1 00:00:01,020 --> 00:00:01,380 Hi.
2 00:00:01,920 --> 00:00:08,610 Right now, we are in the Meterpreter and we gathered all the information regarding privilege escalation
3 00:00:08,610 --> 00:00:09,280 over here.
4 00:00:09,690 --> 00:00:14,490 So within this lecture, we're going to try and become administrator in the Windows machine that we
5 00:00:14,490 --> 00:00:14,950 hacked.
6 00:00:15,420 --> 00:00:21,180 So over here, we have the Metasploit suggester and we have the other suggester here as well.
7 00:00:21,600 --> 00:00:25,070 OK, so we know Windows Exploit Suggester is over here.
8 00:00:25,710 --> 00:00:32,940 So if you just put them side by side, you can compare them to see what kind of similarities we have
9 00:00:32,940 --> 00:00:33,450 over here.
10 00:00:33,450 --> 00:00:39,180 Like we have this MS11..., MS..., 59, 61.
11 00:00:39,390 --> 00:00:45,200 And over here we have the same thing, like MS10-092, 53.
12 00:00:45,510 --> 00:00:49,680 OK, so these are codes for the different kinds of exploits.
13 00:00:50,040 --> 00:00:52,770 And we have the descriptions over here as well.
14 00:00:53,250 --> 00:00:56,430 So you can just go for either one.
15 00:00:56,430 --> 00:01:04,050 I'm going to go with the Metasploit suggester since we are in the Meterpreter shell, OK, because these are
16 00:01:04,050 --> 00:01:06,660 also built-in modules in Metasploit.
17 00:01:06,660 --> 00:01:11,900 So, for example, we can just find this kitrap0d in the Metasploit itself.
18 00:01:12,430 --> 00:01:18,210 Of course, I'm going to copy this and go to google.com in order to show you something, because
19 00:01:18,210 --> 00:01:25,140 you might think, what happens if I don't have a Meterpreter shell and if I have the kitrap0d for
20 00:01:25,140 --> 00:01:29,990 some reason available to me as an exploit, OK?
21 00:01:30,210 --> 00:01:31,620 So what happens?
22 00:01:31,860 --> 00:01:38,850 You can come over here to GitHub or Rapid7 in order to see what kitrap0d means or in order
23 00:01:38,850 --> 00:01:40,860 to see how to exploit it.
24 00:01:41,280 --> 00:01:41,700 Right.
25 00:01:41,710 --> 00:01:44,850 So there is Offensive Security over here.
26 00:01:44,940 --> 00:01:46,410 There's Exploit-DB.
27 00:01:46,710 --> 00:01:49,950 You can just take a look at all of those things.
28 00:01:50,460 --> 00:01:54,330 So in the Offensive Security source, it's what, Kali
29 00:01:54,330 --> 00:01:58,620 Linux, we can just use the commands as usual over here.
30 00:01:58,770 --> 00:02:01,920 And I believe this is the privilege escalation section.
31 00:02:02,340 --> 00:02:04,500 It tells about the getsystem.
32 00:02:04,500 --> 00:02:06,620 It tells about the local exploits.
33 00:02:07,080 --> 00:02:15,800 OK, so these are some of the options that we're going to be using during this lecture as well.
34 00:02:16,110 --> 00:02:24,120 So this actually lets you understand how to use the local exploits using the Metasploit one more
35 00:02:24,120 --> 00:02:26,180 time in the Offensive Security.
36 00:02:26,700 --> 00:02:31,740 OK, so if you don't know how to use it, you can just come along and just see for yourself.
37 00:02:31,980 --> 00:02:39,660 And again over here, for example, we have the available descriptions, we have the available codes.
38 00:02:39,900 --> 00:02:45,390 So it's not only working with the Metasploit; you can manually do this as well.
39 00:02:45,390 --> 00:02:52,770 But if you have a Meterpreter shell, then it's great to do it with Metasploit because it will be very easy
40 00:02:52,770 --> 00:02:53,430 for you.
41 00:02:53,940 --> 00:02:57,750 So you can try to understand the description over here.
42 00:02:57,960 --> 00:03:05,250 So understand how the kitrap0d vulnerability was discovered and how it works in theory as well.
43 00:03:05,250 --> 00:03:14,580 And most importantly, what kind of Windows versions does it affect, like Windows Server 2008, Windows
44 00:03:14,580 --> 00:03:15,720 XP, Windows...
45 00:03:15,720 --> 00:03:23,070 OK, you can see it for yourselves and you can just see the whole message over here.
46 00:03:23,580 --> 00:03:28,050 OK, and again, this kitrap0d is very popular.
47 00:03:28,050 --> 00:03:35,910 So this was, I believe, one of the first ones that we have seen in the list.
48 00:03:36,150 --> 00:03:39,360 So that's why I'm going to go with this first.
49 00:03:39,990 --> 00:03:43,710 And if it doesn't work, of course, it might not work.
50 00:03:43,710 --> 00:03:45,570 We're just going to go for the other ones.
51 00:03:46,170 --> 00:03:49,320 So over here, I'm going to go with this kitrap0d.
52 00:03:49,530 --> 00:03:52,260 OK, so I'm going to copy this.
53 00:03:53,040 --> 00:03:59,970 And if you read the description, it says that the service is running but could not be verified.
54 00:04:00,270 --> 00:04:02,760 So we're going to just try, OK?
55 00:04:02,760 --> 00:04:07,710 For some reason, I have exited this Meterpreter session.
56 00:04:07,710 --> 00:04:10,140 OK, so I have to open it one more time.
57 00:04:10,410 --> 00:04:13,230 So I'm going to just run this one more time.
58 00:04:13,470 --> 00:04:16,320 So I believe we are in the session four right now.
59 00:04:16,320 --> 00:04:16,590 Yep.
60 00:04:16,590 --> 00:04:17,270 Here you go.
61 00:04:17,490 --> 00:04:22,740 Now, if you want to go out of a session, you can always run background.
62 00:04:22,740 --> 00:04:29,940 And by the way, I just made sure that we are running this as IIS AppPool, not as administrator or something
63 00:04:29,940 --> 00:04:30,480 like that.
64 00:04:30,870 --> 00:04:32,340 So just run background.
65 00:04:32,340 --> 00:04:39,060 Now, your session can be seen in the sessions list, OK, so you can come back to your session anytime
66 00:04:39,060 --> 00:04:39,630 you want.
67 00:04:39,630 --> 00:04:42,000 That's how you don't lose your session.
68 00:04:42,480 --> 00:04:47,340 Now, I'm going to run this, OK, so I'm going to copy this, OK?
69 00:04:47,370 --> 00:04:50,610 And I'm going to try and go into that module.
70 00:04:50,610 --> 00:04:54,180 And by the way, this schelevator is another popular one.
71 00:04:54,420 --> 00:04:58,740 If it doesn't work, if the kitrap0d doesn't work, of course, I'm going to go with this
72 00:04:58,740 --> 00:04:59,720 schelevator.
73 00:04:59,810 --> 00:05:05,990 And over here, we have some other suggestions as well; we can try them all.
74 00:05:06,350 --> 00:05:16,520 So let me clear this thing up and just use the exploit windows local kitrap0d.
75 00:05:16,970 --> 00:05:25,160 OK, now we are in the kitrap0d module, OK, if we go to the Kali Linux documentation over here,
76 00:05:25,490 --> 00:05:31,340 it says that you have to just make sure you set the session, set the payload and the other stuff.
77 00:05:31,790 --> 00:05:33,500 So I'm going to say show options.
78 00:05:33,980 --> 00:05:34,700 Here you go.
79 00:05:34,880 --> 00:05:38,400 We have to specify the session that we are currently running.
80 00:05:38,780 --> 00:05:43,010 So if you might remember, our session is in the background with session four.
81 00:05:43,280 --> 00:05:45,980 So I'm going to set the session to that.
82 00:05:46,010 --> 00:05:53,990 So if you run sessions, yours must be different because I had to open and close it a lot of
83 00:05:53,990 --> 00:05:54,980 times, OK?
84 00:05:55,400 --> 00:05:59,900 So right now, if I say show options, it will be displayed over here.
85 00:06:00,350 --> 00:06:04,070 So over here we have to set the LHOST and LPORT.
86 00:06:04,430 --> 00:06:10,400 So I'm going to open the ifconfig and see what kind of tun0 IP I have over here, 10.10.14.
87 00:06:10,400 --> 00:06:10,990 19.
88 00:06:11,240 --> 00:06:13,870 So I'm going to set my LHOST to my tun0.
89 00:06:14,210 --> 00:06:20,080 You can try to write tun0 over here as well, but I believe this is a better way to do it.
90 00:06:20,480 --> 00:06:26,020 So I'm going to change the LPORT to something else, or maybe we can leave it as it is.
91 00:06:26,330 --> 00:06:28,100 I don't remember if we're...
92 00:06:28,100 --> 00:06:28,820 Yeah, here you go.
93 00:06:28,830 --> 00:06:30,680 We have used 4242.
94 00:06:31,340 --> 00:06:36,470 Maybe we can just leave this as it is, 4444, or you can change it to one, two, three,
95 00:06:36,470 --> 00:06:36,860 four.
96 00:06:37,250 --> 00:06:41,160 It really doesn't matter as long as you find a working port.
97 00:06:41,780 --> 00:06:49,580 So I'm going to say show payloads and we have a lot of payloads over here.
98 00:06:49,580 --> 00:06:51,590 So I'm going to say show options.
99 00:06:51,890 --> 00:06:52,670 Let me see.
100 00:06:53,450 --> 00:06:55,130 We have the module and here you go.
101 00:06:55,130 --> 00:06:57,020 Yeah, we have the payload over here.
102 00:06:57,020 --> 00:07:00,710 We know Meterpreter reverse_tcp, this is fine.
103 00:07:00,710 --> 00:07:06,500 If you don't see it in these options, you can say set payload to this.
104 00:07:06,770 --> 00:07:10,460 I'm going to exploit this and see if we get a session back.
105 00:07:11,030 --> 00:07:12,350 So good.
106 00:07:12,350 --> 00:07:15,710 It says exploit completed, but no session was created.
107 00:07:16,070 --> 00:07:19,310 So there can be a couple of reasons for this.
108 00:07:19,580 --> 00:07:23,180 Maybe it doesn't work here, OK?
109 00:07:23,180 --> 00:07:25,010 Maybe it doesn't work here.
110 00:07:25,400 --> 00:07:28,610 Maybe we have to run exploit -j -z, OK.
111 00:07:28,610 --> 00:07:31,130 And then just list the sessions.
112 00:07:31,520 --> 00:07:37,640 Now we see only one session for now. I'm going to say show options.
113 00:07:38,270 --> 00:07:42,260 And over here, let me check the tun0 over here.
114 00:07:42,830 --> 00:07:43,130 Yeah.
115 00:07:43,130 --> 00:07:44,750 It's actually good.
116 00:07:44,900 --> 00:07:49,850 I'm going to change the LPORT to something else like 1234 and try with that.
117 00:07:50,360 --> 00:07:58,850 OK, I'm going to exploit this one more time in the background and let me just run sessions -l. Nope.
118 00:07:58,850 --> 00:08:01,100 We don't see it, as you can see.
119 00:08:01,940 --> 00:08:04,400 So again, maybe it doesn't work.
120 00:08:04,400 --> 00:08:06,320 Maybe we're doing something wrong.
121 00:08:06,410 --> 00:08:08,900 Maybe we have to just try it one more time.
122 00:08:09,440 --> 00:08:10,100 I don't know.
123 00:08:10,490 --> 00:08:15,800 Maybe we have lost the connection to the server, lost the session four.
124 00:08:16,070 --> 00:08:17,630 Maybe we can try that.
125 00:08:18,020 --> 00:08:19,790 So it happened before, right?
126 00:08:20,090 --> 00:08:21,170 Just out of the blue.
127 00:08:21,350 --> 00:08:25,730 Our session has been closed to the Hack The Box servers.
128 00:08:26,030 --> 00:08:29,480 So we had to just connect one more time.
129 00:08:29,870 --> 00:08:37,100 And after trying that, if it doesn't work as well, we can go for the schelevator or any other exploit
130 00:08:37,110 --> 00:08:39,110 suggestions that we see over here.
131 00:08:40,160 --> 00:08:46,580 So, for example, if you come over here and just say sessions -l, we don't see it, OK?
132 00:08:46,880 --> 00:08:52,970 And I'm going to go into the session four. I'm going to run a command to see if I lost the connection
133 00:08:52,970 --> 00:08:53,660 over here.
134 00:08:54,770 --> 00:08:55,790 Yeah, here you go.
135 00:08:55,790 --> 00:08:58,940 I believe we actually lost the connection.
136 00:08:59,270 --> 00:09:03,350 If I run getuid, it doesn't respond to me.
137 00:09:04,310 --> 00:09:09,200 So for some reason, I believe we cannot connect to the server.
138 00:09:09,200 --> 00:09:11,150 And as you can see now, it's dead.
139 00:09:11,870 --> 00:09:12,230 So.
140 00:09:12,240 --> 00:09:18,890 Well, what I'm going to do, I'm going to go back to my multi handler one more time and try to open
141 00:09:18,890 --> 00:09:20,450 the connection one more time.
142 00:09:20,810 --> 00:09:21,710 It happens.
143 00:09:21,950 --> 00:09:26,420 OK, so I'm going to show the options and here you go.
144 00:09:26,420 --> 00:09:28,130 So LHOST is correct.
145 00:09:28,370 --> 00:09:30,620 I'm going to exploit this, OK.
146 00:09:31,070 --> 00:09:34,040 And I'm going to connect with my exploit one more time.
147 00:09:34,700 --> 00:09:35,570 So here you go.
148 00:09:35,570 --> 00:09:36,770 Session five opens.
149 00:09:37,040 --> 00:09:43,790 I'm going to directly go to the kitrap0d module over here.
150 00:09:44,150 --> 00:09:45,350 So let me find it.
151 00:09:45,710 --> 00:09:46,640 Yeah, here you go.
152 00:09:46,640 --> 00:09:53,990 Now I'm going to show options and we have to change the session because it's stuck on four over here.
153 00:09:53,990 --> 00:09:59,180 I'm going to say set session to five and the rest is good.
154 00:09:59,180 --> 00:09:59,540 I'm just...
155 00:09:59,620 --> 00:10:10,840 And then exploit this and see, here you go, it says that session six opens, if I say, yep,
156 00:10:10,840 --> 00:10:11,430 here you go.
157 00:10:11,440 --> 00:10:14,410 Now we see the NT AUTHORITY\SYSTEM over here.
158 00:10:14,430 --> 00:10:15,490 So this is root.
159 00:10:15,610 --> 00:10:17,020 This is administrator.
160 00:10:17,350 --> 00:10:19,240 So I'm going to go into the session six.
161 00:10:19,480 --> 00:10:22,790 I'm going to say getuid and we are NT AUTHORITY\SYSTEM.
162 00:10:23,320 --> 00:10:24,570 So far, so good.
163 00:10:24,570 --> 00:10:27,470 So let me try and see if we can go to shell.
164 00:10:27,520 --> 00:10:27,820 Yep.
165 00:10:27,820 --> 00:10:28,540 Here you go.
166 00:10:28,870 --> 00:10:29,800 Now I will
167 00:10:29,800 --> 00:10:30,250 run whoami.
168 00:10:30,370 --> 00:10:31,900 NT AUTHORITY.
169 00:10:32,380 --> 00:10:38,950 And I'm going to try and see if we can go to the Administrator folder so that you can see where the
170 00:10:38,950 --> 00:10:42,610 flags are located under Hack The Box machines.
171 00:10:42,610 --> 00:10:48,070 So I'm going to go to C: and from there I'm going to go to Users.
172 00:10:48,490 --> 00:10:49,880 I'm going to run dir.
173 00:10:50,050 --> 00:10:50,730 Here you go.
174 00:10:50,740 --> 00:10:53,460 Now, let's see if we can go to Administrator.
175 00:10:54,370 --> 00:10:59,170 OK, and yeah, I believe I misspelled that.
176 00:10:59,170 --> 00:11:02,930 So let me try this one more time, like this.
177 00:11:03,280 --> 00:11:03,940 Here you go.
178 00:11:03,940 --> 00:11:08,170 Now, I can run this over here, so it should be on their Desktop.
179 00:11:08,170 --> 00:11:09,460 So let me run dir.
180 00:11:09,460 --> 00:11:10,270 And here you go.
181 00:11:10,540 --> 00:11:12,240 root.txt.
182 00:11:12,550 --> 00:11:14,140 Let me just try to type it.
183 00:11:14,140 --> 00:11:15,460 It's like catting it.
184 00:11:15,460 --> 00:11:17,560 OK, so here you go.
185 00:11:17,590 --> 00:11:18,760 This is the root flag.
186 00:11:18,760 --> 00:11:20,110 This is the admin flag.
187 00:11:20,440 --> 00:11:27,970 We owned this system. This machine, as you can see, took us a lot of time because we were trying
188 00:11:27,970 --> 00:11:35,200 to understand the theory behind it, or trying to find the exploits that can be helpful for us.
189 00:11:35,560 --> 00:11:43,300 And if it didn't work, if this didn't work, I would go for the schelevator and for the other ones here
190 00:11:43,300 --> 00:11:43,810 as well.
191 00:11:44,320 --> 00:11:46,540 Maybe you're going to have to try a lot of things.
192 00:11:46,540 --> 00:11:51,790 Maybe you're going to have to search a lot of things on Google in order to understand how to leverage
193 00:11:51,790 --> 00:11:53,110 all of those exploits.
194 00:11:53,560 --> 00:11:57,330 Maybe you won't even have a Meterpreter session.
195 00:11:57,340 --> 00:11:59,680 So you're going to have to do this manually.
196 00:11:59,920 --> 00:12:01,990 But again, it's a good practice.
197 00:12:02,380 --> 00:12:06,940 So we're going to stop here, but we're going to continue learning about privilege escalation in
198 00:12:06,940 --> 00:12:08,890 Windows machines in the next lecture.