1
00:00:00,900 --> 00:00:07,590
Hi, within this lecture we are going to see the other tools rather than the Exploit

2
00:00:07,590 --> 00:00:15,040
Suggester itself, in order to understand the alternatives that we should look into when we try to find a vulnerability.

3
00:00:15,570 --> 00:00:22,200
So over here, we still have the shell and we're going to exit out of this one and go into the Meterpreter.

4
00:00:22,440 --> 00:00:24,720
And apparently we cannot clear that.

5
00:00:24,720 --> 00:00:25,700
But don't worry.

6
00:00:26,190 --> 00:00:31,050
So we're going to see the advantage of having a Meterpreter shell here as well.

7
00:00:31,440 --> 00:00:38,220
OK, so the Meterpreter shell actually gives you a lot of possibility, like you can run ls, and that's,

8
00:00:38,220 --> 00:00:39,840
for example, rather than dir.

9
00:00:40,080 --> 00:00:49,880
But other than this kind of cosmetic things, we also get to see some nice features like

10
00:00:49,890 --> 00:00:50,500
getsystem.

11
00:00:50,850 --> 00:00:59,640
OK, so if you run getsystem, if Metasploit can find a way to escalate your privilege in an automated

12
00:00:59,640 --> 00:01:02,180
way, it will do it, OK?

13
00:01:02,340 --> 00:01:03,690
You just have to write

14
00:01:03,720 --> 00:01:04,600
getsystem.

15
00:01:05,220 --> 00:01:11,920
So this will just look out for the basic opportunities in order to escalate your privilege.

16
00:01:12,840 --> 00:01:16,550
Most of the time this won't work, by the way, but it's worth a shot.

17
00:01:16,550 --> 00:01:18,110
That's just one command.

18
00:01:18,540 --> 00:01:24,330
So in CTFs it might work; in real life pentests?

19
00:01:24,330 --> 00:01:25,280
I don't think so.

20
00:01:25,680 --> 00:01:27,570
However, it's worth a shot.

21
00:01:27,790 --> 00:01:33,780
And also, this is not the only advantage that we get when we actually have a Meterpreter.
22
00:01:33,810 --> 00:01:43,190
Well, the other thing is it has a post exploit suggestion module built inside of it, OK?

23
00:01:43,440 --> 00:01:49,800
It's not built inside of the Meterpreter itself, but it's built inside of the Metasploit itself,

24
00:01:50,130 --> 00:01:56,910
so that we can actually use the session that we have over here as a Meterpreter session and we can

25
00:01:56,910 --> 00:02:04,620
supply the session's info to that module in order to understand if we have any suggestions in order

26
00:02:04,620 --> 00:02:06,100
to escalate the privilege.

27
00:02:06,810 --> 00:02:13,770
So all you got to do is just run this: run post, the exploit suggester itself.

28
00:02:13,980 --> 00:02:16,950
But you got to do this in the background.

29
00:02:17,430 --> 00:02:19,440
OK, so let me show you what I mean.

30
00:02:19,440 --> 00:02:24,570
I'm going to run this: run post/multi, or multi, OK?

31
00:02:24,870 --> 00:02:35,030
And then slash recon and then slash local exploit suggester. So this post/multi/recon/local_exploit_suggester

32
00:02:35,040 --> 00:02:38,970
is a module of the Metasploit itself.

33
00:02:39,380 --> 00:02:48,240
OK, so when we run this from inside of the Meterpreter, it tries to collect the local exploits for

34
00:02:48,240 --> 00:02:55,910
the Windows and it will try to just give us some suggestions, give us some outputs like this.

35
00:02:55,920 --> 00:02:56,430
Here we go.

36
00:02:56,430 --> 00:02:57,000
It works.

37
00:02:57,240 --> 00:03:00,480
As you can see, we already have some output.

38
00:03:00,480 --> 00:03:08,270
We already have some information over here and they are similar with the Windows Exploit

39
00:03:08,280 --> 00:03:11,550
Suggester thingy that we have seen in the previous lecture.

40
00:03:11,970 --> 00:03:14,840
OK, so this is very good.

41
00:03:14,850 --> 00:03:16,230
This is very practical.
42
00:03:16,230 --> 00:03:25,690
You can do this with only one command, and I believe we lost the session over here for some reason.

43
00:03:26,070 --> 00:03:31,530
So before we lose this stuff as well, I'm going to copy this, OK, and take note of this.

44
00:03:31,890 --> 00:03:37,280
I'm going to copy this and I'm going to save this under my notes as well.

45
00:03:37,860 --> 00:03:45,560
We did that in the Windows Exploit Suggester, and we did that under the CTF folder, under the digital

46
00:03:45,570 --> 00:03:46,950
folder over here.

47
00:03:46,950 --> 00:03:55,770
OK, so I'm going to just do the same thing so that we can compare our results later on and come back

48
00:03:55,770 --> 00:03:59,010
to see if we have any much more information,

49
00:03:59,010 --> 00:04:02,430
if any more information is needed.

50
00:04:02,880 --> 00:04:11,010
So let me come over here and open a new text called "exploit suggester". I'm going to paste the

51
00:04:11,400 --> 00:04:18,380
output over here and I'm going to save this and I'm going to try and open the session one more time.

52
00:04:18,540 --> 00:04:21,890
So let me see the sessions over here.

53
00:04:22,140 --> 00:04:24,390
Nope, we don't have any sessions.

54
00:04:24,660 --> 00:04:26,340
We don't have any jobs.

55
00:04:26,730 --> 00:04:28,710
So I'm going to say show options.

56
00:04:28,920 --> 00:04:29,180
Yeah.

57
00:04:29,190 --> 00:04:29,850
Here you go.

58
00:04:29,850 --> 00:04:37,230
I believe our LHOST and LPORT are correct, so I'm going to exploit one more time and I'm going to

59
00:04:37,230 --> 00:04:42,660
run our ASPX to see if we have the session back.

60
00:04:42,660 --> 00:04:43,590
Yeah, here you go.

61
00:04:43,980 --> 00:04:47,720
Now I'm going to run sessions 2, and here you go.

62
00:04:48,030 --> 00:04:50,340
Now we're interacting with the session two.

63
00:04:50,760 --> 00:04:52,350
Now we're back in the session.
64
00:04:53,130 --> 00:04:56,550
OK, but of course, this doesn't end here.

65
00:04:56,550 --> 00:04:59,730
So we have already seen two tools in

66
00:05:00,160 --> 00:05:06,200
order to understand if you have any possibility of privilege escalation, but also there is a very popular third

67
00:05:06,220 --> 00:05:07,250
one here as well.

68
00:05:07,480 --> 00:05:09,240
So let me show you what I mean.

69
00:05:09,250 --> 00:05:13,130
I'm going to go for google.com and I'm going to search for WinPEAS.

70
00:05:13,540 --> 00:05:16,060
So this LinPEAS is actually for Linux.

71
00:05:16,060 --> 00:05:18,290
And this is a bash file, as you can see.

72
00:05:18,550 --> 00:05:20,680
You can use this in Linux as well.

73
00:05:21,100 --> 00:05:28,330
OK, so this is kind of a search for these vulnerabilities and it shows us back the results.

74
00:05:28,510 --> 00:05:31,170
So we're going to look for the WinPEAS over here.

75
00:05:31,180 --> 00:05:37,590
So they are named after the same syntax, as you might have already understood.

76
00:05:37,780 --> 00:05:43,950
And over here, under the code, we have the winPEAS.exe.

77
00:05:44,470 --> 00:05:47,380
So if you want, you can compile it yourself.

78
00:05:47,390 --> 00:05:52,870
You have the source code over here, or if you don't want it, you can just download the winPEAS

79
00:05:52,870 --> 00:05:56,150
exe and try to just use it.

80
00:05:56,620 --> 00:06:01,260
OK, so this is Windows Privilege Escalation Awesome Script.

81
00:06:01,510 --> 00:06:06,280
So this is the abbreviation of where PEAS comes from.

82
00:06:06,280 --> 00:06:07,930
OK, Privilege Escalation

83
00:06:07,930 --> 00:06:08,980
Awesome Script.

84
00:06:10,370 --> 00:06:16,850
So it's again in the book, the hacktricks.xyz, that we have seen before.

85
00:06:17,390 --> 00:06:26,260
So if you haven't bookmarked it yet, I suggest you to do so, because this is not the only thing.
86
00:06:26,270 --> 00:06:31,970
This is not the only path that we should follow when it comes to privilege escalation, as you can see

87
00:06:31,970 --> 00:06:39,020
in the hacktricks.xyz, we see a lot of things over here like system information, searching

88
00:06:39,020 --> 00:06:40,520
for kernel exploits.

89
00:06:40,970 --> 00:06:44,690
And of course, we are following the same path over here.

90
00:06:44,690 --> 00:06:53,030
But you may just get a lot of different commands or a lot of different techniques in order to understand

91
00:06:53,030 --> 00:06:56,990
if there is any possibility for privilege escalation.

92
00:06:57,510 --> 00:07:04,790
As you know, this is a book, like an online book, and it gives you a lot of information, much more

93
00:07:04,790 --> 00:07:08,320
information than we actually see over here.

94
00:07:08,330 --> 00:07:12,230
So make sure you take a note of this.

95
00:07:12,530 --> 00:07:19,270
For example, over here we have some Metasploit payloads, like we can use with msfvenom.

96
00:07:19,940 --> 00:07:24,800
We have some kind of MSI installation, something like that.

97
00:07:25,160 --> 00:07:31,980
You got to take this into consideration as well when you're trying to solve a CTF or a real test.

98
00:07:32,660 --> 00:07:40,290
So over here we have the binaries and also the source codes for this awesome script suite.

99
00:07:40,700 --> 00:07:45,650
But we also have the exe over here.

100
00:07:45,650 --> 00:07:49,340
So I'm just going to go for the latest obfuscated version.

101
00:07:49,670 --> 00:07:57,320
OK, so I'm going to go for the latest exe and just download it, so you can find it under bin.

102
00:07:57,620 --> 00:07:59,950
And these are the exe files.

103
00:07:59,960 --> 00:08:05,560
So we have the any exe file, 64 bit and 32 bit over here.

104
00:08:05,570 --> 00:08:10,460
So you're just going to have to use the one that fits you.
105
00:08:10,630 --> 00:08:15,060
OK, so you can try to use it with winPEASany.exe.

106
00:08:15,340 --> 00:08:24,250
OK, I'm going to go for that and see if I can download it, so I believe I cannot download it.

107
00:08:24,260 --> 00:08:26,870
Is it a previous one over here?

108
00:08:27,140 --> 00:08:33,170
So let me try to delete this, or let me just try to download it one more time.

109
00:08:33,170 --> 00:08:39,140
I believe we are in a 32 bit environment, as you might remember from the system info.

110
00:08:39,350 --> 00:08:43,310
So I'm going to go for the x86 over there.

111
00:08:43,790 --> 00:08:49,760
And once you do that, it says that it contains malware.

112
00:08:50,060 --> 00:08:54,900
So you're going to have to open it and just find it under your Downloads folder.

113
00:08:54,920 --> 00:08:56,000
Here we are.

114
00:08:56,510 --> 00:09:02,440
OK, I believe I have the any, the 64 bit and the x86 over here.

115
00:09:03,020 --> 00:09:05,420
So I have downloaded these things before.

116
00:09:05,930 --> 00:09:10,360
So I'm going to delete this old one and go for the latest one.

117
00:09:11,000 --> 00:09:18,380
So let me just rename this, OK, so let me just rename this, and here you go.

118
00:09:18,380 --> 00:09:20,090
I have all three versions.

119
00:09:20,090 --> 00:09:24,740
You're more than welcome to download and try it yourselves, OK?

120
00:09:24,750 --> 00:09:31,400
And if you have a Meterpreter session again, a very important aspect of this is that you can just upload

121
00:09:31,400 --> 00:09:38,180
something to the server, upload something to the target machine that you're currently logged in to.

122
00:09:38,180 --> 00:09:46,480
OK, so if I run pwd, I'm in the system32, and if I want I can just upload

123
00:09:46,490 --> 00:09:51,860
this to here, or I can go to the temporary folder as we do in the Linux.
124
00:09:52,100 --> 00:09:58,940
But again, this is actually placed somewhere else in the Windows and it's better for us to know

125
00:09:58,940 --> 00:10:01,850
where it's located so that we can use it.

126
00:10:02,390 --> 00:10:09,650
But of course you can try to upload it anywhere, like in the system directory or in the C directly, but

127
00:10:09,650 --> 00:10:11,300
most of the time it won't work.

128
00:10:11,330 --> 00:10:14,540
OK, so it's better to go into the temp folder.

129
00:10:15,080 --> 00:10:17,570
In order to do that, you're going to have to write it like this.

130
00:10:17,840 --> 00:10:27,410
So cd into C, and after the colon you're going to have to do some backslashes just like this, and two backslashes

131
00:10:27,410 --> 00:10:28,690
in that case.

132
00:10:29,060 --> 00:10:35,870
OK, so C colon, two backslashes, Windows, and two backslashes, temp.

133
00:10:36,260 --> 00:10:42,140
So if your Windows is not located on the C like this, you're gonna have to adjust it yourselves, and

134
00:10:42,140 --> 00:10:44,930
you can get this information from the system info.

135
00:10:45,350 --> 00:10:48,890
Right now we are in the C:\Windows\Temp, as you can see.

136
00:10:49,130 --> 00:10:52,520
So this is the equivalent of the tmp folder in the Linux.

137
00:10:52,820 --> 00:11:00,770
So most probably we have permission to write files over here, so we can try to download the

138
00:11:00,770 --> 00:11:01,460
file.

139
00:11:01,460 --> 00:11:04,760
But I'm just going to upload it using our Meterpreter shell.

140
00:11:05,540 --> 00:11:09,220
And in order to do that, I believe we need a full path.

141
00:11:09,410 --> 00:11:15,530
We were here, so this is located on the root Downloads, so if yours is located somewhere

142
00:11:15,530 --> 00:11:20,880
else, make sure you copy that, because we need to supply that information over here.

143
00:11:21,300 --> 00:11:23,480
OK, so let me paste the clipboard.
144
00:11:23,750 --> 00:11:28,160
And after that, we're going to have to supply the whole name, which is winPEAS.

145
00:11:28,160 --> 00:11:33,820
Let me write that: winPEASx86.exe.

146
00:11:33,830 --> 00:11:38,810
So if I run this, it will upload this to our target server.

147
00:11:39,020 --> 00:11:43,030
If I run ls, I will see.

148
00:11:43,080 --> 00:11:44,990
Let's see if we can see this actually.

149
00:11:46,430 --> 00:11:47,290
Yep.

150
00:11:47,930 --> 00:11:48,600
Here you go.

151
00:11:48,770 --> 00:11:53,560
Yeah, it's under the temp folder and also we have a lot of temp files over there.

152
00:11:53,840 --> 00:11:55,040
Don't worry about it.

153
00:11:55,220 --> 00:11:56,930
OK, we have it over here.

154
00:11:57,380 --> 00:12:03,280
And of course if you want you can try winPEASany.exe as well.

155
00:12:04,130 --> 00:12:10,630
It should work in this case, whether it's 64 or 32 bit.

156
00:12:10,950 --> 00:12:18,860
But I believe you're in a 32 bit environment, and we can try to migrate to another thingy later on if

157
00:12:18,860 --> 00:12:19,820
we get a shell.

158
00:12:20,420 --> 00:12:26,380
So I'm going to go into the Windows shell; if I run dir, we see the winPEAS over here.

159
00:12:26,660 --> 00:12:28,700
OK, so it's there now.

160
00:12:28,700 --> 00:12:32,510
I will try to execute this by just typing the name over here.

161
00:12:32,750 --> 00:12:36,830
And if I hit enter, as you can see, nothing happens.

162
00:12:37,010 --> 00:12:41,450
I don't even know if it got executed or something like that.

163
00:12:42,230 --> 00:12:51,080
But remember, we also had the Windows Defender and firewall enabled in this session, in this actually targeted

164
00:12:51,080 --> 00:12:51,650
machine.

165
00:12:51,830 --> 00:12:54,140
So maybe it's blocking the connection.

166
00:12:54,500 --> 00:13:01,550
So it's always a good idea to avoid running exes on the target if we have alternatives.
167
00:13:01,820 --> 00:13:09,230
OK, and in this case, we already have one and two different kinds of suggestions.

168
00:13:09,560 --> 00:13:12,800
But as you can see, I'm trying the third one.

169
00:13:12,800 --> 00:13:15,560
Maybe we get a different kind of output.

170
00:13:15,560 --> 00:13:18,200
I don't know, but we cannot seem to do that.

171
00:13:18,590 --> 00:13:22,990
Of course, we can try to exit and try to load PowerShell. PowerShell

172
00:13:23,030 --> 00:13:25,550
is kind of a shell that you can run

173
00:13:26,210 --> 00:13:33,020
some system commands in, like a powerful execution shell implementation in Windows, OK?

174
00:13:33,530 --> 00:13:40,610
And in this case, we can try to load the PowerShell from the Meterpreter and try to run it with PowerShell

175
00:13:40,610 --> 00:13:41,480
as well.

176
00:13:42,050 --> 00:13:45,080
But again, we lost the connection.

177
00:13:45,080 --> 00:13:47,450
Let me try to exploit it one more time.

178
00:13:47,810 --> 00:13:54,110
It really doesn't matter, because I already tried it and it doesn't work in the PowerShell: if you just

179
00:13:54,530 --> 00:14:00,680
type load powershell and try to execute it from there, it won't give you any result back.

180
00:14:00,860 --> 00:14:07,640
But it's not important, because we already have the Exploit Suggester and the Metasploit post suggester

181
00:14:08,330 --> 00:14:09,770
results back here.

182
00:14:10,130 --> 00:14:16,940
OK, so make sure you open your session one more time, because I believe we have a lot of information

183
00:14:17,180 --> 00:14:26,000
to elaborate right now, to evaluate and see if we can elaborate something out of that to become administrator.

184
00:14:26,150 --> 00:14:32,120
And that's exactly what we are going to do within the next lecture, because I believe we have already

185
00:14:32,120 --> 00:14:34,790
covered the information gathering phase over here.

186
00:14:35,000 --> 00:14:36,890
Let's do that in the next lecture.