,020
which is this one.

10
00:00:52,310 --> 00:00:58,260
OK, and as you can see, it says that this service could allow elevation of privilege.

11
00:00:58,860 --> 00:01:06,330
So this is a gain and exploit or we can use this to escalate our privilege, but it doesn't have that

12
00:01:06,330 --> 00:01:08,050
module Inmet exploit.

13
00:01:08,520 --> 00:01:15,390
So what I'm going to do if you come over here, you can check to see yourselves that we don't have Maston

14
00:01:15,390 --> 00:01:17,540
all 59 or dare.

15
00:01:17,940 --> 00:01:24,930
So rather than searching it in the metal exploit, I'm just going to go and search it in Google and

16
00:01:24,930 --> 00:01:26,460
find the exploit itself.

17
00:01:27,180 --> 00:01:29,270
So I'm going to open the Google over here.

18
00:01:29,610 --> 00:01:33,340
So let's close this down and just go to Google dot com.

19
00:01:33,660 --> 00:01:36,230
OK, let's close everything else over here.

20
00:01:36,780 --> 00:01:43,170
So I'm going to Pastis and just search for Moyston 059 exploit.

21
00:01:43,560 --> 00:01:50,760
OK, so as you can see, we get a lot of results back and it starts with the getup and it's also in

22
00:01:50,760 --> 00:01:54,230
Exploit DB and Reppert seven here as well.

23
00:01:54,870 --> 00:01:56,340
So far so good.

24
00:01:56,370 --> 00:01:58,920
So I believe we have another one over here.

25
00:01:59,940 --> 00:02:08,790
But I want to draw your attention to this GitHub page, which is which actually contains this Moyston

26
00:02:08,790 --> 00:02:11,160
059 Excel file.

27
00:02:11,520 --> 00:02:16,600
OK, and apparently the usage of this file is very easy.

28
00:02:16,860 --> 00:02:21,470
All we have to do is just run it with these parameters over here, OK?

29
00:02:21,480 --> 00:02:25,940
And it will just escalate our privilege like this.

30
00:02:26,730 --> 00:02:31,700
So we're going to see how to use it and how to give this comment.

31
00:02:32,520 --> 00:02:38,940
But before we come over there, let me try to find some more information about this exploit.

32
00:02:39,390 --> 00:02:44,970
And I believe there is not so much of intense description in the exploit.

33
00:02:44,970 --> 00:02:51,570
DB as well as you can see, only says that an attacker can exploit this issue to execute an arbitrary

34
00:02:51,570 --> 00:02:53,570
code with the system level privileges.

35
00:02:53,790 --> 00:03:00,870
So all we are doing over here is just we are exploiting some kind of vulnerability and it can lead us

36
00:03:00,870 --> 00:03:06,840
to execute an arbitrary code and it has the code in here.

37
00:03:06,840 --> 00:03:10,050
So it has the code in the offensive security setup.

38
00:03:10,560 --> 00:03:12,490
OK, if we leave there?

39
00:03:12,780 --> 00:03:20,820
No, it doesn't let us see the code, but we can always go for that zip file and see the code ourselves.

40
00:03:21,450 --> 00:03:28,530
Of course, we can try to search for discrepant seven here as well, but I don't believe we have a good

41
00:03:28,530 --> 00:03:29,510
thing over here.

42
00:03:29,820 --> 00:03:32,190
So let me try to save this file.

43
00:03:32,500 --> 00:03:38,280
Does that zip file and let me try to find that file on my downloads folder.

44
00:03:39,030 --> 00:03:40,460
So let's see.

45
00:03:40,500 --> 00:03:41,400
Yeah, here you go.

46
00:03:41,850 --> 00:03:50,010
As you can see, we have the source code over here so we can try to compile it ourselves.

47
00:03:50,370 --> 00:03:57,760
And as you can see, it's only gives us the descriptions and instructions for compilation of this file.

48
00:03:58,170 --> 00:04:03,380
OK, but I'm going to just delete this because we have already found the file.

49
00:04:03,630 --> 00:04:10,010
I just wanted to show you that if you don't trust the X Files, you can just compile it yourselves.

50
00:04:10,440 --> 00:04:12,780
But again, why not?

51
00:04:12,790 --> 00:04:13,570
Why not?

52
00:04:13,590 --> 00:04:16,050
We tried these files ourselves.

53
00:04:16,800 --> 00:04:24,660
The GetUp page that I have shown you is actually a very good page and actually very comprehensive page

54
00:04:24,660 --> 00:04:28,410
when it comes to Windows privileges escalation.

55
00:04:28,410 --> 00:04:33,900
And it has a lot of XY files embedded in it, so you can't trust that one.

56
00:04:33,900 --> 00:04:35,700
So let me show you one more time.

57
00:04:35,970 --> 00:04:39,120
So this is the one that I'm talking about, SEC Squeaky.

58
00:04:39,450 --> 00:04:42,130
OK, just make sure you follow this page.

59
00:04:42,130 --> 00:04:43,470
You're just like this page.

60
00:04:43,740 --> 00:04:44,730
Follow this page.

61
00:04:44,970 --> 00:04:48,960
And as you can see, there are a lot of repositories over here.

62
00:04:48,960 --> 00:04:55,850
What we are interested in is the windows currently exploit, but it also has the Linux kernel exploits

63
00:04:55,860 --> 00:04:56,580
here as well.

64
00:04:56,790 --> 00:04:59,820
And as you can see, we have a lot of different.

65
00:05:00,480 --> 00:05:03,900
Exploits for each kind of vulnerability over here.

66
00:05:04,620 --> 00:05:13,260
So what we are trying to find is the most 059, but then you find a kernel exploit or kernel vulnerability

67
00:05:13,260 --> 00:05:14,030
in the windows.

68
00:05:14,250 --> 00:05:16,070
Just make sure you come over here.

69
00:05:16,590 --> 00:05:21,360
So I'm going to download the MSM all 59 GHC to my colonics.

70
00:05:21,600 --> 00:05:27,630
It will just give me a warning, but I'm going to say open and find the file on my downloads folder.

71
00:05:27,750 --> 00:05:33,000
I'm going to cut this and put it in my file system.

72
00:05:33,000 --> 00:05:37,680
VAR W-w HDMI and here you go.

73
00:05:38,040 --> 00:05:44,670
So this is sitting in my web server is route so I can reach it from the outside world.

74
00:05:44,670 --> 00:05:51,530
So I'm going to rename this to Amstetten, that a.m. Eastern 059 that XY.

75
00:05:51,840 --> 00:05:54,780
OK, so it would be easy for me to find.

76
00:05:55,830 --> 00:06:02,940
And right now we have the Métis Floyd Interpreter station actually if on Session Zel and we are in the

77
00:06:02,970 --> 00:06:07,080
interpreter, I'm going to background this and show you that I have the section.

78
00:06:07,500 --> 00:06:12,750
OK, as you can see, we have the station, but we're going to pretend that we don't even have an interpreter

79
00:06:12,750 --> 00:06:20,040
station in this case so that we can actually try to see what happens if we don't have the interpreter.

80
00:06:20,100 --> 00:06:24,450
OK, so I'm going to exit out of this one and just do the thing from scratch.

81
00:06:24,660 --> 00:06:33,480
I'm going to go into the metal exploit, OK, by running MSF council on my machine and we can try to

82
00:06:33,480 --> 00:06:37,610
get the station back from that exploit in the metal exploit.

83
00:06:37,620 --> 00:06:39,600
Of course, that would be our first choice.

84
00:06:39,930 --> 00:06:44,480
But if it doesn't work, we can always listen with the Netcare as well.

85
00:06:44,760 --> 00:06:46,410
So let's see how it works.

86
00:06:46,560 --> 00:06:49,710
I'm going to go into the use exploit multicenter.

87
00:06:49,890 --> 00:06:59,670
I'm going to set the payload to Windows Interpretor reverse TCP, OK, and I'm going to show the options.

88
00:06:59,670 --> 00:07:04,440
I'm going to set the Atheros to my own IP address, which is done zero.

89
00:07:04,590 --> 00:07:08,160
I'm going to set the output to 42 42.

90
00:07:08,370 --> 00:07:16,020
I'm going to exploit this and I'm gonna go back to my SBX and run it so that I have the station over

91
00:07:16,020 --> 00:07:16,420
here.

92
00:07:16,800 --> 00:07:17,620
So here you go.

93
00:07:17,620 --> 00:07:18,540
We have the station.

94
00:07:19,020 --> 00:07:24,510
So what I'm going to do, I'm going to go into that station and as you can see, it's in the station

95
00:07:24,510 --> 00:07:32,190
one so you can just interact with it, OK, in order to just download this from our Web server.

96
00:07:32,460 --> 00:07:35,280
So it's sitting on my route right now.

97
00:07:35,640 --> 00:07:41,250
So I'm going to come over here and run sections one and I'm going to go into the shell.

98
00:07:41,250 --> 00:07:47,100
As I said before, we're going to pretend that we don't even have the metro station or an interpreter

99
00:07:47,100 --> 00:07:47,580
station.

100
00:07:47,970 --> 00:07:53,250
So I'm going to go into the temp folder, as we have seen before, and I'm going to run the 32.

101
00:07:53,520 --> 00:07:55,920
So I'm going to say Circuital Eurail cache.

102
00:07:55,920 --> 00:08:00,480
And for the F, I'm going to just specify the HDB tunnel.

103
00:08:00,830 --> 00:08:03,000
Ten, 10, 14, 19, MS.

104
00:08:03,690 --> 00:08:06,080
Ten 059 XY.

105
00:08:06,090 --> 00:08:10,700
And I'm going to call this Amstetten Data XY.

106
00:08:10,980 --> 00:08:15,510
OK, so it will be downloaded to my temp folder over here.

107
00:08:15,630 --> 00:08:21,390
And once we download this, we have to actually have this file on our temp folder.

108
00:08:21,390 --> 00:08:24,900
Let's see, it says on line and here you go.

109
00:08:24,900 --> 00:08:26,580
It says completed successfully.

110
00:08:26,580 --> 00:08:31,020
If you're on there, then we can see them a standard X over here.

111
00:08:31,410 --> 00:08:32,570
So far, so good.

112
00:08:32,850 --> 00:08:38,520
Now we need to run this file and we need to listen for incoming connections.

113
00:08:38,760 --> 00:08:41,130
OK, Onaka Linux, obviously.

114
00:08:41,610 --> 00:08:49,560
Now, if I may stand out, it will say that Chimichurri or Kemistry, I don't know how it's pronounced,

115
00:08:49,560 --> 00:08:58,490
but it apparently gives us the local system shall if we use this as IP address and port with IP address

116
00:08:58,500 --> 00:08:58,910
import.

117
00:08:59,340 --> 00:09:03,390
So this is kind of a back door, but we need to run it manually.

118
00:09:03,840 --> 00:09:06,630
So it's very easy for us to do that.

119
00:09:06,630 --> 00:09:11,670
All we have to do is just supply our IP address along with Siavash part number.

120
00:09:12,000 --> 00:09:13,320
So I'm going to supply it.

121
00:09:13,620 --> 00:09:14,760
And for the port.

122
00:09:14,760 --> 00:09:17,300
No, I'm just going to go with one, two, three, four.

123
00:09:17,640 --> 00:09:25,080
Now again, you can try to get this reverse shell back in Mattos loiters bhau, but we're pretending

124
00:09:25,080 --> 00:09:29,700
that we don't have anything to do with the MSF council, Ormet, the split itself.

125
00:09:30,240 --> 00:09:38,220
So I believe we can go for the next cat in order to listen for incoming call and then choose and see

126
00:09:38,220 --> 00:09:42,450
what happens if we get the child back with that cat again.

127
00:09:42,450 --> 00:09:49,110
It's advantages to get this with an interpreter, but I don't think this exploit gives us the interpreter

128
00:09:49,110 --> 00:09:49,950
shot anyway.

129
00:09:50,310 --> 00:09:56,370
So I'm going to go for NCM VLP one, two, three, four, OK, and I'm going to hit enter over here

130
00:09:56,760 --> 00:09:59,400
and this will just run the country.

131
00:09:59,490 --> 00:10:01,600
Or whatever it is.

132
00:10:02,020 --> 00:10:10,590
OK, and let's see if we get the connection here, let's wait for a minute and let's see if we can get

133
00:10:10,590 --> 00:10:11,540
the connection.

134
00:10:12,540 --> 00:10:19,480
Um, yeah, it seems like it's working, but we don't get the connection for some reason.

135
00:10:20,040 --> 00:10:21,450
Let's try to.

136
00:10:21,450 --> 00:10:22,430
Yeah, here you go.

137
00:10:22,740 --> 00:10:24,180
It gives us something.

138
00:10:24,180 --> 00:10:25,230
And yeah, here you go.

139
00:10:25,230 --> 00:10:26,030
We have the shell.

140
00:10:26,340 --> 00:10:27,270
So if I were on.

141
00:10:27,270 --> 00:10:27,840
Where am I.

142
00:10:27,990 --> 00:10:28,610
Here you go.

143
00:10:28,620 --> 00:10:30,890
We are the end theater to system.

144
00:10:31,320 --> 00:10:34,260
So it took a while, but it gives us the shell.

145
00:10:34,260 --> 00:10:39,240
So that's what's important and very administrator right now, as you can see.

146
00:10:39,660 --> 00:10:47,970
So this is how you do a manual exploitation in order to gain an escalated privilege in the windows as

147
00:10:47,970 --> 00:10:48,250
well.

148
00:10:48,870 --> 00:10:54,210
So far, we have covered a lot of topics regarding the Windows exploitation.

149
00:10:54,390 --> 00:11:00,180
I believe it's time to move on to another machine for windows so that we can get to practice what we

150
00:11:00,180 --> 00:11:03,090
have learned so far and also learn something new.

151
00:11:03,480 --> 00:11:06,570
We're going to do that within the next section together.