1
00:00:00,690 --> 00:00:09,090
Hi, we did this lecture, we're going to continue exploring the other vulnerabilities that we see in

2
00:00:09,090 --> 00:00:10,260
this digital machine.

3
00:00:10,260 --> 00:00:11,880
I'm still in the wind machine.

4
00:00:12,120 --> 00:00:13,700
I'm logged in as a user.

5
00:00:13,710 --> 00:00:20,400
If you don't have that station currently going on right now, just open another interpretational with

6
00:00:20,400 --> 00:00:21,780
running your SBX.

7
00:00:22,050 --> 00:00:27,840
And this is the reason why we have chosen this machine in the first place, because it has more than

8
00:00:27,840 --> 00:00:31,200
one vulnerabilities in order to escalate your privilege.

9
00:00:31,650 --> 00:00:34,110
And I'm going to continue looking for those.

10
00:00:34,110 --> 00:00:40,560
And Regans specifically focus on potatoe attacks because it can be found in caves and Pantex as well.

11
00:00:40,800 --> 00:00:42,540
And that is this one.

12
00:00:42,540 --> 00:00:46,300
So M 16 also in five is a reflection.

13
00:00:46,860 --> 00:00:52,710
OK, so it says that target appears to be vulnerable and we're going to focus on that one and we're

14
00:00:52,710 --> 00:01:00,180
going to see how to exploit it automatically if you actually have to.

15
00:01:00,210 --> 00:01:03,400
Later on, I'm going to show you how to do it manually as well.

16
00:01:03,930 --> 00:01:08,790
So if I search for that on Google, I'm going to go to report seven.

17
00:01:08,790 --> 00:01:10,320
I'm going to go to GetUp!

18
00:01:10,320 --> 00:01:13,490
In order to show you what potatoe attacks meet.

19
00:01:14,490 --> 00:01:19,700
OK, so let me just come over here and see if we have a good description over there.

20
00:01:21,450 --> 00:01:22,830
I believe in the rep at seven.

21
00:01:22,840 --> 00:01:28,650
We only have a description or instruction, you know, to use this in the metal exploit.

22
00:01:28,920 --> 00:01:32,250
OK, I'm going to, of course, show you how to do this as well.

23
00:01:32,580 --> 00:01:36,300
But I'm going to find another thing over here.

24
00:01:36,300 --> 00:01:37,460
Maybe this is good.

25
00:01:38,010 --> 00:01:43,260
So this module, we will abuse the same person privilege.

26
00:01:43,860 --> 00:01:48,830
So it is a commonly found vulnerability in services.

27
00:01:48,960 --> 00:01:50,430
OK, I'd say so here.

28
00:01:50,430 --> 00:01:54,020
And it appears to be so in real life as well.

29
00:01:55,170 --> 00:01:58,020
So what do we mean by impersonation?

30
00:01:58,500 --> 00:02:06,510
So if we go to our interpreter show, OK, and I remember we have gathered information when we first

31
00:02:07,440 --> 00:02:12,440
hacked into the system and we had actually run, who am I?

32
00:02:12,810 --> 00:02:16,320
So if I can get your ID, you will see that I am the apple.

33
00:02:16,320 --> 00:02:18,780
I'm not an administrator or something like that.

34
00:02:19,440 --> 00:02:21,930
And we're going to talk about tokens.

35
00:02:21,930 --> 00:02:23,490
So tokens spell like this.

36
00:02:23,490 --> 00:02:27,930
And if you don't know what the token is, think about the Web applications.

37
00:02:28,200 --> 00:02:36,540
So it actually is a tool that defines our authentication, our user identity.

38
00:02:36,780 --> 00:02:43,160
So if you go to a website, if you make a request to a server, generally, most of the time you get

39
00:02:43,170 --> 00:02:44,100
a token back.

40
00:02:44,460 --> 00:02:49,760
And that's how a server understands that requests are coming from you.

41
00:02:49,770 --> 00:02:51,510
So it responds to you.

42
00:02:51,960 --> 00:02:58,350
Think of it like a cookie and it actually is valid in the window system as well.

43
00:02:58,680 --> 00:03:04,370
So you get a token as a user and other users get a token as well.

44
00:03:04,530 --> 00:03:14,160
OK, so another thing over here is that you can actually impersonate some other users using their token.

45
00:03:15,240 --> 00:03:20,280
So this isn't actually a vulnerability, I'm going to show you that, first of all, you're going to

46
00:03:20,280 --> 00:03:28,020
have to run this load incognito because we're going to have to want to display this tokens by running

47
00:03:28,020 --> 00:03:29,160
this list.

48
00:03:29,280 --> 00:03:30,570
Tokens dash you.

49
00:03:30,570 --> 00:03:32,130
And there is the underscore between.

50
00:03:32,130 --> 00:03:38,970
It lists tokens that you so as you can see, the tokens are available to me is Apple.

51
00:03:38,970 --> 00:03:46,090
And there is an in-person impersonation tokens available as well, which is authority user.

52
00:03:46,650 --> 00:03:51,410
So this impersonation tokens aren't necessarily a vulnerability.

53
00:03:51,410 --> 00:03:56,280
It can be used effectively in server administration as well.

54
00:03:56,550 --> 00:04:00,600
But if there's some mistake, then we can take leverage off that.

55
00:04:00,600 --> 00:04:08,130
We can impersonate the administrator user and without even having to know the administrators password

56
00:04:08,370 --> 00:04:15,780
and without even knowing to have their names, admin names, we can just impersonate them and we can

57
00:04:15,780 --> 00:04:21,060
be admin or we can run any comment as admin in a way that we want.

58
00:04:21,540 --> 00:04:28,140
So in order to do that, first of all, we need to make sure that this is vulnerable.

59
00:04:28,150 --> 00:04:30,180
This is available to us.

60
00:04:30,660 --> 00:04:37,820
And we have seen the first sign in the methods deployed and for the other windows exploit suggested,

61
00:04:37,830 --> 00:04:41,190
we see that this is open to potatoe attacks.

62
00:04:41,570 --> 00:04:49,500
OK, so now I'm going to go into a shell around where my so I ask Apple and I'm going to run away my

63
00:04:49,530 --> 00:04:50,520
slash prive.

64
00:04:50,880 --> 00:04:53,370
So you remember this command?

65
00:04:53,370 --> 00:05:00,710
I said that we were going to use it and over here we're going to have to look for this, impersonate

66
00:05:00,720 --> 00:05:04,110
a client after authentication, impersonate privilege.

67
00:05:04,320 --> 00:05:06,960
So it has to be enabled for some reason.

68
00:05:06,960 --> 00:05:08,700
I'm seeing everything enabled right now.

69
00:05:08,700 --> 00:05:13,920
But if you remember at the first when we hacked in, this was enabled by default.

70
00:05:13,950 --> 00:05:23,040
OK, so if this is enabled and if there is a way to gather the administrator token, then we can run

71
00:05:23,040 --> 00:05:23,730
this attack.

72
00:05:23,730 --> 00:05:27,550
And this attack is called potatoe attack for some reason.

73
00:05:27,980 --> 00:05:36,780
OK, so we can run a potato attack if we can see this table over here, if we are sure that these are

74
00:05:36,780 --> 00:05:44,730
enabled for us, I mean, this is enabled for us and we can try to impersonate the admin itself so that

75
00:05:44,730 --> 00:05:46,500
we can escalate our privilege.

76
00:05:46,860 --> 00:05:50,310
Now, I'm going to exit out of this one into the interpreter.

77
00:05:50,520 --> 00:05:52,300
I'm going to run get prints.

78
00:05:52,320 --> 00:05:56,160
And this is how you see the current privileges in the interpreter as well.

79
00:05:56,190 --> 00:06:02,670
OK, so you don't necessarily have to go into the windows shell and just around who am I?

80
00:06:03,630 --> 00:06:07,590
You can also get prints in order to see your current privileges.

81
00:06:07,950 --> 00:06:12,820
And once you impersonate privilege over there, then you are good to go.

82
00:06:13,320 --> 00:06:16,090
Now we can do this easily in the interpretation.

83
00:06:16,380 --> 00:06:20,250
OK, we can run this potatoe attack in a very easy way.

84
00:06:20,730 --> 00:06:24,110
But it's spelled like this, by the way.

85
00:06:24,110 --> 00:06:29,300
It's actually a potato, but I'm going to show you the manual way as well.

86
00:06:29,550 --> 00:06:37,470
So if you run potato attack something like maybe with a Windows on Google, you can see a lot of resources

87
00:06:37,470 --> 00:06:39,480
over here, like five million results.

88
00:06:39,720 --> 00:06:45,910
So I'm going to go for this hot potato and let's see what we have, what we have here.

89
00:06:46,380 --> 00:06:51,900
So it says that potato privilege escalation on Windows seven, eight and ten.

90
00:06:52,200 --> 00:06:56,280
So server 2008, 2012.

91
00:06:56,640 --> 00:07:03,020
And as you can see, there are some detailed explanations, technical explanations about this attack.

92
00:07:03,360 --> 00:07:06,810
You can actually read this if you want in your own time.

93
00:07:07,080 --> 00:07:11,000
It will be great for you to understand the theory behind it.

94
00:07:11,370 --> 00:07:18,030
We have this hot potato, we know spillage escalation tutorial or some kind of blog over here.

95
00:07:18,510 --> 00:07:25,440
So we see it actually is valid for like almost every Windows version over here.

96
00:07:25,800 --> 00:07:29,010
And it's not about aversion.

97
00:07:29,010 --> 00:07:30,930
It's not about a security patch.

98
00:07:30,930 --> 00:07:35,220
Again, it's kind of a misconfiguration by the administrator user.

99
00:07:36,120 --> 00:07:47,220
It also gives us instructions about how to take leverage of this in a real life example or in no interpretor

100
00:07:47,220 --> 00:07:49,270
shall example, I believe.

101
00:07:49,500 --> 00:07:52,490
OK, and let's see what else we have over here.

102
00:07:53,130 --> 00:07:56,820
OK, we have another pentathlete that block.

103
00:07:57,210 --> 00:08:06,000
So it's kind of a blog and we see we can actually run this potato that exi in a way that is that has

104
00:08:06,000 --> 00:08:07,320
been displayed over here.

105
00:08:07,920 --> 00:08:14,640
So if we go to first thing that we have found, foxgloves, security, potato.

106
00:08:15,210 --> 00:08:17,860
We can see under binaries over here.

107
00:08:17,880 --> 00:08:24,920
I'm going to share dealing with you guys and we we have the potato that you don't have to do that,

108
00:08:24,930 --> 00:08:25,370
OK?

109
00:08:25,860 --> 00:08:30,420
It's easily done with the interpreter, again, that I'm going to show you.

110
00:08:30,420 --> 00:08:31,620
If you had to.

111
00:08:31,920 --> 00:08:32,990
If we had to.

112
00:08:33,030 --> 00:08:36,030
You can just follow along this as well.

113
00:08:36,180 --> 00:08:42,490
Like potato type commands, disable exhaust or something like that.

114
00:08:42,510 --> 00:08:47,100
There are a lot of parameters that you should run in order to make this work.

115
00:08:47,310 --> 00:08:56,100
You can try this, OK, tries to disable the defender if tries to run the potato Yuxi and it tries to

116
00:08:56,100 --> 00:08:57,680
escalate your privilege in a way.

117
00:08:58,380 --> 00:09:01,770
OK, we're going to do this with metal split, as I said before.

118
00:09:02,010 --> 00:09:04,890
But I just want to show you something else as well.

119
00:09:05,220 --> 00:09:07,530
So I'm going to go into the shell, OK?

120
00:09:07,830 --> 00:09:13,110
And we are under the window temp, so I'm going to run short util.

121
00:09:13,680 --> 00:09:15,150
So you don't know that.

122
00:09:15,150 --> 00:09:18,030
And this is one of the reasons why I'm showing you this.

123
00:09:18,030 --> 00:09:27,180
OK, so if you run short util, that's your out cash dash dash f and then specify A you're.

124
00:09:28,230 --> 00:09:36,630
OK, so let me find out, you are to specify I believe we have to just download this Potato Yuxi to

125
00:09:36,630 --> 00:09:39,390
our Windows or Linux machine.

126
00:09:39,720 --> 00:09:41,750
OK, let's see if we can do that.

127
00:09:42,180 --> 00:09:45,300
And then I'm going to download this file.

128
00:09:45,480 --> 00:09:49,220
Let me just say open because Khalid won't let me open.

129
00:09:49,230 --> 00:09:55,230
Otherwise I'm going to take this potato Yuxi, OK, I'm going to cut this and I'm going to put this

130
00:09:55,230 --> 00:10:01,980
on under my bar w w double W HDMI, which is why which is the root of my web server.

131
00:10:02,050 --> 00:10:10,740
OK, so I'm in the callisthenics, I'm going around service Apache to start, so it starts my web server.

132
00:10:11,160 --> 00:10:20,580
Now if I actually just specify this IP address, which is my turn zero from the interpreter, I can

133
00:10:20,580 --> 00:10:21,330
download it.

134
00:10:21,690 --> 00:10:28,050
Right, so 10, 10, 14, 19 and slash potato that xy.

135
00:10:28,800 --> 00:10:33,520
So I'm going to call this potato that XY and here you go.

136
00:10:34,230 --> 00:10:35,970
So why did I show you this?

137
00:10:36,300 --> 00:10:39,610
Because this is like the equivalent of the we get.

138
00:10:39,740 --> 00:10:42,660
OK, we don't need this right now.

139
00:10:42,660 --> 00:10:43,980
You don't have to do that.

140
00:10:44,400 --> 00:10:46,740
And let me run the IP config over here.

141
00:10:46,740 --> 00:10:48,690
So minus 10, 10, 10, five.

142
00:10:48,690 --> 00:10:50,270
So, yep, this is good.

143
00:10:50,670 --> 00:10:51,960
You don't have to do that.

144
00:10:51,960 --> 00:10:55,960
But if you need to, you should know how to do it.

145
00:10:56,390 --> 00:11:03,110
OK, so over here I have the let me try to start this one more time.

146
00:11:03,120 --> 00:11:05,250
Yes, Ted, this is running.

147
00:11:05,520 --> 00:11:07,710
So I believe there is nothing wrong over here.

148
00:11:08,160 --> 00:11:10,280
And let me try that one more time.

149
00:11:10,290 --> 00:11:21,870
By the way, let me see if I misspelled insert util that the URL cache dash f htp um, ten, ten, 14,

150
00:11:21,870 --> 00:11:25,120
19 potatoe that xy.

151
00:11:25,140 --> 00:11:25,980
Let me see.

152
00:11:26,020 --> 00:11:26,250
Yeah.

153
00:11:26,250 --> 00:11:28,790
Potatoe that EIC.

154
00:11:29,220 --> 00:11:36,480
OK, and now I'm going to call the spot XY and see if it works.

155
00:11:38,080 --> 00:11:38,610
Yep.

156
00:11:38,670 --> 00:11:41,760
I believe this is going to work again.

157
00:11:41,850 --> 00:11:44,130
Make sure you take a note of this sir.

158
00:11:44,140 --> 00:11:45,810
Teutul OK.

159
00:11:45,810 --> 00:11:53,790
Yeah it says that comment completed successfully so if we on there right now as you can see.

160
00:11:53,820 --> 00:11:54,030
Yeah.

161
00:11:54,030 --> 00:11:56,760
Pury potatoe that X also here.

162
00:11:56,760 --> 00:12:01,520
So it didn't fail last time but had to do it again just to make sure.

163
00:12:02,130 --> 00:12:05,220
So again, why did I do that.

164
00:12:05,550 --> 00:12:13,170
If I had to, if I didn't have a metal plate or interpretation opened then I should have done well done

165
00:12:13,170 --> 00:12:15,680
this with the Potato Yuxi.

166
00:12:16,110 --> 00:12:18,390
I remember how we go to Windows.

167
00:12:18,390 --> 00:12:19,920
Stop like this.

168
00:12:19,920 --> 00:12:26,910
If you cannot go to Windows Campi just make sure you run this in order to run the search util because

169
00:12:27,090 --> 00:12:32,480
that's how you actually create a file, that's how you actually get a permission to write that file.

170
00:12:33,510 --> 00:12:39,210
So anyway, if I didn't have the interpreter then I would have gone forward that way.

171
00:12:39,330 --> 00:12:46,680
But since I have the interpretation, OK, I'm going to go with this thing over here, so I'm going

172
00:12:46,680 --> 00:12:48,420
to get this into background.

173
00:12:48,630 --> 00:12:55,270
So I'm in the Section two and I'm going to show you how to run this in the windows in the split.

174
00:12:55,530 --> 00:13:01,140
So we're going out to find first the module name, which is M sixteen, also in the fight for your flexion.

175
00:13:01,470 --> 00:13:05,520
So I believe you're going to have to make peace.

176
00:13:05,520 --> 00:13:09,450
And remember that because this is a very particular one.

177
00:13:09,450 --> 00:13:11,040
It's about potato attacks.

178
00:13:11,280 --> 00:13:20,520
OK, once you go over here to my sixteen seventy five reflection, then it says that no payload configured

179
00:13:20,520 --> 00:13:24,990
defaulting to Windows Interpretor reverse TCP, which is good for us.

180
00:13:25,200 --> 00:13:27,030
But if you say so, options.

181
00:13:27,030 --> 00:13:30,120
And if you don't see the payload, you can always set the payload.

182
00:13:30,460 --> 00:13:33,360
So I'm going to set station to two, which is my current station.

183
00:13:33,540 --> 00:13:38,280
I'm going to set my elbows to 10 to 14, 19 Alpert's.

184
00:13:38,280 --> 00:13:41,460
We can change that part or we can just leave it like this.

185
00:13:41,850 --> 00:13:50,310
OK, I'm going to exploit it and see if we can manage to become rudes or at least we can manage to gather

186
00:13:50,310 --> 00:13:54,090
the administrator token.

187
00:13:55,110 --> 00:13:57,740
So it says, that's my interpretation on point.

188
00:13:57,750 --> 00:14:00,660
If I run, get the idea, I'm still it's Apple.

189
00:14:01,290 --> 00:14:08,580
So let's do this and let's see if we can actually become the administrator, because I believe right

190
00:14:08,580 --> 00:14:12,720
now we get the token and we have to use it.

191
00:14:12,720 --> 00:14:15,930
So I'm going to go into the Incognito one more time.

192
00:14:16,470 --> 00:14:20,130
So later on I'm going to list the tokens.

193
00:14:20,130 --> 00:14:20,940
That's you.

194
00:14:21,390 --> 00:14:22,470
And here you go.

195
00:14:22,470 --> 00:14:26,640
Now, the impersonation tokens available is showing the.

196
00:14:27,890 --> 00:14:37,110
User and altered the system, so I'm going to say impersonate, OK, impersonate token under underscore

197
00:14:37,130 --> 00:14:42,050
token, and I'm going to paste this thing in within sight of the quotation marks.

198
00:14:42,770 --> 00:14:44,630
And here you go.

199
00:14:44,630 --> 00:14:47,810
It says that successfully impersonated the user of the system.

200
00:14:48,320 --> 00:14:49,580
Now, let's try this.

201
00:14:49,580 --> 00:14:52,090
Let's see if we are actually the administrator.

202
00:14:52,280 --> 00:14:53,050
Here we go.

203
00:14:53,060 --> 00:14:54,460
We are the administrator.

204
00:14:54,470 --> 00:14:57,380
OK, so we are the administrator.

205
00:14:57,380 --> 00:14:58,940
I'm going to go back into the shell.

206
00:14:59,240 --> 00:14:59,960
I'm going around.

207
00:14:59,960 --> 00:15:00,550
Who am I?

208
00:15:00,770 --> 00:15:02,240
We are the administrator.

209
00:15:02,690 --> 00:15:09,440
You can actually verify this by going into the users, into the administrator folder.

210
00:15:09,440 --> 00:15:12,740
If you can go over here, that means your admin.

211
00:15:13,310 --> 00:15:20,690
So if you go to the desktop, if you run there, you will see the router and you can just type it.

212
00:15:21,650 --> 00:15:22,640
Here you go.

213
00:15:23,060 --> 00:15:26,180
Now, again, one more time, we managed to become rude.

214
00:15:26,180 --> 00:15:31,970
I mean, administrator in windows and we used potato attacks in order to do that.

215
00:15:32,270 --> 00:15:36,740
This is a common mistake that you can actually observing the real systems as well.

216
00:15:36,980 --> 00:15:39,380
So you better understand how to use it.

217
00:15:39,740 --> 00:15:42,860
And I believe we covered every aspect of it.

218
00:15:43,340 --> 00:15:49,130
Now we're going to stop here, but we're going to continue with the privilege escalation in Windows

219
00:15:49,130 --> 00:15:51,950
again in the next lecture together.