1
00:00:00,390 --> 00:00:07,170
So in this video we will be doing the escalation technique we will be seeing, that is insecure

2
00:00:07,290 --> 00:00:14,170
service permissions, so we have a service running and the service permissions are insecure.

3
00:00:14,370 --> 00:00:23,180
So that means a normal user can change the permissions for this service, or the entire binary, or

4
00:00:23,190 --> 00:00:31,710
the path of the service, and how to do this through the escalation technique.

5
00:00:32,040 --> 00:00:39,270
So first of all, you should learn about this accesschk tool, so it is easier to check the access permissions

6
00:00:39,270 --> 00:00:47,580
for the user of a particular service, a particular binary, a particular process, etc. So you can

7
00:00:47,580 --> 00:00:51,690
download this accesschk, the accesschk.exe, from the Internet.

8
00:00:51,900 --> 00:00:55,400
So it will be available from the Sysinternals tools.

9
00:00:56,700 --> 00:00:58,480
So I have already downloaded this one.

10
00:00:58,740 --> 00:01:00,830
So first I will show you the help page.

11
00:01:01,440 --> 00:01:04,050
So we need to know about a few commands.

12
00:01:05,330 --> 00:01:13,990
So -c is for querying for the service, -d for only showing the directories, and -e for integrity levels,

13
00:01:14,300 --> 00:01:20,530
and so you can see here -k for registry keys.

14
00:01:20,810 --> 00:01:21,320
All right.

15
00:01:24,350 --> 00:01:34,250
Now you can see -p for process, and then -r is only to show the objects that have

16
00:01:34,250 --> 00:01:35,870
the read access.

17
00:01:35,870 --> 00:01:42,380
So -u for suppress errors, -v for verbose, and -w for write access.

18
00:01:42,680 --> 00:01:46,820
So with these switches we need to enumerate the services.

19
00:01:47,300 --> 00:01:51,700
So this IP address, you need to log in via RDP.

20
00:01:51,710 --> 00:01:55,520
So the credentials, username and password, this one.
21
00:01:58,190 --> 00:02:00,740
So this is the.

22
00:02:04,100 --> 00:02:10,670
So this is the, think of it as a normal user after we get the reverse shell.

23
00:02:10,700 --> 00:02:17,640
So from here, we need to transfer the accesschk.exe, so you can transfer that using the

24
00:02:18,290 --> 00:02:22,260
SMB transfer and then you can use that.

25
00:02:24,790 --> 00:02:33,340
So accesschk, if you run accesschk, it will show you some accepteula prompt, so you need to suppress

26
00:02:33,340 --> 00:02:33,850
that error.

27
00:02:40,210 --> 00:02:42,370
So if you run normally so.

28
00:02:47,760 --> 00:02:49,080
So if you run normally.

29
00:02:52,900 --> 00:02:59,380
OK, I don't know, it's been closed, so there will be a tick box, need to accept the terms and services

30
00:02:59,380 --> 00:03:01,180
and then you need to open that.

31
00:03:01,720 --> 00:03:05,980
So to suppress that, because you are in the command line, need to use this accepteula.

32
00:03:06,910 --> 00:03:13,090
And then what we're going to use is -u for any errors and -v for verbose.

33
00:03:13,900 --> 00:03:22,510
And I think -q is used for quiet, so after these switches, we need to provide the -w, so we need

34
00:03:22,510 --> 00:03:26,980
to find the -w, writable, what we are going to find, services.

35
00:03:27,580 --> 00:03:34,170
So we are going to find the writable services, and in TryHackMe,

36
00:03:34,180 --> 00:03:41,110
what they have done is they have already specified that this daclsvc service, the discretionary access

37
00:03:41,110 --> 00:03:41,820
control list.

38
00:03:42,680 --> 00:03:46,750
This is being run as, uh, system user.

39
00:03:47,560 --> 00:03:55,080
They do not show us how to find this one, because we don't know, when we are doing the boxes.

40
00:03:55,750 --> 00:03:58,480
So what you can do is you can put this command here.
41
00:03:58,810 --> 00:04:06,730
And if you run this, it would give you all the services which have the write access, so instead of,

42
00:04:06,790 --> 00:04:11,760
uh, for all users, you need to define your user.

43
00:04:11,770 --> 00:04:13,090
So what is my username?

44
00:04:13,090 --> 00:04:13,900
That is user.

45
00:04:15,520 --> 00:04:20,380
And now you can see, uh, for the user, because we are the user.

46
00:04:26,180 --> 00:04:34,910
And I have queried for all the services which have the write access for my user, and I came up with this

47
00:04:34,910 --> 00:04:38,150
daclsvc service, so here's what I can.

48
00:04:38,160 --> 00:04:42,470
SERVICE_CHANGE_CONFIG, SERVICE_START, SERVICE_STOP.

49
00:04:43,190 --> 00:04:50,060
So that means I can change the configuration of this service, and also I can start and stop the service.

50
00:04:50,690 --> 00:04:56,420
So if you do not have this access, if you do not have this, you need to wait for

51
00:04:56,420 --> 00:04:58,400
the computer to restart.

52
00:05:00,080 --> 00:05:05,390
So we found that, uh, service, which is writable.

53
00:05:05,390 --> 00:05:08,420
So we don't know whether it is running as system or not.

54
00:05:08,420 --> 00:05:10,710
So to check that, we need to use sc.

55
00:05:11,390 --> 00:05:20,930
So this is the sc manager, sc, and you need to query for this service.

56
00:05:23,580 --> 00:05:32,340
So it is, oh, I think they should give us enough information, so let's go and.

57
00:05:45,800 --> 00:05:52,510
And now you can see the binary path, so see the escalation for the reverse shell.

58
00:05:53,480 --> 00:05:59,510
So I have already changed this one, so I will show you how to change this one.

59
00:05:59,840 --> 00:06:01,600
So type sc config.

60
00:06:03,470 --> 00:06:08,170
So I'm going to ask for configuration for this service.

61
00:06:08,660 --> 00:06:10,010
Now, what it contains?

62
00:06:10,020 --> 00:06:12,220
You can change all of these properties.
63
00:06:12,530 --> 00:06:14,920
So the one we are interested in is the binary path.

64
00:06:16,190 --> 00:06:24,430
So go to this Kali box and make the reverse shell with the added hostname, your Kali box, and

65
00:06:24,430 --> 00:06:25,990
the port, and output.

66
00:06:26,000 --> 00:06:27,710
That's reverse shell.

67
00:06:29,330 --> 00:06:32,900
So after that, you make sure you are listening.

68
00:06:37,250 --> 00:06:40,280
So now what, we're going to sc config.

69
00:06:45,140 --> 00:06:48,810
That's the service name and the property of this service.

70
00:06:48,830 --> 00:06:57,050
So it is binpath, so we are going to change the binary path further to our malicious reverse shell exe.

71
00:06:57,710 --> 00:07:00,860
OK, so you need to put the backward slash for this.

72
00:07:01,190 --> 00:07:02,850
Um, what else.

73
00:07:13,610 --> 00:07:15,180
So it's in the process.

74
00:07:28,620 --> 00:07:30,150
So I think they should do it.

75
00:07:32,700 --> 00:07:34,170
So now it has been changed.

76
00:07:34,210 --> 00:07:36,030
Now let's query again, sorry.

77
00:07:42,540 --> 00:07:49,970
Now, you can see the binary path is this one, our malicious one, so we can use the net command

78
00:07:49,980 --> 00:07:51,840
to start this one.

79
00:07:59,020 --> 00:08:04,560
So let's run this, now you can see we got the shell, let's check, whoami?

80
00:08:05,170 --> 00:08:06,290
So we are system.

81
00:08:07,030 --> 00:08:10,930
So what we have done is we have found that there is a service.

82
00:08:10,930 --> 00:08:13,600
We can write the properties of the service.

83
00:08:14,230 --> 00:08:17,390
So you can also start and stop that service.

84
00:08:17,420 --> 00:08:20,880
So what we have done is one of the properties, binary path.

85
00:08:21,130 --> 00:08:23,340
So we have changed the binary path.

86
00:08:23,650 --> 00:08:29,080
So the binary path was this one: Program Files, the DACL service, and the exe.
87
00:08:29,320 --> 00:08:36,240
So we have changed to our malicious binary which gives the reverse shell to us, and then we restart the service.

88
00:08:37,000 --> 00:08:38,190
So let's exit.

89
00:08:40,790 --> 00:08:51,230
So first of all, what we can also use, you can look for directories that are writable.

90
00:08:55,440 --> 00:09:06,480
So -u suppress errors and -v show the output, and then use the -w, so -w for writable, and then the directory.

91
00:09:16,400 --> 00:09:17,040
So Program Files.

92
00:09:17,240 --> 00:09:24,560
So I want to search for all the directories from the C:\Program Files and I want to put that

93
00:09:25,100 --> 00:09:28,110
-s, because to search recursively.

94
00:09:28,280 --> 00:09:33,080
So from there on, what I want to check is whether I can write or not.

95
00:09:34,820 --> 00:09:37,010
So you can see there are a lot of.

96
00:09:41,410 --> 00:09:46,520
There are a lot of directories, so I think I can search using this username, so we are the user.

97
00:09:46,720 --> 00:09:52,110
So in your Windows, your username is this, or some other user.

98
00:09:52,150 --> 00:09:53,410
So you need to put this one.

99
00:09:55,570 --> 00:10:00,990
So for me, the directory I can write is in C:\Program Files.

100
00:10:02,140 --> 00:10:04,030
So Unquoted Path Service.

101
00:10:04,060 --> 00:10:08,520
OK, so this we will be doing in the next one.

102
00:10:08,530 --> 00:10:16,410
So you can also, I think you can also search for all the directories.

103
00:10:17,230 --> 00:10:21,310
You can query for the service, so there is no.

104
00:10:30,000 --> 00:10:35,040
So I think we cannot find a service like this, so what we can find is the services.

105
00:10:37,790 --> 00:10:38,430
Users.

106
00:10:38,870 --> 00:10:40,820
So this you'll find for all of the users.

107
00:10:46,630 --> 00:10:56,340
So you can see we got a bunch of binaries, so why did we get the binaries?

108
00:10:56,350 --> 00:10:58,030
Because we did not include the -c.
109
00:10:58,240 --> 00:11:01,210
If you include the -c switch, it will search only for services.

110
00:11:03,670 --> 00:11:10,720
So you can see now we have got only one service, so another technique I want to show you is using

111
00:11:10,720 --> 00:11:11,360
the PowerUp.

112
00:11:12,220 --> 00:11:15,970
So there is a PowerShell installed in your Windows box.

113
00:11:16,360 --> 00:11:24,790
So you can tell whether the PowerShell has been installed using that PowerShell, and

114
00:11:24,790 --> 00:11:28,190
maybe use, uh, PSVersionTable.

115
00:11:29,290 --> 00:11:33,790
So this will give you the latest version and also all the compatible versions.

116
00:11:35,200 --> 00:11:38,020
So if you have PowerShell installed, I'll show you one script.

117
00:11:38,020 --> 00:11:39,800
That is the PowerUp.ps1.

118
00:11:39,820 --> 00:11:44,620
So if you go to Google, you can search for PowerUp and you can download the script.

119
00:11:45,460 --> 00:11:48,070
So in this room they have provided all the files.

120
00:11:48,220 --> 00:11:50,070
So this is the PowerUp one.

121
00:11:50,290 --> 00:11:55,030
So I will show you a one-liner to execute all the functions in the PowerUp.

122
00:11:57,730 --> 00:11:58,630
So powershell.

123
00:12:01,880 --> 00:12:08,110
Import-Module, so we want to import the module, so which is the module, that is this PowerUp.ps1.

124
00:12:10,570 --> 00:12:15,670
So after importing, immediately I want to Invoke-AllChecks, so there is the function.

125
00:12:21,850 --> 00:12:25,960
So there is a function inside this PowerUp script, Invoke-AllChecks.

126
00:12:25,960 --> 00:12:35,610
So this will call all the functions, like the services and insecure service functions, etc.

127
00:12:35,860 --> 00:12:40,590
So I'm going to run this, and you can see here all the output.

128
00:12:46,210 --> 00:12:52,970
So service executable and argument permissions, so the name is the service and the path.
129
00:12:53,000 --> 00:12:53,580
This one.

130
00:12:53,590 --> 00:12:57,660
So we have changed this one, that's why it shows like this, modifiable file.

131
00:12:57,700 --> 00:12:58,570
So this is one.

132
00:12:59,650 --> 00:13:07,780
So PowerUp also has some functions, so you can create the binary on the system itself without the use of

133
00:13:08,950 --> 00:13:09,020
it.

134
00:13:09,040 --> 00:13:10,930
So we'll be doing this

135
00:13:11,290 --> 00:13:16,920
in later videos, when I'm showing the winPEAS and PowerUp, etc.

136
00:13:17,770 --> 00:13:21,060
So we have also the file permission service.

137
00:13:21,460 --> 00:13:23,690
So that is located at this one.

138
00:13:24,730 --> 00:13:29,560
So I think there are two services, so this is the file permission service.

139
00:13:32,020 --> 00:13:38,740
So, OK, if they did not cover this one, we will be trying to do this one, so it's similar, so you can

140
00:13:38,740 --> 00:13:47,770
think of it as an exercise, and query for this using the sc command and then modify this one to the reverse

141
00:13:47,770 --> 00:13:48,430
shell exe.

142
00:13:51,930 --> 00:14:00,480
So there are two services running on the service permissions, maybe we have only this one, so,

143
00:14:00,600 --> 00:14:06,500
OK, we'll see what the output of all the other functions is.

144
00:14:06,870 --> 00:14:09,090
So AlwaysInstallElevated.

145
00:14:09,300 --> 00:14:15,480
So you can create a fake MSI and you can install that, once installed it will give you a reverse shell.

146
00:14:17,180 --> 00:14:22,010
So this PowerUp is very helpful when you have the PowerShell in the system.

147
00:14:23,660 --> 00:14:25,310
So that's all for this video.

148
00:14:25,310 --> 00:14:28,100
We have seen how to modify the service permissions.