Welcome back. Time to see how we can try to elevate our privileges on the target machine.

But before we do that, I just want to play you this recording that we recorded in the previous video using Meterpreter and the record_mic command, just to see that we indeed managed to record the sound on the target machine. So if I play it... This will start recording and it should capture what I'm speaking at the moment into the microphone. You can see it did manage to record it. Now, it is not that high quality of a sound, but nonetheless we can hear what the target spoke into the microphone.

Nonetheless, let's get back to the privileges. Privilege escalation is a big topic and a more advanced topic. There are many advanced techniques that can be used to try to elevate privileges. However, we're going to be covering the scripts we can use to automate those processes; all of those scripts we have available inside the Metasploit Framework. Now, usually we don't know whether we can elevate privileges or not. Throughout the years, there have been many exploits that got patched for privilege escalation. However, maybe our target skipped some patch and is vulnerable to one of them. So what we are left with is just to try all of those scripts out and see if some of them work.

What we can do to search for the privilege escalation exploits is we first background this session that we got with our Windows 10 machine, and we can type search bypassuac. What does this mean? Well, UAC is User Account Control, and these exploits that we will find are used to bypass it, which could allow us to elevate our program privileges to the system level.

Another thing I like to search is to type search and then the year that we are currently in. Since we are at the end of 2020, we can type search 2020. And this will list out all the modules that came out this year. Inside of these modules we will have everything. So what we want to search and filter out is Windows exploits, and preferably local Windows exploits, as we can see right here. What does local mean? It means it's getting executed on the system itself. Usually these types of local exploits try to elevate privileges. For example, here we can see a few of them, such as exploit/local and then this name up here. We got another local exploit, and many more are right here. And we can also see the SMBGhost exploit.

Now, I know what you're thinking. I did say that the Metasploit Framework doesn't have an SMBGhost module. Well, that wasn't true. However, this module is a local exploit, and it's only useful after you're already on the target machine. As we can see, it is an exploit for Windows, but it is also a local exploit. The one that we covered is the same vulnerability inside the server, and we just exploited it remotely from another computer to gain a shell. But let's test it out just to see whether we manage to elevate our privileges using this exploit.

So to use it, we can type use and paste the exploit. Just make sure that you've got the active session with the target machine. As you can see right here, I've got session 1 active on the user account of the Windows 10 machine. If I type show info for this exploit, we can read that this is a vulnerability that exists within the Microsoft Server Message Block 3.1.1 protocol that can be leveraged to execute code on a vulnerable server. So we can see the targets right here. And all we need to set is the session ID. To do that, we can type the sessions command, check out the session ID that we got, and type set session 1. If I type run to execute this local exploit... well, it seems that it did something, but we didn't get a shell back, so we can assume it doesn't work. Let's try another one.

If I type search 2020, and, for example, let's say I'm going to use this one, which is the exploit/windows/local CVE-2020 service tracing module. And the reason why I'm using this one is because down here it says "privilege elevation vulnerability". So this can be used to elevate privileges in case our target machine is vulnerable. Let's check it out: press enter, type show info just to check out what this module does. And this module leverages a trusted file overwrite with a DLL hijacking vulnerability to gain SYSTEM-level access on vulnerable Windows 10 64-bit targets. So our targets do match, and we do want to gain SYSTEM-level access. So let's see whether this will work.

There is only one thing that we must set, and that is required, and that option is session. So let's type set session 1, press enter and run the exploit: it failed to validate LHOST. So let's type show options just to see which payload we got. And we need to set our LHOST to the 192.168.x.12 address, which is the IP address of my Linux machine. Now, also make sure that the LPORT is different than the port that you've got active inside of a session. Since I've got port 5555 active in the current session, I can specify 4444 right here. But if your Meterpreter session is running on port 4444, you need to specify a different local port. Otherwise none of these exploits will work. So I can leave it on 4444 and type run. And it seems that this one doesn't work either.

Let's try one from the UAC bypass exploits, so I'll type search bypassuac, and here are obviously all of the exploits for User Account Control bypass. Now, you can go ahead and try all of these local Windows bypassuac exploits to see which ones work. Just make sure you read the information about them first before running them. But what I'm going to use in this case is this fodhelper bypassuac. It is from 2017, and it has shown to work a lot of times in my personal experience. So we'll copy the name, type use, and then I will paste the name right here, press enter. It configured the payload, and let's give it a try. If I type show info just to see what it does, it will tell me this module will bypass Windows 10 User Account Control by hijacking a special key in the registry under the current user hive and inserting a custom command that will get invoked when the Windows fodhelper.exe application is launched. It will spawn our second shell that has the UAC flag turned off.

So let's see what our options are that we must set, and we need to set the session. In my case, it is session 1, and I can use the local port 4444. And if I type run, here it is. We got another session open. We got the Meterpreter opened. And this is a different session; as you can see, it is running on port 4444. So we got a shell back with this local exploit. But if we try to run the command getuid, it will say that we are still the same account that we were before. But remember, it said in the module description that this exploit will spawn a second shell with the User Account Control flag turned off. What does this mean? Well, it means that if we try once again to run the command getsystem, which didn't work before... now we are the SYSTEM account. We did it. Right now we can say we fully owned this Windows 10 target machine, since there is nothing that we can't do on it right now. And just to prove it to you, I will type getuid once again, and it will tell me that I am the NT AUTHORITY\SYSTEM account.

So feel free to test out other modules to see if they work or not. And you can also try these modules on our Windows 7 virtual machine just to see how that would go.

Great. Now that we have elevated our privileges, let us check out other post-exploitation modules that we can also run. See you in the next video.