1
00:00:01,020 --> 00:00:01,380
Hi.

2
00:00:01,920 --> 00:00:08,610
Right now, we are in the interpreter and we gathered all the information regarding capability escalation

3
00:00:08,610 --> 00:00:09,280
over here.

4
00:00:09,690 --> 00:00:14,490
So within this lecture, we're going to try and become administrator in the Windows machine that we

5
00:00:14,490 --> 00:00:14,950
hacked.

6
00:00:15,420 --> 00:00:21,180
So over here, we have the metal exploits adjuster and we have the others adjuster here as well.

7
00:00:21,600 --> 00:00:25,070
OK, so we know six police adjuster is over here.

8
00:00:25,710 --> 00:00:32,940
So if you just put them side by side, you can compare them to see what kind of similarities we have

9
00:00:32,940 --> 00:00:33,450
over here.

10
00:00:33,450 --> 00:00:39,180
Like we have this MS 11 a.m. Eastern, EMS, 59, 61.

11
00:00:39,390 --> 00:00:45,200
And over here we have the same thing, like my son, 1092, 53.

12
00:00:45,510 --> 00:00:49,680
OK, so these are codes for the different kind of exploits.

13
00:00:50,040 --> 00:00:52,770
And we have the descriptions over here as well.

14
00:00:53,250 --> 00:00:56,430
So you can just go for either one.

15
00:00:56,430 --> 00:01:04,050
I'm going to go with the metal so gister since we are in the interpreter show, OK, because these are

16
00:01:04,050 --> 00:01:06,660
also built in modules šemeta exploited.

17
00:01:06,660 --> 00:01:11,900
So for example, we can just find this key pteropod in the metal exploit itself.

18
00:01:12,430 --> 00:01:18,210
Of course, I'm going to copy this and go to Google dot com in order to show you something, because

19
00:01:18,210 --> 00:01:25,140
you might think that what happens if I don't have an interpreter show and if I have the Keter Pods for

20
00:01:25,140 --> 00:01:29,990
some reason available to me for an exploit way.

21
00:01:30,210 --> 00:01:31,620
So what happens?

22
00:01:31,860 --> 00:01:38,850
You can come over here to GitHub or Reppert seven in order to see what Keitaro Pod means or in order

23
00:01:38,850 --> 00:01:40,860
to see how to exploit it.

24
00:01:41,280 --> 00:01:41,700
Right.

25
00:01:41,710 --> 00:01:44,850
So there is a sense of security over here.

26
00:01:44,940 --> 00:01:46,410
There's exploit DB.

27
00:01:46,710 --> 00:01:49,950
You can just take a look at all of those things.

28
00:01:50,460 --> 00:01:54,330
So in the offensive security souce, it's what color?

29
00:01:54,330 --> 00:01:58,620
Lennix we can just use the commands as usual over here.

30
00:01:58,770 --> 00:02:01,920
And I believe this is the privileged escalation section.

31
00:02:02,340 --> 00:02:04,500
It tells about the gate system.

32
00:02:04,500 --> 00:02:06,620
It tells about the local exploits.

33
00:02:07,080 --> 00:02:15,800
OK, so these are some of the options that we're going to be using during this lecture as well.

34
00:02:16,110 --> 00:02:24,120
So this actually lets you understand how to use the robot exploits using the methods deployed one more

35
00:02:24,120 --> 00:02:26,180
time in the offensive security.

36
00:02:26,700 --> 00:02:31,740
OK, so if you don't know how to use it, you can just come along and just see yourself.

37
00:02:31,980 --> 00:02:39,660
And again over here for for example, we have the available descriptions, we have the available codes.

38
00:02:39,900 --> 00:02:45,390
So it's not only working with the methods deployed, you can manually do this as well.

39
00:02:45,390 --> 00:02:52,770
But if you have an interpreter show that it's great to do it with methods because it will be very easy

40
00:02:52,770 --> 00:02:53,430
for you.

41
00:02:53,940 --> 00:02:57,750
So you can try to understand the description over here.

42
00:02:57,960 --> 00:03:05,250
So understand how octopods vulnerability was discovered and how it works in theory as well.

43
00:03:05,250 --> 00:03:14,580
And most importantly, what kind of Windows versions does it affect, like Windows Server 2008, Windows

44
00:03:14,580 --> 00:03:15,720
XP Windows?

45
00:03:15,720 --> 00:03:23,070
We OK, you can see it for yourselves and you can just see the whole message over here.

46
00:03:23,580 --> 00:03:28,050
OK, and again, this Kitara part is very popular.

47
00:03:28,050 --> 00:03:35,910
So this was the, I believe, one of the first ones that we have seen in the list.

48
00:03:36,150 --> 00:03:39,360
So that's why I'm going to go with this first.

49
00:03:39,990 --> 00:03:43,710
And if it doesn't work, of course, it might not work.

50
00:03:43,710 --> 00:03:45,570
We're just going to go for the other ones.

51
00:03:46,170 --> 00:03:49,320
So over here, I'm going to go with this Kitara part.

52
00:03:49,530 --> 00:03:52,260
OK, so I'm going to copy this.

53
00:03:53,040 --> 00:03:59,970
And if you read the description, it says that the service is running but could not be verified.

54
00:04:00,270 --> 00:04:02,760
So we're going to just try, OK?

55
00:04:02,760 --> 00:04:07,710
For some reason, I have exited this interpretation.

56
00:04:07,710 --> 00:04:10,140
OK, so I have to open it one more time.

57
00:04:10,410 --> 00:04:13,230
So I'm going to just run this one more time.

58
00:04:13,470 --> 00:04:16,320
So I believe we are in the section for right now.

59
00:04:16,320 --> 00:04:16,590
Yep.

60
00:04:16,590 --> 00:04:17,270
Here you go.

61
00:04:17,490 --> 00:04:22,740
Now, if you want to go out of a section, you can always run background.

62
00:04:22,740 --> 00:04:29,940
And by the way, I just made sure that we are running this as I as Apple, not as administrator or something

63
00:04:29,940 --> 00:04:30,480
like that.

64
00:04:30,870 --> 00:04:32,340
So just run background.

65
00:04:32,340 --> 00:04:39,060
Now, your session can be seen in the sessions list, OK, so you can come back to your session anytime

66
00:04:39,060 --> 00:04:39,630
you want.

67
00:04:39,630 --> 00:04:42,000
That's how you don't lose your session.

68
00:04:42,480 --> 00:04:47,340
Now, I'm going to run this, OK, so I'm going to copy this, OK?

69
00:04:47,370 --> 00:04:50,610
And I'm going to try and go into that module.

70
00:04:50,610 --> 00:04:54,180
And by the way, this elevator is another popular one.

71
00:04:54,420 --> 00:04:58,740
If it doesn't work, if the Keiter part doesn't work, of course, I'm going to go with this shallow

72
00:04:58,740 --> 00:04:59,720
water and.

73
00:04:59,810 --> 00:05:05,990
And over here, we have some other suggestions as well, we can try them all.

74
00:05:06,350 --> 00:05:16,520
So let me clear this thing up and just use the exploit with those local counterparts.

75
00:05:16,970 --> 00:05:25,160
OK, now we are in the control module, OK, if we go to Kelly Linux document documentation over here,

76
00:05:25,490 --> 00:05:31,340
it says that you have to just make sure you set the sections, set the payload and the other stuff.

77
00:05:31,790 --> 00:05:33,500
So I'm going to say all options.

78
00:05:33,980 --> 00:05:34,700
Here you go.

79
00:05:34,880 --> 00:05:38,400
We have to specify the station that we are currently running.

80
00:05:38,780 --> 00:05:43,010
So if you might remember, a recession is in the background with Section four.

81
00:05:43,280 --> 00:05:45,980
So I'm going to set the section to that.

82
00:05:46,010 --> 00:05:53,990
So if you can run stations, all yours must be different because I had to open and close at a lot of

83
00:05:53,990 --> 00:05:54,980
times, OK?

84
00:05:55,400 --> 00:05:59,900
So right now, if I say show options, it will be displayed over here.

85
00:06:00,350 --> 00:06:04,070
So over here we have to set the Al-Hussayen airport.

86
00:06:04,430 --> 00:06:10,400
So I'm going to open the F config and see what kind of turns you or I have over here, 10, 10, 14,

87
00:06:10,400 --> 00:06:10,990
19.

88
00:06:11,240 --> 00:06:13,870
So I'm going to set my elbows to my 10 zero.

89
00:06:14,210 --> 00:06:20,080
You can try to write one zero over here as well, but I believe this is a better way to do it.

90
00:06:20,480 --> 00:06:26,020
So I'm going to change the outport to something else or maybe we can live it as it is.

91
00:06:26,330 --> 00:06:28,100
I don't remember if we're.

92
00:06:28,100 --> 00:06:28,820
Yeah, here you go.

93
00:06:28,830 --> 00:06:30,680
We have used for two, four, two.

94
00:06:31,340 --> 00:06:36,470
Maybe we can just leave this as it is two four four four four or you can change it to one, two, three,

95
00:06:36,470 --> 00:06:36,860
four.

96
00:06:37,250 --> 00:06:41,160
It really doesn't matter as long as you find a working port.

97
00:06:41,780 --> 00:06:49,580
So I'm going to say, sure, payloads and we have a lot of payloads over here.

98
00:06:49,580 --> 00:06:51,590
So I'm going to say all options.

99
00:06:51,890 --> 00:06:52,670
Let me see.

100
00:06:53,450 --> 00:06:55,130
We have the module and here you go.

101
00:06:55,130 --> 00:06:57,020
Yeah, we have the payload over here.

102
00:06:57,020 --> 00:07:00,710
We know from Interpretor Reverse DCP, this is fine.

103
00:07:00,710 --> 00:07:06,500
If you don't see it in this options, you can say set payloads to this.

104
00:07:06,770 --> 00:07:10,460
I'm going to exploit this and see if we get a back.

105
00:07:11,030 --> 00:07:12,350
So good.

106
00:07:12,350 --> 00:07:15,710
It says exploit completed, but no station was created.

107
00:07:16,070 --> 00:07:19,310
So there can be a couple of reasons for this.

108
00:07:19,580 --> 00:07:23,180
Maybe it's it doesn't work here, OK?

109
00:07:23,180 --> 00:07:25,010
Maybe doesn't work here.

110
00:07:25,400 --> 00:07:28,610
Maybe we have to run explode Jay-Z, OK.

111
00:07:28,610 --> 00:07:31,130
And then just list these sessions.

112
00:07:31,520 --> 00:07:37,640
Now we see only WCD station for now I'm going to say show options.

113
00:07:38,270 --> 00:07:42,260
And over here, let me check the towns zero over here.

114
00:07:42,830 --> 00:07:43,130
Yeah.

115
00:07:43,130 --> 00:07:44,750
It's actually good.

116
00:07:44,900 --> 00:07:49,850
I'm going to change the outport to something else like one, two, three, four and try with that.

117
00:07:50,360 --> 00:07:58,850
OK, I'm going to exploit this one more time in the background and let me just run l nope.

118
00:07:58,850 --> 00:08:01,100
We don't see it as you can see.

119
00:08:01,940 --> 00:08:04,400
So again, maybe it doesn't work.

120
00:08:04,400 --> 00:08:06,320
Maybe we're doing something wrong.

121
00:08:06,410 --> 00:08:08,900
Maybe we have to just try it one more time.

122
00:08:09,440 --> 00:08:10,100
I don't know.

123
00:08:10,490 --> 00:08:15,800
Maybe we have lost the connection to the server, lost the session in four.

124
00:08:16,070 --> 00:08:17,630
Maybe we can try that.

125
00:08:18,020 --> 00:08:19,790
So it happened before, right?

126
00:08:20,090 --> 00:08:21,170
Just out of blue.

127
00:08:21,350 --> 00:08:25,730
Our station has been closed to the hack the back servers.

128
00:08:26,030 --> 00:08:29,480
So we had to just connect one more time.

129
00:08:29,870 --> 00:08:37,100
And after trying that, if it doesn't work as well, we can go for the elevator or any other exploit

130
00:08:37,110 --> 00:08:39,110
suggestions that we see over here.

131
00:08:40,160 --> 00:08:46,580
So, for example, if you come over here and just say, session's out, we don't see it, OK?

132
00:08:46,880 --> 00:08:52,970
And I'm going to go into the stations for I'm going to run a comment to see if I lost the connection

133
00:08:52,970 --> 00:08:53,660
over here.

134
00:08:54,770 --> 00:08:55,790
Yeah, here you go.

135
00:08:55,790 --> 00:08:58,940
I believe we actually lost the connection.

136
00:08:59,270 --> 00:09:03,350
If I run, get Eweida, it doesn't respond to me.

137
00:09:04,310 --> 00:09:09,200
So for some reason, I believe we cannot connect to the server.

138
00:09:09,200 --> 00:09:11,150
And as you can see now, it's dict.

139
00:09:11,870 --> 00:09:12,230
So.

140
00:09:12,240 --> 00:09:18,890
Well, what I'm going to do, I'm going to go back to my multi handler one more time and try to open

141
00:09:18,890 --> 00:09:20,450
the connection one more time.

142
00:09:20,810 --> 00:09:21,710
It happens.

143
00:09:21,950 --> 00:09:26,420
OK, so I'm going to show the options and here you go.

144
00:09:26,420 --> 00:09:28,130
So I'll hostis is correct.

145
00:09:28,370 --> 00:09:30,620
I'm going to exploit this OK.

146
00:09:31,070 --> 00:09:34,040
And I'm going to connect with my Xbox One more time.

147
00:09:34,700 --> 00:09:35,570
So here you go.

148
00:09:35,570 --> 00:09:36,770
Section five opens.

149
00:09:37,040 --> 00:09:43,790
I'm going to directly go to the module key theropod module over here.

150
00:09:44,150 --> 00:09:45,350
So let me find it.

151
00:09:45,710 --> 00:09:46,640
Yeah, here you go.

152
00:09:46,640 --> 00:09:53,990
Now I'm going to show options and we have to change the station because it's stuck in for over here.

153
00:09:53,990 --> 00:09:59,180
I'm going to say cessation to Fife and rest is good.

154
00:09:59,180 --> 00:09:59,540
I'm just.

155
00:09:59,620 --> 00:10:10,840
And they exploit this and see, here you go, it says that exploitation six opens, if I say, yep,

156
00:10:10,840 --> 00:10:11,430
here you go.

157
00:10:11,440 --> 00:10:14,410
Now we see the anti-austerity system at the wall.

158
00:10:14,430 --> 00:10:15,490
So this is route.

159
00:10:15,610 --> 00:10:17,020
This is administrator.

160
00:10:17,350 --> 00:10:19,240
So I'm going to go into decision six.

161
00:10:19,480 --> 00:10:22,790
I'm going to say get UID and we are authority's system.

162
00:10:23,320 --> 00:10:24,570
So far, so good.

163
00:10:24,570 --> 00:10:27,470
So let me try and see if we can go to shelter.

164
00:10:27,520 --> 00:10:27,820
Yep.

165
00:10:27,820 --> 00:10:28,540
Here you go.

166
00:10:28,870 --> 00:10:29,800
Now I will.

167
00:10:29,800 --> 00:10:30,250
Around who.

168
00:10:30,370 --> 00:10:31,900
My immaturity.

169
00:10:32,380 --> 00:10:38,950
And I'm going to try and see if we can go to the administrator folder so that you can see where the

170
00:10:38,950 --> 00:10:42,610
flags are located under hacked box machines.

171
00:10:42,610 --> 00:10:48,070
So I'm going to go to see and from there and I'm going to go to users.

172
00:10:48,490 --> 00:10:49,880
I'm going to run there.

173
00:10:50,050 --> 00:10:50,730
Here you go.

174
00:10:50,740 --> 00:10:53,460
Now, let's see if we can go to administrator.

175
00:10:54,370 --> 00:10:59,170
OK, and yeah, I believe I misspelled that.

176
00:10:59,170 --> 00:11:02,930
So let me try this one more time like this.

177
00:11:03,280 --> 00:11:03,940
Here you go.

178
00:11:03,940 --> 00:11:08,170
Now, I can run this over here, so it should be on their desktop.

179
00:11:08,170 --> 00:11:09,460
So let me run there.

180
00:11:09,460 --> 00:11:10,270
And here you go.

181
00:11:10,540 --> 00:11:12,240
Route Steve.

182
00:11:12,550 --> 00:11:14,140
Let me just try to type it.

183
00:11:14,140 --> 00:11:15,460
It's like catting it.

184
00:11:15,460 --> 00:11:17,560
OK, so here you go.

185
00:11:17,590 --> 00:11:18,760
This is the route FLAC.

186
00:11:18,760 --> 00:11:20,110
This is Dedman FLAC.

187
00:11:20,440 --> 00:11:27,970
We owned this system in this machine, as you can see, took us a lot of time because we were trying

188
00:11:27,970 --> 00:11:35,200
to understand the theory behind it or the trying to find the exploits that can be helpful for us.

189
00:11:35,560 --> 00:11:43,300
And if it didn't work, if this didn't work, I would go for the elevator and for the other ones here

190
00:11:43,300 --> 00:11:43,810
as well.

191
00:11:44,320 --> 00:11:46,540
Maybe you were going to have to try a lot of things.

192
00:11:46,540 --> 00:11:51,790
Maybe you're going to have to search a lot of things in the Google in order to understand how to leverage

193
00:11:51,790 --> 00:11:53,110
all of those exploits.

194
00:11:53,560 --> 00:11:57,330
Maybe you won't even have a mature position.

195
00:11:57,340 --> 00:11:59,680
So you're going to have to do this manually.

196
00:11:59,920 --> 00:12:01,990
But again, it's a good practice.

197
00:12:02,380 --> 00:12:06,940
So we're going to stop here, but we're going to continue learning about privileges, escalation in

198
00:12:06,940 --> 00:12:08,890
Windows machines in the next lecture.