1
00:00:00,630 --> 00:00:07,110
Hi, within this lecture, we're going to see how we can turn the information that we have gathered

2
00:00:07,380 --> 00:00:13,780
into a valuable suggestion for privilege escalation in this case.

3
00:00:14,070 --> 00:00:18,360
So remember when we actually ran systeminfo in Windows?

4
00:00:18,360 --> 00:00:25,650
So we got very detailed information from the Windows shell over here, like this.

5
00:00:26,020 --> 00:00:35,280
OK, so we can try to understand if we have a kernel exploit or any other exploits available just by

6
00:00:35,280 --> 00:00:37,150
looking at this information.

7
00:00:37,530 --> 00:00:43,230
OK, because there is version information over here, configuration information, build types.

8
00:00:43,560 --> 00:00:51,000
So operating system information, anything that we need actually in order to understand if we have a

9
00:00:51,000 --> 00:00:57,840
kernel exploit or version exploit or any other vulnerability that may lead us to privilege escalation.

10
00:00:58,560 --> 00:01:07,500
So in this case, if you remember, in Linux we have downloaded some exploit suggester and we

11
00:01:07,500 --> 00:01:15,180
have actually supplied some information or just ran the script in order for it to gain information and

12
00:01:15,180 --> 00:01:17,100
give us back an output.

13
00:01:17,730 --> 00:01:21,950
But in this case, we're going to do things a little bit differently.

14
00:01:22,200 --> 00:01:25,190
We're going to do it in a much simpler way.

15
00:01:25,440 --> 00:01:32,160
We're going to download the exploit suggester to our own machine, OK, in our own Kali Linux, and

16
00:01:32,160 --> 00:01:40,050
we will just supply the systeminfo information to that tool in our machine and we can get back some

17
00:01:40,050 --> 00:01:44,880
suggestions, so we don't need to download anything in the Windows.

18
00:01:45,160 --> 00:01:45,760
OK.
19
00:01:45,990 --> 00:01:52,380
And by the way, if you need to download anything later on, we're going to see what we can use over

20
00:01:52,380 --> 00:01:56,010
here, like wget, because we don't have wget in here.

21
00:01:56,310 --> 00:01:57,480
We have different tools.

22
00:01:57,480 --> 00:01:59,970
We can see all of those things later on.

23
00:02:00,180 --> 00:02:07,620
But for right now, what we need to do is just understand if there is any current version vulnerability

24
00:02:07,620 --> 00:02:14,070
that we can take leverage of, because it's the simplest way and it's the most effective way that

25
00:02:14,070 --> 00:02:14,940
you can think of.

26
00:02:14,940 --> 00:02:21,870
If there is one way to exploit this, then we should definitely go for that one.

27
00:02:22,560 --> 00:02:24,090
So let me show you what I mean.

28
00:02:24,090 --> 00:02:26,130
I'm going to go to Google, OK?

29
00:02:26,520 --> 00:02:32,910
And I'm going to search for the Windows Exploit Suggester and find the link that we should find.

30
00:02:32,910 --> 00:02:36,660
So I'm going for Windows Exploit Suggester.

31
00:02:37,410 --> 00:02:38,670
So here you go.

32
00:02:38,700 --> 00:02:46,590
I believe this is the one that we are looking for, on AonCyberLabs, OK, AonCyberLabs.

33
00:02:46,980 --> 00:02:48,780
So I'm going to click on that.

34
00:02:49,050 --> 00:02:52,440
And over here we have a Python file again.

35
00:02:52,440 --> 00:02:53,430
This is the link.

36
00:02:53,430 --> 00:03:00,210
So this is the Windows Exploit Suggester and we can just download this and use this.

37
00:03:00,330 --> 00:03:07,680
OK, so as you can see in the description, it compares the target's patch level against the Microsoft

38
00:03:07,680 --> 00:03:12,150
vulnerability database in order to detect potential missing patches.

39
00:03:12,780 --> 00:03:19,950
So if you think that, yeah, this is a good tool, but it hasn't been updated for years right now.
40
00:03:20,250 --> 00:03:24,090
So how do we understand if there are current vulnerabilities or not?

41
00:03:24,660 --> 00:03:25,200
Don't worry.

42
00:03:25,200 --> 00:03:27,200
I'm going to show you some other tools as well.

43
00:03:27,480 --> 00:03:31,110
So this is just one of the tools that we are going to use.

44
00:03:31,320 --> 00:03:33,570
And also it will try to update itself.

45
00:03:33,570 --> 00:03:37,860
If it gets updated in the database, then we're going to have a current one.

46
00:03:38,220 --> 00:03:40,560
So I'm going to save this file, OK?

47
00:03:40,560 --> 00:03:42,660
I'm saving this file in my Linux.

48
00:03:43,200 --> 00:03:48,510
So let me just open this Downloads folder over here, OK?

49
00:03:48,870 --> 00:03:55,290
And I'm going to unzip this; we just need the .py file, the Python file, from there.

50
00:03:55,650 --> 00:03:57,480
I'm going to put it over there.

51
00:03:57,480 --> 00:04:05,220
And I believe we don't need this, but I cannot seem to find our file because it's a folder.

52
00:04:05,220 --> 00:04:08,370
Let me just cut this folder from our Downloads folder.

53
00:04:08,700 --> 00:04:16,100
I'm going to go into the Documents, OK, under CTF, and I'm going to create a new folder called Devel.

54
00:04:17,130 --> 00:04:21,180
So I'm going to put this in there, Devel over here, and paste it.

55
00:04:21,690 --> 00:04:23,370
And yeah, here you go.

56
00:04:23,550 --> 00:04:25,980
Now we have the Python file over there.

57
00:04:26,250 --> 00:04:28,200
We don't have to do anything with it.

58
00:04:28,200 --> 00:04:31,830
But let me open this with gedit and show you what it contains.

59
00:04:32,100 --> 00:04:38,910
As you can see, this is Python code and it contains a lot of information regarding current databases

60
00:04:38,910 --> 00:04:48,360
or current information on vulnerabilities in certain Windows versions or certain Windows patches.
61
00:04:48,630 --> 00:04:57,660
So we need that information in order to let this tool just do its work and find the vulnerabilities

62
00:04:58,050 --> 00:04:59,240
that are matching with our

63
00:04:59,530 --> 00:05:00,190
version.

64
00:05:00,540 --> 00:05:07,350
So how it's done: we need to run this from the terminal using Python, and it's also instructed in the

65
00:05:07,350 --> 00:05:08,520
GitHub page as well.

66
00:05:08,880 --> 00:05:11,490
OK, so let me open the tab.

67
00:05:11,760 --> 00:05:20,080
I'm going to go for the Documents, CTF, and Devel over here, and under the Windows Exploit

68
00:05:20,160 --> 00:05:21,470
Suggester master

69
00:05:21,480 --> 00:05:23,590
we have the Python file over there.

70
00:05:24,060 --> 00:05:29,010
So what I'm going to do, I'm going to come back to this explanation, description part.

71
00:05:29,220 --> 00:05:35,190
As you can see, it says to run the .py file, but first run it with the update command so that it

72
00:05:35,190 --> 00:05:36,150
gets updated.

73
00:05:36,610 --> 00:05:42,760
OK, so once you do that, it will give you an xlsx, so an Excel file.

74
00:05:43,050 --> 00:05:45,000
OK, and we will need that file.

75
00:05:45,480 --> 00:05:49,200
So make sure you just run the update command.

76
00:05:50,280 --> 00:05:51,570
OK, and here you go.

77
00:05:51,840 --> 00:05:56,790
It says that it's writing to file, and this is the thing that we are looking for.

78
00:05:56,820 --> 00:05:59,360
So we need this Excel file.

79
00:05:59,370 --> 00:06:04,500
So this is an Excel file that is kind of a database.

80
00:06:04,500 --> 00:06:07,110
It contains the vulnerabilities.

81
00:06:07,140 --> 00:06:10,920
We are going to compare it against this xls file,

82
00:06:10,920 --> 00:06:11,570
actually.

83
00:06:12,180 --> 00:06:13,680
So how do we use it?

84
00:06:14,400 --> 00:06:19,830
We know what kind of information we have from our Windows machine.

85
00:06:19,830 --> 00:06:20,190
Right.
86
00:06:20,580 --> 00:06:24,150
If we come over here, it says to install the dependencies.

87
00:06:24,360 --> 00:06:27,690
I believe these are preinstalled in Linux.

88
00:06:27,690 --> 00:06:30,690
But again, there's no harm in running this.

89
00:06:30,690 --> 00:06:34,100
So pip install xlrd --upgrade.

90
00:06:34,530 --> 00:06:37,660
So if you need an upgrade, it will just do it for you.

91
00:06:37,960 --> 00:06:41,120
OK, so very good.

92
00:06:42,000 --> 00:06:44,910
I believe we are getting that.

93
00:06:44,910 --> 00:06:45,120
Yeah.

94
00:06:45,120 --> 00:06:45,680
Here you go.

95
00:06:46,200 --> 00:06:48,510
Now we have the xlrd.

96
00:06:49,170 --> 00:06:56,220
If you didn't have that, just make sure you have it and come over here and run this final command.

97
00:06:56,240 --> 00:06:59,090
So in this command we are running the exploit suggester

98
00:06:59,100 --> 00:07:06,780
one more time, and for database we are giving the xlsx that we have created previously,

99
00:07:07,170 --> 00:07:11,040
OK, and we need to give that as a parameter.

100
00:07:11,190 --> 00:07:15,860
And also we need to supply the systeminfo as a parameter here as well.

101
00:07:16,170 --> 00:07:25,140
So we have to create a systeminfo.txt or any text file and we need to copy our systeminfo and paste

102
00:07:25,140 --> 00:07:29,070
it in, so we can totally do that in our Kali Linux.

103
00:07:29,070 --> 00:07:34,740
All we got to do is just come back to the Windows machine and after running systeminfo like this, just

104
00:07:34,740 --> 00:07:36,390
gather everything, OK?

105
00:07:36,390 --> 00:07:39,360
Gather everything after systeminfo.

106
00:07:39,780 --> 00:07:50,340
Just make sure you copy this thing and come back and you can create a new file from your terminal over

107
00:07:50,340 --> 00:07:50,850
here.

108
00:07:51,810 --> 00:07:54,150
Here is our Windows Exploit Suggester.

109
00:07:54,330 --> 00:07:54,960
Yes, sir.
110
00:07:55,140 --> 00:07:57,450
Now I'm going to nano a new file.

111
00:07:57,480 --> 00:07:59,550
I'm going to call this windows

112
00:08:00,240 --> 00:08:04,020
exploit.txt, but you can just call it anything you want.

113
00:08:04,710 --> 00:08:06,060
I'm going to paste the clipboard.

114
00:08:06,060 --> 00:08:06,680
Here you go.

115
00:08:07,080 --> 00:08:09,300
So this is the thing that we have copied.

116
00:08:09,510 --> 00:08:12,390
So this is all the information that we need over here.

117
00:08:12,390 --> 00:08:15,680
I'm going to close this down and I'm going to run this command.

118
00:08:15,990 --> 00:08:19,230
So basically, we're going to supply two parameters.

119
00:08:19,230 --> 00:08:20,310
It's very easy.

120
00:08:20,310 --> 00:08:23,730
First of which is database and the second one, sysinfo.

121
00:08:24,030 --> 00:08:28,080
So we have all the files that we need in the same folder.

122
00:08:28,320 --> 00:08:29,330
Beware of that.

123
00:08:29,340 --> 00:08:34,110
OK, so if you don't have that, you're going to have to supply a full path.

124
00:08:34,410 --> 00:08:39,630
But in this case, I'm just going to say windows-exploit.txt for the systeminfo parameter.

125
00:08:39,990 --> 00:08:49,050
And over here we're just going to change the dates, like twenty twenty here, eleven here and twenty

126
00:08:49,050 --> 00:08:50,070
one here.

127
00:08:50,580 --> 00:08:52,710
OK, and I believe...

128
00:08:53,490 --> 00:08:54,600
Yeah, here you go.

129
00:08:55,260 --> 00:08:57,900
The extension is also different.

130
00:08:58,290 --> 00:09:06,750
So we have the xls over here, but in the sample command we have the xlsx, so I'm going to

131
00:09:06,750 --> 00:09:09,300
delete this, and here you go.

132
00:09:09,660 --> 00:09:12,720
Now we initiated that and here you go.

133
00:09:12,720 --> 00:09:14,640
We have the output.

134
00:09:15,090 --> 00:09:17,610
So in the output, what do we have here?
135
00:09:17,610 --> 00:09:19,590
We have suggestions.

136
00:09:19,590 --> 00:09:22,020
So this is a suggestion.

137
00:09:22,020 --> 00:09:23,100
This is a suggestion.

138
00:09:23,100 --> 00:09:24,320
This is a suggestion.

139
00:09:24,600 --> 00:09:31,200
We can try to understand these vulnerabilities and we can try to exploit them one by one, as we have

140
00:09:31,200 --> 00:09:33,330
discussed in the Linux section as well.

141
00:09:33,880 --> 00:09:40,710
Remember, we had a lot of suggestions in the Linux exploit suggester, and we have the same suggestions

142
00:09:40,710 --> 00:09:41,280
over here.

143
00:09:41,280 --> 00:09:46,050
We have possible vulnerabilities that we should take care of.

144
00:09:46,050 --> 00:09:54,960
We should just try and test, and we're going to try all of those things until we find a working one.

145
00:09:55,680 --> 00:09:58,650
So I'm going to create a new folder or new

146
00:09:58,710 --> 00:10:00,130
file over here, OK?

147
00:10:00,570 --> 00:10:11,490
So in order to just save this, I'm going to call this something like maybe windows exploit suggestions

148
00:10:11,490 --> 00:10:15,490
or something like that, OK, I'm going to call it suggestions.

149
00:10:15,720 --> 00:10:17,220
You can call it anything you want.

150
00:10:17,220 --> 00:10:20,420
Just make sure you save this so that we won't have to deal

151
00:10:21,060 --> 00:10:22,560
with it one more time.

152
00:10:22,770 --> 00:10:24,780
I'm going to save this in my nano.

153
00:10:24,780 --> 00:10:27,770
And here we have the final results.

154
00:10:28,230 --> 00:10:31,230
So this is only one way to get this, OK?

155
00:10:31,260 --> 00:10:36,330
Of course, there are alternative ways and we're going to have to learn every one of them so that we

156
00:10:36,330 --> 00:10:40,820
can compare and we can find the one that is working best for us.
157
00:10:41,580 --> 00:10:46,500
We're going to stop here and continue with the same process within the next lecture.