1
00:00:00,900 --> 00:00:07,590
Hi, we did this lecture, where are you going to see the other tools rather than the experts I just

2
00:00:07,590 --> 00:00:15,040
saw itself in order to understand the alternatives that we should look into when we try to find a vulnerability.

3
00:00:15,570 --> 00:00:22,200
So over here, we still have the shell and we're going to exit out of this one and go into the interpreter.

4
00:00:22,440 --> 00:00:24,720
And apparently we cannot clear that.

5
00:00:24,720 --> 00:00:25,700
But don't worry.

6
00:00:26,190 --> 00:00:31,050
So we're going to see the advantage of having an interpreter shell here as well.

7
00:00:31,440 --> 00:00:38,220
OK, so interpretor shell actually gives you a lot of possibility, like you can run, and that's,

8
00:00:38,220 --> 00:00:39,840
for example, rather than there.

9
00:00:40,080 --> 00:00:49,880
But other than the eye, this kind of cosmetic things, we also get to see some nice features like get

10
00:00:49,890 --> 00:00:50,500
system.

11
00:00:50,850 --> 00:00:59,640
OK, so if you on get system, if metallurgic can find a way to escalate your privilege in an automated

12
00:00:59,640 --> 00:01:02,180
way, it will do it, OK?

13
00:01:02,340 --> 00:01:03,690
You just have to right.

14
00:01:03,720 --> 00:01:04,600
Get system.

15
00:01:05,220 --> 00:01:11,920
So this will just look out for the basic opportunities in order to escalate your privilege.

16
00:01:12,840 --> 00:01:16,550
Most of the time this won't work, by the way, but it's worth a shot.

17
00:01:16,550 --> 00:01:18,110
That's just one comment.

18
00:01:18,540 --> 00:01:24,330
So insects might it might work in real life, Pantazis?

19
00:01:24,330 --> 00:01:25,280
I don't think so.

20
00:01:25,680 --> 00:01:27,570
However, it's worth a shot.

21
00:01:27,790 --> 00:01:33,780
And also, this is not the only advantage that we get when we actually have an interpreter.

22
00:01:33,810 --> 00:01:43,190
Well, the other thing is it has a post exploit suggestion module built inside of it, OK?

23
00:01:43,440 --> 00:01:49,800
It's not built inside of the interpreter itself, but it's built inside of the metal exploit itself

24
00:01:50,130 --> 00:01:56,910
so that we can actually use the section that we have over here as an interpreter station and we can

25
00:01:56,910 --> 00:02:04,620
supply the station's info to that module in order to understand if we have any suggestions in order

26
00:02:04,620 --> 00:02:06,100
to escalate the privilege.

27
00:02:06,810 --> 00:02:13,770
So all you got to do is just run this run post exploit and the suggestion itself.

28
00:02:13,980 --> 00:02:16,950
But you got to do this in the background.

29
00:02:17,430 --> 00:02:19,440
OK, so let me show you what I mean.

30
00:02:19,440 --> 00:02:24,570
I'm going to run this run post multi or multi, OK?

31
00:02:24,870 --> 00:02:35,030
And then slash recon and then slash local exploit suggest or so this post multi recon local exploits

32
00:02:35,040 --> 00:02:38,970
register is a module of the metal exploit itself.

33
00:02:39,380 --> 00:02:48,240
OK, so when we run this from inside of the interpreter, it tries to collect the local exploits for

34
00:02:48,240 --> 00:02:55,910
the windows and it will try to just give us some suggestions, give us some outputs like this.

35
00:02:55,920 --> 00:02:56,430
Here we go.

36
00:02:56,430 --> 00:02:57,000
It works.

37
00:02:57,240 --> 00:03:00,480
As you can see, we already have some output.

38
00:03:00,480 --> 00:03:08,270
We already have some information over here and they are similar with the Windows exploits.

39
00:03:08,280 --> 00:03:11,550
I just heard Tingay that we have seen in the previous lecture.

40
00:03:11,970 --> 00:03:14,840
OK, so this is very good.

41
00:03:14,850 --> 00:03:16,230
This is very practical.

42
00:03:16,230 --> 00:03:25,690
You can do this with only one command and I believe we lost the session over here for some reason.

43
00:03:26,070 --> 00:03:31,530
So before we lose this stuff as well, I'm going to copy this, OK, and take note of this.

44
00:03:31,890 --> 00:03:37,280
I'm going to copy this and I'm going to save this under my notes as well.

45
00:03:37,860 --> 00:03:45,560
We did that in the windows, exploits Gister, and we did that under the CTF folder, under the digital

46
00:03:45,570 --> 00:03:46,950
folder or here.

47
00:03:46,950 --> 00:03:55,770
OK, so I'm going to just do the same thing so that we can compare our results later on and come back

48
00:03:55,770 --> 00:03:59,010
to see if we have any much more information.

49
00:03:59,010 --> 00:04:02,430
Do we need, if any, information is needed.

50
00:04:02,880 --> 00:04:11,010
So let me come over here and I know a new tax code at this point suggested that I'm going to paste the

51
00:04:11,400 --> 00:04:18,380
output over here and I'm going to save this and I'm going to try and open the session one more time.

52
00:04:18,540 --> 00:04:21,890
So let me see the sections over here so that I shall.

53
00:04:22,140 --> 00:04:24,390
Nope, we don't have any issues.

54
00:04:24,660 --> 00:04:26,340
We don't have any jobs.

55
00:04:26,730 --> 00:04:28,710
So I'm going to say all options.

56
00:04:28,920 --> 00:04:29,180
Yeah.

57
00:04:29,190 --> 00:04:29,850
Here you go.

58
00:04:29,850 --> 00:04:37,230
I believe our al-Hassan outport is correct, so I'm going to explore one more time and I'm going to

59
00:04:37,230 --> 00:04:42,660
run our aspects and to see if we have the section back.

60
00:04:42,660 --> 00:04:43,590
Yeah, here you go.

61
00:04:43,980 --> 00:04:47,720
Now I'm going to run sections two and here you go.

62
00:04:48,030 --> 00:04:50,340
Now we're interacting with the section two.

63
00:04:50,760 --> 00:04:52,350
Now we're back in the section.

64
00:04:53,130 --> 00:04:56,550
OK, but of course, this doesn't end here.

65
00:04:56,550 --> 00:04:59,730
So we have already seen two tools in.

66
00:05:00,160 --> 00:05:06,200
Understand if you have any possibility of previous escalation, but also there is a very popular third

67
00:05:06,220 --> 00:05:07,250
one here as well.

68
00:05:07,480 --> 00:05:09,240
So let me show you what I mean.

69
00:05:09,250 --> 00:05:13,130
I'm going to go for Google dot com and I'm going to search for Limpus.

70
00:05:13,540 --> 00:05:16,060
So this limpets is actually for Linux.

71
00:05:16,060 --> 00:05:18,290
And this is a batch file, as you can see.

72
00:05:18,550 --> 00:05:20,680
You can use this in Linux as well.

73
00:05:21,100 --> 00:05:28,330
OK, so this is kind of a search for these vulnerabilities and show us back to results.

74
00:05:28,510 --> 00:05:31,170
So we're going to look for the vampyres over here.

75
00:05:31,180 --> 00:05:37,590
So they are named after the same syntax as you might have already understood that.

76
00:05:37,780 --> 00:05:43,950
And over here, under the car laws, we have the windpipes that ETECSA.

77
00:05:44,470 --> 00:05:47,380
So if you want, you can compile it yourself.

78
00:05:47,390 --> 00:05:52,870
You have the source code over here, or if you don't want it, you can just download the one piece that

79
00:05:52,870 --> 00:05:56,150
exi and try to just use it.

80
00:05:56,620 --> 00:06:01,260
OK, so this is Windows privilege, escalation of some script.

81
00:06:01,510 --> 00:06:06,280
So this is the aberration of our piece come from.

82
00:06:06,280 --> 00:06:07,930
OK, previously escalation.

83
00:06:07,930 --> 00:06:08,980
Awesome script.

84
00:06:10,370 --> 00:06:16,850
So it's again in the book, the tech tricks that exercise that we have seen this before.

85
00:06:17,390 --> 00:06:26,260
So if you haven't bookmarked yet, I suggest you to do so, because this is not the only thing.

86
00:06:26,270 --> 00:06:31,970
This is not the only path that we should follow when it comes to Peruggia escalation, as you can see

87
00:06:31,970 --> 00:06:39,020
in the hack tricks that X, Y, Z, we see a lot of things over here like system information, searching

88
00:06:39,020 --> 00:06:40,520
for kernel exploits.

89
00:06:40,970 --> 00:06:44,690
And of course, we are following the same path over here.

90
00:06:44,690 --> 00:06:53,030
But you may just get a lot of different comments or a lot of different techniques in order to understand

91
00:06:53,030 --> 00:06:56,990
if there is any possibility for privileged escalation.

92
00:06:57,510 --> 00:07:04,790
As you know, this is a book like an online book, and it gives you a lot of information, much more

93
00:07:04,790 --> 00:07:08,320
information that we actually see over here.

94
00:07:08,330 --> 00:07:12,230
So make sure you take a note of this.

95
00:07:12,530 --> 00:07:19,270
For example, over here we have some Mentos upload payloads like we can use with MSF, Vietnam.

96
00:07:19,940 --> 00:07:24,800
We have some kind of Amazigh installation, something like that.

97
00:07:25,160 --> 00:07:31,980
You got to take this into consideration as well when you're trying to solve a CTF or a real test.

98
00:07:32,660 --> 00:07:40,290
So over here we have the binaries and also the source codes for this awesome script suite.

99
00:07:40,700 --> 00:07:45,650
But we all also have the XY over here.

100
00:07:45,650 --> 00:07:49,340
So I'm just going to go for the latest obfuscated version.

101
00:07:49,670 --> 00:07:57,320
OK, so I'm going to go for the latest ETECSA and just download it so you can find it under Bhim.

102
00:07:57,620 --> 00:07:59,950
And this is the X Files.

103
00:07:59,960 --> 00:08:05,560
So we have the any X Files, 64 bit and 32 bit over here.

104
00:08:05,570 --> 00:08:10,460
So you just going to have to just use it one that fits you.

105
00:08:10,630 --> 00:08:15,060
OK, so you can try to use it with any that XY.

106
00:08:15,340 --> 00:08:24,250
OK, I'm going to go for that and see if I can download it so I believe I can not download it.

107
00:08:24,260 --> 00:08:26,870
Is it a previous one over here.

108
00:08:27,140 --> 00:08:33,170
So let me try to delete this or let me just try to download it one more time.

109
00:08:33,170 --> 00:08:39,140
I believe we are in a 32 bit environment, as you might remember from the system info.

110
00:08:39,350 --> 00:08:43,310
So I'm going to go for the X eight to six over there.

111
00:08:43,790 --> 00:08:49,760
And once you do that, it contains the color of the things it contains and malware.

112
00:08:50,060 --> 00:08:54,900
So you going to have to open it and just find it under your download folder.

113
00:08:54,920 --> 00:08:56,000
Here we are.

114
00:08:56,510 --> 00:09:02,440
OK, I believe I have the any 64 bit and the 86 bit over here.

115
00:09:03,020 --> 00:09:05,420
So I have downloaded these things before.

116
00:09:05,930 --> 00:09:10,360
So I'm going to delete this old one and go for the latest one.

117
00:09:11,000 --> 00:09:18,380
So let me just rename this, OK, so let me just rename this and here you go.

118
00:09:18,380 --> 00:09:20,090
I have all three versions.

119
00:09:20,090 --> 00:09:24,740
You you're more than welcome to download and try it yourselves, OK?

120
00:09:24,750 --> 00:09:31,400
And if you have an interpreter session again and very important aspect of this, that you can just upload

121
00:09:31,400 --> 00:09:38,180
something to the server, upload something that you're currently logged in to your target machine.

122
00:09:38,180 --> 00:09:46,480
OK, so if I run PWP, I mean the system 32 Einarsson ratio, I if I want I can just upload its upload

123
00:09:46,490 --> 00:09:51,860
this to here or I can go to the temporary folder as we do in the Linux.

124
00:09:52,100 --> 00:09:58,940
But again, this is actually placed in somewhere else in the Windows and it's better for us to know

125
00:09:58,940 --> 00:10:01,850
where it's located so that we can use it.

126
00:10:02,390 --> 00:10:09,650
But of course you can try to upload it anywhere like in the system Gerta or in the sea directly, but

127
00:10:09,650 --> 00:10:11,300
most of the time it won't work.

128
00:10:11,330 --> 00:10:14,540
OK, so it's better to go into the temp folder.

129
00:10:15,080 --> 00:10:17,570
In order to do that, you're going to have to write it like this.

130
00:10:17,840 --> 00:10:27,410
So CD into C and after Kullen you're going to have to do some backslash just like this and to back slashers

131
00:10:27,410 --> 00:10:28,690
in that case.

132
00:10:29,060 --> 00:10:35,870
OK, so see column two back is windows and two backslash is temp.

133
00:10:36,260 --> 00:10:42,140
So if your windows is not located on the C like this, you're gonna have to adjust it yourselves and

134
00:10:42,140 --> 00:10:44,930
you can get this information from get system info.

135
00:10:45,350 --> 00:10:48,890
Right now we are in the C Windows temp, as you can see.

136
00:10:49,130 --> 00:10:52,520
So this is the equivalent of the temp folder in the Linux.

137
00:10:52,820 --> 00:11:00,770
So most probably we can have have permission to write files over here so we can try to download the

138
00:11:00,770 --> 00:11:01,460
file.

139
00:11:01,460 --> 00:11:04,760
But I'm just going to upload it using our interpreter shall.

140
00:11:05,540 --> 00:11:09,220
And in order to do that, I believe we need a full page.

141
00:11:09,410 --> 00:11:15,530
We were here, so this is located on the route download, so if yours is located down there somewhere

142
00:11:15,530 --> 00:11:20,880
else, make sure you copy that because we need to supply that information over here.

143
00:11:21,300 --> 00:11:23,480
OK, so let me pass the clipboard.

144
00:11:23,750 --> 00:11:28,160
And after that, we're going to have to supply the whole name, which is weird.

145
00:11:28,160 --> 00:11:33,820
Please let me write that when whimpers X 866.

146
00:11:33,830 --> 00:11:38,810
See, I, if I run this, it will upload this to our target server.

147
00:11:39,020 --> 00:11:43,030
They fire on the less I will see.

148
00:11:43,080 --> 00:11:44,990
Let's see if we can see this actually.

149
00:11:46,430 --> 00:11:47,290
Yep.

150
00:11:47,930 --> 00:11:48,600
Here you go.

151
00:11:48,770 --> 00:11:53,560
Yeah, it's under the tem folder and also we have a lot of temp files over there.

152
00:11:53,840 --> 00:11:55,040
Don't worry about it.

153
00:11:55,220 --> 00:11:56,930
OK, we have it over here.

154
00:11:57,380 --> 00:12:03,280
And of course if you want you can try it wimps any EXI as well.

155
00:12:04,130 --> 00:12:10,630
It should work in this case, whether it's six or forward or 32 bit.

156
00:12:10,950 --> 00:12:18,860
But I believe you're in a 32 bit environment and we can try to migrate to another Tingay later on if

157
00:12:18,860 --> 00:12:19,820
we get a show.

158
00:12:20,420 --> 00:12:26,380
So I'm going to go into the windows shall if I run there we see the wimps over here.

159
00:12:26,660 --> 00:12:28,700
OK, so it's there now.

160
00:12:28,700 --> 00:12:32,510
I will try to execute this by just typing the name over here.

161
00:12:32,750 --> 00:12:36,830
And if I hit enter, as you can see, nothing happens.

162
00:12:37,010 --> 00:12:41,450
I don't know even if it's if it got executed or something like that.

163
00:12:42,230 --> 00:12:51,080
But remember, we also had the wind defender and firewall enabled in this section in this actually targeted

164
00:12:51,080 --> 00:12:51,650
machine.

165
00:12:51,830 --> 00:12:54,140
So maybe it's blocking the connection.

166
00:12:54,500 --> 00:13:01,550
So it's always a good idea to avoid running Ekis on the target if we have alternatives.

167
00:13:01,820 --> 00:13:09,230
OK, and in this case, we already have one and two different kind of suggestions.

168
00:13:09,560 --> 00:13:12,800
But as you can see, I'm trying the third one.

169
00:13:12,800 --> 00:13:15,560
Maybe we get a different kind of output.

170
00:13:15,560 --> 00:13:18,200
I don't know, but we cannot seem to do that.

171
00:13:18,590 --> 00:13:22,990
Of course, we can try to exit and try to load power, shell power.

172
00:13:23,030 --> 00:13:25,550
Shell is kind of a shell that you can run.

173
00:13:26,210 --> 00:13:33,020
Some system commands like a powerful execution of shell limitation in windows, OK?

174
00:13:33,530 --> 00:13:40,610
And in this case, we can try to load the power shell from the interpreter and try to run it with power

175
00:13:40,610 --> 00:13:41,480
shell as well.

176
00:13:42,050 --> 00:13:45,080
But again, we lost the connection.

177
00:13:45,080 --> 00:13:47,450
Let me try to exploit it one more time.

178
00:13:47,810 --> 00:13:54,110
It really does matter because I already tried it and it doesn't work in the power shell if you just

179
00:13:54,530 --> 00:14:00,680
type low power usually and if you can try to execute it from there, it won't give you any result back.

180
00:14:00,860 --> 00:14:07,640
But it's not important because we already have the exploits register and the metal split posts joester

181
00:14:08,330 --> 00:14:09,770
results back here.

182
00:14:10,130 --> 00:14:16,940
OK, so make sure you open your session one more time because I believe we have a lot of information

183
00:14:17,180 --> 00:14:26,000
to elaborate right now to evaluate and see if we can elaborate something out of that to become administrator.

184
00:14:26,150 --> 00:14:32,120
And that's exactly what we are going to do within the next lecture, because I believe we have already

185
00:14:32,120 --> 00:14:34,790
covered the information gathering phase over here.

186
00:14:35,000 --> 00:14:36,890
Let's do that in the next lecture.