1
00:00:04,560 --> 00:00:07,879
[Music]
2
00:00:07,879 --> 00:00:10,280
hey guys hack exploit here back again
3
00:00:10,280 --> 00:00:12,160
with another video Welcome Back to the
4
00:00:12,160 --> 00:00:15,200
penetration testing boot camp uh in this
5
00:00:15,200 --> 00:00:17,199
video or in this set of videos we will
6
00:00:17,199 --> 00:00:19,520
be uh taking a look at the various
7
00:00:19,520 --> 00:00:21,519
Windows privilege escalation uh
8
00:00:21,519 --> 00:00:23,199
techniques or vectors that you can use
9
00:00:23,199 --> 00:00:25,599
to elevate your privileges on a Windows
10
00:00:25,599 --> 00:00:28,160
system and again this is part of the pen
11
00:00:28,160 --> 00:00:29,720
testing boot camp so we've covered post
12
00:00:29,720 --> 00:00:31,480
EXP itation we're now moving on to
13
00:00:31,480 --> 00:00:33,879
pesque we'll also be covering we we'll
14
00:00:33,879 --> 00:00:36,440
also be covering prives on Linux so
15
00:00:36,440 --> 00:00:37,760
again I just want to make sure that
16
00:00:37,760 --> 00:00:39,719
we're uh we all have an understanding of
17
00:00:39,719 --> 00:00:41,960
where we are and where we're going now
18
00:00:41,960 --> 00:00:44,200
I've been getting a lot of messages
19
00:00:44,200 --> 00:00:46,960
regarding uh the log forj or the log for
20
00:00:46,960 --> 00:00:48,920
Shell vulnerability and how to exploit
21
00:00:48,920 --> 00:00:51,520
it and I'm currently working on an
22
00:00:51,520 --> 00:00:53,239
in-depth video that covers the
23
00:00:53,239 --> 00:00:56,079
exploitation not just of uh you know of
24
00:00:56,079 --> 00:00:58,359
the vulnerability on Minecraft servers
25
00:00:58,359 --> 00:01:00,680
uh but also on the very ious Apache
26
00:01:00,680 --> 00:01:03,160
Solutions out there so uh do stay tuned
27
00:01:03,160 --> 00:01:05,760
for that in this uh video we'll be
28
00:01:05,760 --> 00:01:08,400
focusing primarily on performing uh
29
00:01:08,400 --> 00:01:11,000
local enumeration with a uh a script or
30
00:01:11,000 --> 00:01:13,159
a tool called wipas which you guys have
31
00:01:13,159 --> 00:01:15,400
seen me use before uh the objective of
32
00:01:15,400 --> 00:01:17,799
this video is again to perform local
33
00:01:17,799 --> 00:01:19,840
enumeration on the system in order to
34
00:01:19,840 --> 00:01:22,240
identify uh the various vulnerabilities
35
00:01:22,240 --> 00:01:23,799
that we can essentially exploit to
36
00:01:23,799 --> 00:01:26,280
elevate our privileges and this uh the
37
00:01:26,280 --> 00:01:27,960
room that we'll be utilizing is the
38
00:01:27,960 --> 00:01:30,680
windows prives room on triac me it's a
39
00:01:30,680 --> 00:01:33,079
free room and it's an intermediate room
40
00:01:33,079 --> 00:01:35,280
so uh the objective here is to
41
00:01:35,280 --> 00:01:37,360
essentially Elevate our privileges to
42
00:01:37,360 --> 00:01:39,840
the highest level I've already started
43
00:01:39,840 --> 00:01:42,000
the actual machine here and let me just
44
00:01:42,000 --> 00:01:44,719
copy the IP there and as you can see
45
00:01:44,719 --> 00:01:46,079
there are various techniques that we'll
46
00:01:46,079 --> 00:01:47,920
be exploring and in my view this is
47
00:01:47,920 --> 00:01:49,759
pretty much one of the best rooms on
48
00:01:49,759 --> 00:01:52,040
traki uh that goes over the various
49
00:01:52,040 --> 00:01:54,320
privilege escalation vectors on windows
50
00:01:54,320 --> 00:01:57,079
so without further Ado uh the primary
51
00:01:57,079 --> 00:01:59,439
access Vector is VI RDP so again we're
52
00:01:59,439 --> 00:02:01,200
not exploiting anything on the target
53
00:02:01,200 --> 00:02:03,680
system although that could be an option
54
00:02:03,680 --> 00:02:06,320
uh but we'll just copy the xfree RDP
55
00:02:06,320 --> 00:02:08,440
command here to uh essentially start up
56
00:02:08,440 --> 00:02:11,319
an RDP session you're free to use Rina
57
00:02:11,319 --> 00:02:13,959
if you want as well so there we are
58
00:02:13,959 --> 00:02:16,840
that'll open up the RDP session for us
59
00:02:16,840 --> 00:02:18,440
and we'll give that a couple of seconds
60
00:02:18,440 --> 00:02:21,280
it looks like it's a uh Windows Server
61
00:02:21,280 --> 00:02:23,440
uh box so we'll just wait for that to
62
00:02:23,440 --> 00:02:26,040
load up um looks like it's starting up
63
00:02:26,040 --> 00:02:27,959
CMD for some reason there we are Windows
64
00:02:27,959 --> 00:02:31,959
Server 2019 evaluation now if we take a
65
00:02:31,959 --> 00:02:33,519
look at the instructions here you can
66
00:02:33,519 --> 00:02:34,760
see that we're logging in as an
67
00:02:34,760 --> 00:02:36,680
unprivileged user so I just want you to
68
00:02:36,680 --> 00:02:38,360
take note of that because that's very
69
00:02:38,360 --> 00:02:40,879
important so uh again as I said we're
70
00:02:40,879 --> 00:02:42,560
going to be using a tool called win
71
00:02:42,560 --> 00:02:44,680
piece to perform enumeration in the
72
00:02:44,680 --> 00:02:46,959
previous set of videos uh within the
73
00:02:46,959 --> 00:02:49,400
post exploitation series I covered how
74
00:02:49,400 --> 00:02:51,879
to perform manual enumeration on Windows
75
00:02:51,879 --> 00:02:53,599
and we were primarily focused on
76
00:02:53,599 --> 00:02:55,840
performing enumeration on an active
77
00:02:55,840 --> 00:02:57,640
directory environment but again the
78
00:02:57,640 --> 00:03:00,080
techniques are also uh in know to to
79
00:03:00,080 --> 00:03:02,239
some degree applicable on a standard
80
00:03:02,239 --> 00:03:05,440
Windows system so what is wipas well
81
00:03:05,440 --> 00:03:09,319
wipas is essentially a binary or a tool
82
00:03:09,319 --> 00:03:11,720
that can be used to uh essentially
83
00:03:11,720 --> 00:03:14,040
automate all the you know traditional
84
00:03:14,040 --> 00:03:15,799
information gathering uh checks that
85
00:03:15,799 --> 00:03:18,360
You' perform on a Windows system and
86
00:03:18,360 --> 00:03:20,239
more specifically it actually gives you
87
00:03:20,239 --> 00:03:21,920
important diagnostic information
88
00:03:21,920 --> 00:03:24,640
regarding vulnerable Services uh more to
89
00:03:24,640 --> 00:03:26,959
do with elevating your privileges but
90
00:03:26,959 --> 00:03:29,519
just basically uh it it really gives you
91
00:03:29,519 --> 00:03:32,680
a comprehensive rundown of uh the system
92
00:03:32,680 --> 00:03:35,120
configuration any misconfigurations or
93
00:03:35,120 --> 00:03:36,519
vulnerabilities that we can take
94
00:03:36,519 --> 00:03:38,760
advantage of so on and so forth all
95
00:03:38,760 --> 00:03:40,560
right now the GitHub repository will be
96
00:03:40,560 --> 00:03:43,040
in the description section and you can
97
00:03:43,040 --> 00:03:44,799
see that right over here we have the
98
00:03:44,799 --> 00:03:47,799
batch file as well as sorry the bat file
99
00:03:47,799 --> 00:03:50,040
as well as the exe binaries here so if I
100
00:03:50,040 --> 00:03:52,079
click on that uh you can see you have
101
00:03:52,079 --> 00:03:53,599
the source code so you can actually go
102
00:03:53,599 --> 00:03:55,239
through it and compile it yourself if
103
00:03:55,239 --> 00:03:57,319
you're not comfortable uh or if you're
104
00:03:57,319 --> 00:03:59,400
not you know if you don't feel safe uh
105
00:03:59,400 --> 00:04:01,159
you know just download downloading and
106
00:04:01,159 --> 00:04:03,560
executing a binary of the internet so
107
00:04:03,560 --> 00:04:06,360
I'll click on wipes here and uh you can
108
00:04:06,360 --> 00:04:08,159
see there we are that's the source code
109
00:04:08,159 --> 00:04:10,560
there so I'll just take a step back and
110
00:04:10,560 --> 00:04:12,720
if we take a look at the binaries uh we
111
00:04:12,720 --> 00:04:14,400
have the obvious skated releases which
112
00:04:14,400 --> 00:04:16,639
have been obvious skated so if you click
113
00:04:16,639 --> 00:04:19,079
on that you can see that you have the do
114
00:04:19,079 --> 00:04:21,239
obfuscated uh binaries and then you have
115
00:04:21,239 --> 00:04:24,240
your obfuscated uh binaries here so uh
116
00:04:24,240 --> 00:04:25,960
they're sorted based on the target
117
00:04:25,960 --> 00:04:27,560
operating system architecture so you
118
00:04:27,560 --> 00:04:30,360
have 32-bit 64-bit as well as any
119
00:04:30,360 --> 00:04:32,199
architecture which will run on uh pretty
120
00:04:32,199 --> 00:04:35,560
much both 32bit and 64-bit versions of
121
00:04:35,560 --> 00:04:37,720
Windows uh in this case it looks like
122
00:04:37,720 --> 00:04:39,680
it's Windows Server so it's a it's a
123
00:04:39,680 --> 00:04:42,039
64-bit system so we'll be utilizing the
124
00:04:42,039 --> 00:04:45,360
64-bit binary there we are and again you
125
00:04:45,360 --> 00:04:47,080
can just download it onto your Cali
126
00:04:47,080 --> 00:04:48,919
system and then in terms of transferring
127
00:04:48,919 --> 00:04:51,280
it you can transfer it onto the target
128
00:04:51,280 --> 00:04:53,680
system via CT util or through a
129
00:04:53,680 --> 00:04:57,120
interpreter session so um as for the uh
130
00:04:57,120 --> 00:04:59,080
tasks here that's already done so we'll
131
00:04:59,080 --> 00:05:00,320
hit complete
132
00:05:00,320 --> 00:05:02,039
and if we move to the first or the
133
00:05:02,039 --> 00:05:03,680
second task here which essentially
134
00:05:03,680 --> 00:05:05,479
involves generating a reverse shell
135
00:05:05,479 --> 00:05:08,120
executable as our primary access Vector
136
00:05:08,120 --> 00:05:10,360
so uh the technique highlighted here
137
00:05:10,360 --> 00:05:12,360
essentially involves setting up an SMB
138
00:05:12,360 --> 00:05:14,440
server and then transferring it over to
139
00:05:14,440 --> 00:05:19,280
the Target via our our RDP session I I I
140
00:05:19,280 --> 00:05:22,160
pretty much prefer utilizing a u you
141
00:05:22,160 --> 00:05:24,400
know utilizing the web delivery metas
142
00:05:24,400 --> 00:05:26,000
Spate module so that's what I'm going to
143
00:05:26,000 --> 00:05:27,840
be doing although you can also follow
144
00:05:27,840 --> 00:05:29,440
along with the techniques highlighted
145
00:05:29,440 --> 00:05:30,240
here
146
00:05:30,240 --> 00:05:32,600
all right so I'll start up my I'll open
147
00:05:32,600 --> 00:05:35,720
up a new tab here and I'll start up msf
148
00:05:35,720 --> 00:05:38,600
console and what we'll do is we will
149
00:05:38,600 --> 00:05:40,479
essentially generate a partial command
150
00:05:40,479 --> 00:05:42,160
that will then execute on the target
151
00:05:42,160 --> 00:05:43,759
system and that'll provide us with a
152
00:05:43,759 --> 00:05:45,960
interpreter session after which we can
153
00:05:45,960 --> 00:05:47,000
perform the
154
00:05:47,000 --> 00:05:49,479
enumeration uh with win peas all right
155
00:05:49,479 --> 00:05:52,800
so we'll give that a couple of seconds
156
00:05:52,800 --> 00:05:54,639
there all right there we are it looks
157
00:05:54,639 --> 00:05:56,880
like it's starting up msf usually takes
158
00:05:56,880 --> 00:05:59,199
a few seconds there we are I'll search
159
00:05:59,199 --> 00:06:01,039
for the module and of course I covered
160
00:06:01,039 --> 00:06:02,759
how to use it so you should be familiar
161
00:06:02,759 --> 00:06:06,319
with it now um I'll just hit copy and
162
00:06:06,319 --> 00:06:08,479
we'll hit paste and then we want to set
163
00:06:08,479 --> 00:06:11,880
the target as Powershell and we will use
164
00:06:11,880 --> 00:06:14,880
the binary option so uh there we are let
165
00:06:14,880 --> 00:06:17,319
me set that up correctly binary and then
166
00:06:17,319 --> 00:06:20,840
set the payload if we show the options
167
00:06:20,840 --> 00:06:23,440
now uh you can see we still need need to
168
00:06:23,440 --> 00:06:24,919
set up the payload so I'm going to say
169
00:06:24,919 --> 00:06:27,400
Set uh payload and then we can set up
170
00:06:27,400 --> 00:06:28,880
the Powershell payload so I'm going to
171
00:06:28,880 --> 00:06:30,120
say Powershell
172
00:06:30,120 --> 00:06:33,240
so that is not po shell but um we're
173
00:06:33,240 --> 00:06:35,639
going to set the payload to Windows and
174
00:06:35,639 --> 00:06:38,199
then we'll say po shell and we're using
175
00:06:38,199 --> 00:06:41,360
a non-staged module here so Powershell
176
00:06:41,360 --> 00:06:45,120
reverse TCP show the options
177
00:06:45,120 --> 00:06:47,440
again and we're going to set the lhost
178
00:06:47,440 --> 00:06:49,360
option so let me just check out my IP
179
00:06:49,360 --> 00:06:52,560
here so ip config and tunnel zero is the
180
00:06:52,560 --> 00:06:54,520
interface so I'll copy that there so
181
00:06:54,520 --> 00:06:57,800
I'll say set l l host and we'll we'll
182
00:06:57,800 --> 00:07:00,560
leave the L Port as Port 44 44 which is
183
00:07:00,560 --> 00:07:04,319
fine so show options and uh we then need
184
00:07:04,319 --> 00:07:06,560
to set up a few other options one of
185
00:07:06,560 --> 00:07:08,319
them is going to be an advanced option
186
00:07:08,319 --> 00:07:10,240
so show
187
00:07:10,240 --> 00:07:13,039
Advanced there we are and uh the option
188
00:07:13,039 --> 00:07:16,199
we want to disable is the Parell encode
189
00:07:16,199 --> 00:07:18,080
option so let me see if I can find that
190
00:07:18,080 --> 00:07:20,440
here so that's pow shell encoded command
191
00:07:20,440 --> 00:07:22,360
we're going to set that to false so I'm
192
00:07:22,360 --> 00:07:24,720
going to copy that uh sorry let me just
193
00:07:24,720 --> 00:07:26,800
get that done there and we're going to
194
00:07:26,800 --> 00:07:30,759
say set partial encoded command to false
195
00:07:30,759 --> 00:07:33,240
there we go and if we now hit exploit we
196
00:07:33,240 --> 00:07:35,120
should get the PowerAll code that we can
197
00:07:35,120 --> 00:07:37,240
then ex we we can then execute on the
198
00:07:37,240 --> 00:07:40,039
target system so uh I'll give that a
199
00:07:40,039 --> 00:07:41,560
couple of seconds there there we are
200
00:07:41,560 --> 00:07:43,639
it's generated it for us and it starts
201
00:07:43,639 --> 00:07:47,639
up the Handler so uh we'll copy that and
202
00:07:47,639 --> 00:07:49,759
we'll then head over here and we'll open
203
00:07:49,759 --> 00:07:53,000
up a command prompt so I'll give that a
204
00:07:53,000 --> 00:07:55,159
couple of seconds uh because you know
205
00:07:55,159 --> 00:07:57,879
this is a VM after all well not a VM
206
00:07:57,879 --> 00:07:59,520
it's a cloud instance and of course
207
00:07:59,520 --> 00:08:02,800
resources are going to be uh scarce so
208
00:08:02,800 --> 00:08:04,479
I'll just paste that in there and of
209
00:08:04,479 --> 00:08:05,919
course you can get rid of the Hidden
210
00:08:05,919 --> 00:08:07,759
option there so that it executes and
211
00:08:07,759 --> 00:08:09,319
doesn't close up the window if you want
212
00:08:09,319 --> 00:08:11,360
to actually know where there are any
213
00:08:11,360 --> 00:08:14,240
errors I'll just hit enter and that
214
00:08:14,240 --> 00:08:17,000
should open up a pow shell window here
215
00:08:17,000 --> 00:08:18,440
which means that it's executed
216
00:08:18,440 --> 00:08:20,720
successfully there we are and it should
217
00:08:20,720 --> 00:08:22,000
send the
218
00:08:22,000 --> 00:08:25,199
stage there we are delivering the
219
00:08:25,199 --> 00:08:28,120
payload and we'll give that a couple of
220
00:08:28,120 --> 00:08:30,879
seconds there we looks like that is done
221
00:08:30,879 --> 00:08:34,560
delivering payload is done um any errors
222
00:08:34,560 --> 00:08:36,719
there nothing there have we got a
223
00:08:36,719 --> 00:08:40,240
interpreter session probably there we
224
00:08:40,240 --> 00:08:42,080
are power shell session well sorry we
225
00:08:42,080 --> 00:08:43,680
actually need to upgrade the power shell
226
00:08:43,680 --> 00:08:46,839
session into a interpreter session so if
227
00:08:46,839 --> 00:08:48,959
we say sessions you can see we have the
228
00:08:48,959 --> 00:08:50,399
power shell session there so I'm going
229
00:08:50,399 --> 00:08:52,440
to upgrade the command shell or the
230
00:08:52,440 --> 00:08:55,080
power Shell Shell uh into a meterpreter
231
00:08:55,080 --> 00:08:56,959
shell and that's that can be done by
232
00:08:56,959 --> 00:08:59,600
using the sessions U option and the
233
00:08:59,600 --> 00:09:01,519
session we want to upgrade is session
234
00:09:01,519 --> 00:09:03,760
one there we are don't worry if it gives
235
00:09:03,760 --> 00:09:05,519
you the error that this may not be
236
00:09:05,519 --> 00:09:07,040
compatible with this module that's
237
00:09:07,040 --> 00:09:09,560
simply just um a message to to to to
238
00:09:09,560 --> 00:09:11,480
actually inform you to keep you aware of
239
00:09:11,480 --> 00:09:14,279
that so uh there we are sending the
240
00:09:14,279 --> 00:09:17,040
stage and we should get a MPR session on
241
00:09:17,040 --> 00:09:19,399
the target system there we are
242
00:09:19,399 --> 00:09:22,560
meterpreter session two
243
00:09:24,640 --> 00:09:27,480
opened sessions there we are and we get
244
00:09:27,480 --> 00:09:30,519
a 64-bit session so session too let's
245
00:09:30,519 --> 00:09:32,760
perform some basic enumeration so CIS
246
00:09:32,760 --> 00:09:35,480
info uh you know get us ID and then of
247
00:09:35,480 --> 00:09:37,360
course you can pop a native command
248
00:09:37,360 --> 00:09:39,959
shell and then uh essentially you know
249
00:09:39,959 --> 00:09:41,839
perform all of the commands that we had
250
00:09:41,839 --> 00:09:44,399
taken a look at previously in this case
251
00:09:44,399 --> 00:09:46,279
however we're just going to navigate to
252
00:09:46,279 --> 00:09:49,160
the root of the C drive and uh into the
253
00:09:49,160 --> 00:09:51,040
temp directory which is where I want to
254
00:09:51,040 --> 00:09:53,399
save the wipie binary and then I can
255
00:09:53,399 --> 00:09:56,200
upload it so I can say upload and in my
256
00:09:56,200 --> 00:09:58,519
case I've saved the win piece binary on
257
00:09:58,519 --> 00:10:02,200
my desktop under Windows enum and then I
258
00:10:02,200 --> 00:10:05,120
of course I have um winp there we have
259
00:10:05,120 --> 00:10:07,040
there's the folder and then I'm going to
260
00:10:07,040 --> 00:10:10,000
upload uh winp
261
00:10:10,000 --> 00:10:13,880
x64.exe upload that there and they will
262
00:10:13,880 --> 00:10:15,240
give that a couple of seconds to
263
00:10:15,240 --> 00:10:17,640
actually
264
00:10:20,680 --> 00:10:23,079
complete there we are looks like it's
265
00:10:23,079 --> 00:10:24,760
completed and then of course we can pop
266
00:10:24,760 --> 00:10:27,320
a shell here and we're currently within
267
00:10:27,320 --> 00:10:29,399
the temp directory which is great and we
268
00:10:29,399 --> 00:10:32,000
can then execute the wipas executable so
269
00:10:32,000 --> 00:10:36,120
winp x64.exe however before you do that
270
00:10:36,120 --> 00:10:38,800
you can open up the help uh menu right
271
00:10:38,800 --> 00:10:41,160
over here now this is very important
272
00:10:41,160 --> 00:10:43,959
because if you run win pece by default
273
00:10:43,959 --> 00:10:46,000
or just without any arguments or any
274
00:10:46,000 --> 00:10:48,399
other options it's going to go through
275
00:10:48,399 --> 00:10:50,519
all of the uh enumeration right so it's
276
00:10:50,519 --> 00:10:51,839
going to enumerate all of this
277
00:10:51,839 --> 00:10:53,200
information right over here so it's
278
00:10:53,200 --> 00:10:54,920
going to enumerate the domain
279
00:10:54,920 --> 00:10:56,800
information if it's part of a domain
280
00:10:56,800 --> 00:10:58,800
system information User information
281
00:10:58,800 --> 00:11:02,079
process service etc etc so uh if you're
282
00:11:02,079 --> 00:11:04,120
uh specifically looking for a specific
283
00:11:04,120 --> 00:11:05,760
set of information like the user
284
00:11:05,760 --> 00:11:07,920
information I can specify that so I can
285
00:11:07,920 --> 00:11:10,440
say winp uh
286
00:11:10,440 --> 00:11:12,959
x64.exe and then I can
287
00:11:12,959 --> 00:11:17,000
say user information so user info hit
288
00:11:17,000 --> 00:11:19,360
enter that'll only enumerate the user
289
00:11:19,360 --> 00:11:20,959
information here so we'll give that a
290
00:11:20,959 --> 00:11:23,120
couple of seconds there we are let's
291
00:11:23,120 --> 00:11:24,680
take a look at what information this
292
00:11:24,680 --> 00:11:26,160
will give us because this is quite
293
00:11:26,160 --> 00:11:28,560
important so first and foremost you can
294
00:11:28,560 --> 00:11:30,279
see that it'll go through the following
295
00:11:30,279 --> 00:11:31,839
checklist so it'll check if it's part of
296
00:11:31,839 --> 00:11:34,560
a domain getting the user account info
297
00:11:34,560 --> 00:11:37,279
the group list active user list disabled
298
00:11:37,279 --> 00:11:40,120
users admin users and uh files or
299
00:11:40,120 --> 00:11:41,920
directories uh that we can essentially
300
00:11:41,920 --> 00:11:44,240
search so uh check if you have some
301
00:11:44,240 --> 00:11:46,959
admin equivalent equivalent privileges
302
00:11:46,959 --> 00:11:49,360
uh you can see that the current user is
303
00:11:49,360 --> 00:11:51,560
not part of the admin group so we don't
304
00:11:51,560 --> 00:11:54,079
have any elevated privileges uh we have
305
00:11:54,079 --> 00:11:55,760
an admin user that's part of the
306
00:11:55,760 --> 00:11:57,720
administrator group as well as the
307
00:11:57,720 --> 00:11:59,839
administrator account and then of course
308
00:11:59,839 --> 00:12:01,560
we have our current user account the
309
00:12:01,560 --> 00:12:03,839
rest are you guest accounts and the
310
00:12:03,839 --> 00:12:06,440
default account which is disabled uh on
311
00:12:06,440 --> 00:12:09,639
you know modern versions of Windows um
312
00:12:09,639 --> 00:12:12,240
as for the other piece of information
313
00:12:12,240 --> 00:12:13,480
you can see you have your token
314
00:12:13,480 --> 00:12:15,720
privileges here and then of course
315
00:12:15,720 --> 00:12:17,760
logged on users it'll only tell us that
316
00:12:17,760 --> 00:12:20,079
we are currently logged on which is very
317
00:12:20,079 --> 00:12:22,279
important then uh display information
318
00:12:22,279 --> 00:12:24,360
about the uh local users which we've
319
00:12:24,360 --> 00:12:26,399
already gone over but you can get the
320
00:12:26,399 --> 00:12:28,720
user ID to identify whether that user is
321
00:12:28,720 --> 00:12:32,199
administ you know etc etc right um okay
322
00:12:32,199 --> 00:12:35,000
so the users that have logged on to the
323
00:12:35,000 --> 00:12:38,000
system administrator admin user okay so
324
00:12:38,000 --> 00:12:40,519
on and so forth you get the idea now we
325
00:12:40,519 --> 00:12:42,519
can enumerate all the information as I
326
00:12:42,519 --> 00:12:45,839
said previously by simply saying wipas
327
00:12:45,839 --> 00:12:46,480
uh
328
00:12:46,480 --> 00:12:50,480
x64.exe right so I'll hit enter and uh
329
00:12:50,480 --> 00:12:52,560
in this particular context the reason
330
00:12:52,560 --> 00:12:55,399
why I'm using wipas is because wipas
331
00:12:55,399 --> 00:12:57,519
will actually help you identify all of
332
00:12:57,519 --> 00:12:59,720
these privilege escalation vectors
333
00:12:59,720 --> 00:13:01,440
uh and whether or not the system is
334
00:13:01,440 --> 00:13:03,720
vulnerable to any of them right so it'll
335
00:13:03,720 --> 00:13:05,199
tell you whether you have any insecure
336
00:13:05,199 --> 00:13:07,160
service permissions unquoted Service
337
00:13:07,160 --> 00:13:09,199
Parts weak registry permissions uh
338
00:13:09,199 --> 00:13:12,040
insecure Service executables uh Auto
339
00:13:12,040 --> 00:13:14,199
runs uh they always install elevated
340
00:13:14,199 --> 00:13:16,680
vulnerability uh week registry uh
341
00:13:16,680 --> 00:13:19,720
permissions um so on and so forth right
342
00:13:19,720 --> 00:13:21,839
so let's go back here you can see it's
343
00:13:21,839 --> 00:13:23,440
still going through the check and I'm
344
00:13:23,440 --> 00:13:24,839
just going to wait for it to complete
345
00:13:24,839 --> 00:13:26,320
and then I'll take you through it step
346
00:13:26,320 --> 00:13:29,360
by step and that'll pretty much conclude
347
00:13:29,360 --> 00:13:31,000
this video because we'll then move on to
348
00:13:31,000 --> 00:13:33,800
the first privilege escalation Vector so
349
00:13:33,800 --> 00:13:35,320
if we take a look at the results from
350
00:13:35,320 --> 00:13:37,160
the beginning uh most of it is going to
351
00:13:37,160 --> 00:13:39,440
be diagnostic information pertinent to
352
00:13:39,440 --> 00:13:41,680
processes uh that are currently running
353
00:13:41,680 --> 00:13:43,839
the networking uh information like the
354
00:13:43,839 --> 00:13:45,720
interfaces which can be useful if you're
355
00:13:45,720 --> 00:13:48,320
trying to Pivot uh it'll also enumerate
356
00:13:48,320 --> 00:13:50,079
other information that can be quite
357
00:13:50,079 --> 00:13:52,399
useful but again we'll get to that in a
358
00:13:52,399 --> 00:13:54,320
few seconds right so there's quite a lot
359
00:13:54,320 --> 00:13:56,160
of in information here and you can see
360
00:13:56,160 --> 00:13:58,480
we have path injection vulnerabilities
361
00:13:58,480 --> 00:14:00,560
that have been detected um but let's
362
00:14:00,560 --> 00:14:03,279
take a look at the beginning here all
363
00:14:03,279 --> 00:14:05,440
right so there we are that's where it
364
00:14:05,440 --> 00:14:08,040
began so first and foremost you'll get
365
00:14:08,040 --> 00:14:10,639
the system information so the host name
366
00:14:10,639 --> 00:14:12,800
uh the version of Windows the release ID
367
00:14:12,800 --> 00:14:14,800
or the build version of Windows the
368
00:14:14,800 --> 00:14:17,120
architecture the the actual current
369
00:14:17,120 --> 00:14:19,680
version the time zone which can be quite
370
00:14:19,680 --> 00:14:22,079
important as well as the keyboard
371
00:14:22,079 --> 00:14:24,040
language and then whether or not it's a
372
00:14:24,040 --> 00:14:25,600
part of the domain the hot fix is
373
00:14:25,600 --> 00:14:28,160
installed Etc now as for the
374
00:14:28,160 --> 00:14:30,079
vulnerabilities that it identifies with
375
00:14:30,079 --> 00:14:31,800
whats and here these are going to be
376
00:14:31,800 --> 00:14:33,680
vulnerabilities uh pertinent to the
377
00:14:33,680 --> 00:14:36,079
kernel or you know parts of the Windows
378
00:14:36,079 --> 00:14:38,160
operating system that can be exploited
379
00:14:38,160 --> 00:14:40,000
to elevate Privileges and of course
380
00:14:40,000 --> 00:14:42,000
we'll be exploring kernel exploits in
381
00:14:42,000 --> 00:14:44,120
the next video as we progress uh but
382
00:14:44,120 --> 00:14:45,720
this is where you typically find that
383
00:14:45,720 --> 00:14:48,360
information so you get the exploit DB uh
384
00:14:48,360 --> 00:14:50,600
code or reference link if there is a
385
00:14:50,600 --> 00:14:52,680
publicly available exploit and then you
386
00:14:52,680 --> 00:14:54,240
get the reference link which could
387
00:14:54,240 --> 00:14:56,519
contain the exploit code or a proof of
388
00:14:56,519 --> 00:14:59,320
concept all right so uh for the install
389
00:14:59,320 --> 00:15:01,199
updates it'll give you the hot fix ID
390
00:15:01,199 --> 00:15:03,279
when it was installed uh and then of
391
00:15:03,279 --> 00:15:04,800
course the description and the title
392
00:15:04,800 --> 00:15:06,880
which is very important right so uh in
393
00:15:06,880 --> 00:15:08,959
this case you can see that the Microsoft
394
00:15:08,959 --> 00:15:11,399
updates are pertinent to uh one of them
395
00:15:11,399 --> 00:15:13,680
is pertinent to Windows uh antivirus or
396
00:15:13,680 --> 00:15:15,519
Windows Defender and then of course
397
00:15:15,519 --> 00:15:17,759
there's a driver install which is VMware
398
00:15:17,759 --> 00:15:19,519
which tells us that this is indeed a
399
00:15:19,519 --> 00:15:21,720
virtual machine okay the user
400
00:15:21,720 --> 00:15:23,480
environment variables we can which can
401
00:15:23,480 --> 00:15:26,199
be quite uh useful uh and then of course
402
00:15:26,199 --> 00:15:28,000
the system environment variable so you
403
00:15:28,000 --> 00:15:29,440
can see that the temp directory
404
00:15:29,440 --> 00:15:32,160
specified there uh the actual path and
405
00:15:32,160 --> 00:15:35,199
Driver data directories are specified uh
406
00:15:35,199 --> 00:15:38,160
so on and so forth all right let's take
407
00:15:38,160 --> 00:15:40,199
a look at some of the other options here
408
00:15:40,199 --> 00:15:42,240
LSA protection right so this is very
409
00:15:42,240 --> 00:15:44,440
important so if enabled a driver is
410
00:15:44,440 --> 00:15:47,040
needed to read Elsas memory uh so again
411
00:15:47,040 --> 00:15:49,600
it tells us right over here that L LSA
412
00:15:49,600 --> 00:15:52,120
protection is not enabled we'll get to
413
00:15:52,120 --> 00:15:54,319
uh why that is important and then of
414
00:15:54,319 --> 00:15:56,880
course credential guard is not enabled
415
00:15:56,880 --> 00:15:59,160
um we don't have uh it looks like we
416
00:15:59,160 --> 00:16:01,839
have cached creds uh which tells us
417
00:16:01,839 --> 00:16:04,000
right via cached log on count is set to
418
00:16:04,000 --> 00:16:06,600
10 right so uh credentials will be
419
00:16:06,600 --> 00:16:08,800
cashed in the registry and accessible by
420
00:16:08,800 --> 00:16:10,720
the system user so we'll only be able to
421
00:16:10,720 --> 00:16:13,360
access credentials um you know once
422
00:16:13,360 --> 00:16:15,440
we've elevated our privileges no
423
00:16:15,440 --> 00:16:17,880
antivirus was detected so it tells us
424
00:16:17,880 --> 00:16:19,639
that Windows Defender has been disabled
425
00:16:19,639 --> 00:16:21,720
in this case it makes sense because we
426
00:16:21,720 --> 00:16:23,959
were able to execute the poell code
427
00:16:23,959 --> 00:16:26,440
natively without encoding it right uh
428
00:16:26,440 --> 00:16:29,160
user access control status or UA C
429
00:16:29,160 --> 00:16:31,079
status it tells us that any local
430
00:16:31,079 --> 00:16:33,279
account can be used for lateral movement
431
00:16:33,279 --> 00:16:35,000
so we can pretty much Elevate our
432
00:16:35,000 --> 00:16:36,759
privileges directly if we were to try
433
00:16:36,759 --> 00:16:39,440
that right now uh via UAC and I'll cover
434
00:16:39,440 --> 00:16:42,160
that as well um but that's very very
435
00:16:42,160 --> 00:16:43,880
important right because that's one of
436
00:16:43,880 --> 00:16:45,519
the most common Windows privilege
437
00:16:45,519 --> 00:16:47,680
escalation vectors that you typically
438
00:16:47,680 --> 00:16:50,680
utilize is trying to bypass UAC and of
439
00:16:50,680 --> 00:16:52,639
course there's various techniques or
440
00:16:52,639 --> 00:16:54,279
Metasploit modules that can be used to
441
00:16:54,279 --> 00:16:57,839
do that um let's take a look at some of
442
00:16:57,839 --> 00:16:59,880
the other options here that I can
443
00:16:59,880 --> 00:17:01,759
actually go through so let's take a look
444
00:17:01,759 --> 00:17:04,160
at an example check here if we are
445
00:17:04,160 --> 00:17:07,199
trying to look for maybe um let's see uh
446
00:17:07,199 --> 00:17:09,160
insecure service permissions let's see
447
00:17:09,160 --> 00:17:11,079
if we can find information pertinent to
448
00:17:11,079 --> 00:17:14,360
that so again this is just the system uh
449
00:17:14,360 --> 00:17:18,000
configuration there um user information
450
00:17:18,000 --> 00:17:20,400
which we enumerated uh there we are and
451
00:17:20,400 --> 00:17:22,199
then of course the home folders there
452
00:17:22,199 --> 00:17:23,439
RDP
453
00:17:23,439 --> 00:17:26,120
sessions uh the password policy will
454
00:17:26,120 --> 00:17:27,799
tell you the minimum password the
455
00:17:27,799 --> 00:17:30,360
minimum and maximum password age the
456
00:17:30,360 --> 00:17:32,600
minimum and maximum password length or
457
00:17:32,600 --> 00:17:34,640
rather the minimum password length which
458
00:17:34,640 --> 00:17:37,600
again can be used to get an idea of uh
459
00:17:37,600 --> 00:17:39,520
you know of the length of the password
460
00:17:39,520 --> 00:17:42,039
if you're performing password cracking
461
00:17:42,039 --> 00:17:45,160
uh the print log on Services interesting
462
00:17:45,160 --> 00:17:47,440
processes right uh so right over here
463
00:17:47,440 --> 00:17:50,200
you can see that it identifies WinPEAS as
464
00:17:50,200 --> 00:17:52,039
an interesting process that we can
465
00:17:52,039 --> 00:17:55,039
essentially perform DLL hijacking although
466
00:17:55,039 --> 00:17:57,559
in this case that's really not relevant
467
00:17:57,559 --> 00:17:59,280
um let's see if we can find there we are
468
00:17:59,280 --> 00:18:02,039
so Services information uh we're looking
469
00:18:02,039 --> 00:18:04,480
for insecure service permissions there
470
00:18:04,480 --> 00:18:07,400
we are so this is where you'll identify
471
00:18:07,400 --> 00:18:09,960
the weak uh service permission so for
472
00:18:09,960 --> 00:18:12,520
example the file uh the file permission
473
00:18:12,520 --> 00:18:14,240
service which is a vulnerable service
474
00:18:14,240 --> 00:18:16,200
that has been set up to demonstrate this
475
00:18:16,200 --> 00:18:18,280
vulnerability you can see that this
476
00:18:18,280 --> 00:18:19,799
particular service it gives you the
477
00:18:19,799 --> 00:18:23,159
actual path to the exe or the service
478
00:18:23,159 --> 00:18:25,720
the current status is stopped and we can
479
00:18:25,720 --> 00:18:27,559
start or stop it because the file
480
00:18:27,559 --> 00:18:29,640
permissions are set to everyone so any
481
00:18:29,640 --> 00:18:31,799
user on the system can access that
482
00:18:31,799 --> 00:18:34,320
service or interact uh with the service
483
00:18:34,320 --> 00:18:36,080
and we'll ex we'll actually explore that
484
00:18:36,080 --> 00:18:38,919
for unquoted service paths or the Y
485
00:18:38,919 --> 00:18:40,280
there we are that's the vulnerability
486
00:18:40,280 --> 00:18:42,440
there you can see we have the AWS Lite
487
00:18:42,440 --> 00:18:44,880
agent there so no quotes or spaces
488
00:18:44,880 --> 00:18:47,880
detected there and we can possibly uh
489
00:18:47,880 --> 00:18:49,480
exploit that and of course we have the
490
00:18:49,480 --> 00:18:52,440
actual unquoted Service uh uh the actual
491
00:18:52,440 --> 00:18:54,799
unquoted service here that uh we will be
492
00:18:54,799 --> 00:18:57,480
exploiting so no quotes or spaces
493
00:18:57,480 --> 00:18:59,679
detected all right
494
00:18:59,679 --> 00:19:02,360
so um of course this is um this will
495
00:19:02,360 --> 00:19:04,520
tell you whether you can modify uh any
496
00:19:04,520 --> 00:19:06,240
service or registry and in this case you
497
00:19:06,240 --> 00:19:08,159
can see that we can essentially modify
498
00:19:08,159 --> 00:19:10,559
the registry Service uh which again has
499
00:19:10,559 --> 00:19:13,000
been set up to demonstrate this dll
500
00:19:13,000 --> 00:19:15,240
hijacking that's uh the WinPEAS
501
00:19:15,240 --> 00:19:17,400
directory so that's really not relevant
502
00:19:17,400 --> 00:19:20,559
there unquoted service path so there we
503
00:19:20,559 --> 00:19:23,720
are it identifies that uh as well there
504
00:19:23,720 --> 00:19:25,400
and then of course we have an auto run
505
00:19:25,400 --> 00:19:27,919
program there uh so on and so forth so
506
00:19:27,919 --> 00:19:29,440
you can see already with WinPEAS
507
00:19:29,440 --> 00:19:31,080
we've been able to identify the
508
00:19:31,080 --> 00:19:33,520
actual services that we can exploit uh
509
00:19:33,520 --> 00:19:35,480
in the case of uh you know the unquoted
510
00:19:35,480 --> 00:19:37,960
service path as well as insecure service
511
00:19:37,960 --> 00:19:40,039
permissions as well as the weak registry
512
00:19:40,039 --> 00:19:41,919
permissions and then of course you can
513
00:19:41,919 --> 00:19:44,440
go through it and uh you know enumerate
514
00:19:44,440 --> 00:19:47,000
as much information as possible uh
515
00:19:47,000 --> 00:19:48,480
regarding the type of privilege
516
00:19:48,480 --> 00:19:51,559
escalation uh Vector you you want to use
517
00:19:51,559 --> 00:19:54,039
right so this this is all path injection
518
00:19:54,039 --> 00:19:56,559
so on and so forth let's uh scroll right
519
00:19:56,559 --> 00:19:59,200
over here so it looks like we have
520
00:19:59,200 --> 00:20:01,720
unquoted um and space detected there
521
00:20:01,720 --> 00:20:03,720
that doesn't look like it's
522
00:20:03,720 --> 00:20:07,200
vulnerable and uh let's just scroll here
523
00:20:07,200 --> 00:20:08,760
there we are we have the scheduled
524
00:20:08,760 --> 00:20:11,480
applications here so this is uh this
525
00:20:11,480 --> 00:20:13,240
will essentially check if you can modify
526
00:20:13,240 --> 00:20:16,080
other users scheduled binaries so uh
527
00:20:16,080 --> 00:20:20,039
there we are it looks like this is uh s
528
00:20:20,039 --> 00:20:23,080
save credentials dot bat and uh we can
529
00:20:23,080 --> 00:20:25,159
perform some DLL hijacking there although
530
00:20:25,159 --> 00:20:28,280
that's not really important to us uh the
531
00:20:28,280 --> 00:20:30,840
other information here uh that I was
532
00:20:30,840 --> 00:20:32,400
trying to highlight because that's quite
533
00:20:32,400 --> 00:20:35,080
important there we are right so uh right
534
00:20:35,080 --> 00:20:37,080
over here this will look for Kerberos tickets
535
00:20:37,080 --> 00:20:40,120
if you are on a an active directory
536
00:20:40,120 --> 00:20:42,960
environment and uh it'll then tell you
537
00:20:42,960 --> 00:20:44,840
the actual Security package credential
538
00:20:44,840 --> 00:20:46,200
so it's you can see it's telling us that
539
00:20:46,200 --> 00:20:49,720
we're using NetNTLM version two so keep
540
00:20:49,720 --> 00:20:51,280
that in mind if you're trying to perform
541
00:20:51,280 --> 00:20:53,600
password cracking now it's already given
542
00:20:53,600 --> 00:20:56,159
us our hash here so we can use these
543
00:20:56,159 --> 00:20:58,360
hashes in different ways and we'll also
544
00:20:58,360 --> 00:21:00,200
be exploring how to perform the pass-the-hash
545
00:21:00,200 --> 00:21:02,120
attack which I've explored
546
00:21:02,120 --> 00:21:04,039
previously uh so you really don't need
547
00:21:04,039 --> 00:21:05,880
to crack credentials unless it's
548
00:21:05,880 --> 00:21:08,840
necessary uh but we get uh you know
549
00:21:08,840 --> 00:21:10,640
passwords or credentials from other
550
00:21:10,640 --> 00:21:12,400
services or applications and in this
551
00:21:12,400 --> 00:21:14,799
case you can see that we get a PuTTY
552
00:21:14,799 --> 00:21:17,480
session and we get the proxy username
553
00:21:17,480 --> 00:21:19,520
and proxy password so we've been able to
554
00:21:19,520 --> 00:21:21,400
gather information there Cloud
555
00:21:21,400 --> 00:21:23,400
credentials nothing there unattended
556
00:21:23,400 --> 00:21:25,960
files we have the unattended XML file
557
00:21:25,960 --> 00:21:28,559
which can possibly contain uh the
558
00:21:28,559 --> 00:21:31,520
Windows administrator credentials if uh
559
00:21:31,520 --> 00:21:33,799
the file has not been uh redacted but in
560
00:21:33,799 --> 00:21:36,279
this case we get the administrator uh it
561
00:21:36,279 --> 00:21:38,159
looks like the password there and this
562
00:21:38,159 --> 00:21:40,159
is of course for the you uh for the
563
00:21:40,159 --> 00:21:42,720
admin user so we can possibly try and
564
00:21:42,720 --> 00:21:44,440
authenticate because we've already got
565
00:21:44,440 --> 00:21:47,120
the credentials uh so let's actually try
566
00:21:47,120 --> 00:21:49,480
that now uh do I need to log out or can
567
00:21:49,480 --> 00:21:52,440
I just switch my current session there
568
00:21:52,440 --> 00:21:55,679
um yeah so I'm just going to sign out of
569
00:21:55,679 --> 00:21:58,840
that um and we'll give that a couple of
570
00:21:58,840 --> 00:22:01,240
seconds there and uh let me see if I can
571
00:22:01,240 --> 00:22:03,520
copy that I'm pretty sure that has been
572
00:22:03,520 --> 00:22:06,200
base64 encoded but you can pretty
573
00:22:06,200 --> 00:22:08,760
much log in uh let's see if we can log
574
00:22:08,760 --> 00:22:11,279
in like so
575
00:22:11,279 --> 00:22:14,159
um yeah let's just sign out anyway we'll
576
00:22:14,159 --> 00:22:16,679
I think we might lose
577
00:22:16,679 --> 00:22:19,279
our we might lose our Meterpreter
578
00:22:19,279 --> 00:22:21,679
session but that's fine uh we can try
579
00:22:21,679 --> 00:22:23,960
the admin or administrator I think
580
00:22:23,960 --> 00:22:26,440
that's the correct user
581
00:22:26,440 --> 00:22:28,679
administrator and we can paste it in
582
00:22:28,679 --> 00:22:30,039
there if this doesn't work then we can
583
00:22:30,039 --> 00:22:32,200
try and base you can try and decode it
584
00:22:32,200 --> 00:22:33,520
so I'll hit
585
00:22:33,520 --> 00:22:36,960
enter um looks like y it looks like
586
00:22:36,960 --> 00:22:39,720
there's an issue with the
587
00:22:39,720 --> 00:22:42,720
authentication um so what we can do is
588
00:22:42,720 --> 00:22:44,880
let's try and base let's try and decode
589
00:22:44,880 --> 00:22:46,600
it so I'm just going to create a file
590
00:22:46,600 --> 00:22:49,120
here called hash and I'll paste in the
591
00:22:49,120 --> 00:22:51,200
hash there and we can then decode it
592
00:22:51,200 --> 00:22:54,880
using the base64 utility so base64
593
00:22:54,880 --> 00:22:57,480
decode hash and it looks like the
594
00:22:57,480 --> 00:22:59,880
password is password one two three
595
00:22:59,880 --> 00:23:02,440
right so uh let's just take a note of
596
00:23:02,440 --> 00:23:07,000
that um there we are and uh we you can
597
00:23:07,000 --> 00:23:09,600
also utilize other tools if you want um
598
00:23:09,600 --> 00:23:11,600
so I'm just going to log in Via RDP
599
00:23:11,600 --> 00:23:14,720
again uh let me just go back in here and
600
00:23:14,720 --> 00:23:17,919
let me just copy the command there and
601
00:23:17,919 --> 00:23:19,679
uh we can then log in as administrator
602
00:23:19,679 --> 00:23:21,120
and let's see whether that actually
603
00:23:21,120 --> 00:23:23,919
works because we pretty much uh have you
604
00:23:23,919 --> 00:23:27,400
know evaded any of this here so 1 2 3
605
00:23:27,400 --> 00:23:29,840
and we'll change that to administrator
606
00:23:29,840 --> 00:23:31,960
but of course we're not going to rely on
607
00:23:31,960 --> 00:23:34,520
this because the unattended file uh I'll
608
00:23:34,520 --> 00:23:35,960
I'll get to that in a second and what
609
00:23:35,960 --> 00:23:37,720
it's used
610
00:23:37,720 --> 00:23:40,720
for um it looks like we have an issue
611
00:23:40,720 --> 00:23:45,039
there um let me just try and add
612
00:23:45,039 --> 00:23:49,200
uh sorry trying it enter was that part
613
00:23:49,200 --> 00:23:51,520
of the password uh yeah so I think what
614
00:23:51,520 --> 00:23:54,240
I'll do we can also try the admin user
615
00:23:54,240 --> 00:23:56,720
uh because it's not specified what user
616
00:23:56,720 --> 00:23:59,240
within the unattended files
617
00:23:59,240 --> 00:24:01,600
uh is uh you know the user account for
618
00:24:01,600 --> 00:24:03,159
this particular password but we can
619
00:24:03,159 --> 00:24:04,760
check it it looks like it's the admin
620
00:24:04,760 --> 00:24:07,080
user so there we are we're able to log
621
00:24:07,080 --> 00:24:09,559
on as the admin user and we should have
622
00:24:09,559 --> 00:24:12,200
elevated our privileges right so again
623
00:24:12,200 --> 00:24:14,440
as I said WinPEAS is an extremely powerful
624
00:24:14,440 --> 00:24:15,960
tool and that's really what I'm trying
625
00:24:15,960 --> 00:24:18,279
to demonstrate here uh this is one of
626
00:24:18,279 --> 00:24:20,320
the vectors that you can utilize and we
627
00:24:20,320 --> 00:24:21,960
pretty much explored it I believe it's
628
00:24:21,960 --> 00:24:24,520
covered uh somewhere here it may have
629
00:24:24,520 --> 00:24:26,120
been covered although I'm not really
630
00:24:26,120 --> 00:24:28,159
sure but there we are you can utilize
631
00:24:28,159 --> 00:24:29,320
that and that's something that I've
632
00:24:29,320 --> 00:24:31,279
covered in my book so you can actually
633
00:24:31,279 --> 00:24:33,640
learn more about that right so uh the
634
00:24:33,640 --> 00:24:35,360
unattended file if you're not familiar
635
00:24:35,360 --> 00:24:37,679
with it is a configuration file that's
636
00:24:37,679 --> 00:24:39,919
created to uh you know it's essentially
637
00:24:39,919 --> 00:24:42,279
created when you're Mass installing uh
638
00:24:42,279 --> 00:24:44,559
Windows systems uh you know uh on a
639
00:24:44,559 --> 00:24:46,840
network so let's say you've been tasked
640
00:24:46,840 --> 00:24:48,559
uh to actually install uh you know
641
00:24:48,559 --> 00:24:51,760
windows on more than five systems uh you
642
00:24:51,760 --> 00:24:53,600
can automate the account creation
643
00:24:53,600 --> 00:24:55,640
process through the unattended uh
644
00:24:55,640 --> 00:24:57,559
configuration file where you can specify
645
00:24:57,559 --> 00:24:59,960
the administrative credentials and any
646
00:24:59,960 --> 00:25:02,240
other you know operating system specific
647
00:25:02,240 --> 00:25:04,640
configurations that you want set up
648
00:25:04,640 --> 00:25:07,399
during the installation process so again
649
00:25:07,399 --> 00:25:08,840
sometimes it's not cleaned up by
650
00:25:08,840 --> 00:25:11,360
administrators so if it's not cleaned up
651
00:25:11,360 --> 00:25:13,200
you can get the admin credentials from
652
00:25:13,200 --> 00:25:14,640
there and you don't have to go through
653
00:25:14,640 --> 00:25:16,840
the process of elevating your privileges
654
00:25:16,840 --> 00:25:18,880
manually and of course our Meterpreter
655
00:25:18,880 --> 00:25:21,600
session uh right over there died uh
656
00:25:21,600 --> 00:25:23,799
because we you know we signed out so we
657
00:25:23,799 --> 00:25:25,760
didn't set up persistence so we can just
658
00:25:25,760 --> 00:25:28,520
terminate that there and we list out our
659
00:25:28,520 --> 00:25:30,559
sessions uh I think we've lost all our
660
00:25:30,559 --> 00:25:33,320
sessions do we have um there we are
661
00:25:33,320 --> 00:25:36,080
there we are okay so what we can do is
662
00:25:36,080 --> 00:25:39,840
generate a new um it looks like that job
663
00:25:39,840 --> 00:25:40,799
is still
664
00:25:40,799 --> 00:25:45,080
running uh yeah so jobs kill and we can
665
00:25:45,080 --> 00:25:46,840
then hit exploit again generate the
666
00:25:46,840 --> 00:25:48,520
PowerShell code execute it with the
667
00:25:48,520 --> 00:25:50,440
admin user and we'll then get a
668
00:25:50,440 --> 00:25:52,600
meterpreter session with administrative
669
00:25:52,600 --> 00:25:55,080
privileges all right so I think I've
670
00:25:55,080 --> 00:25:57,320
covered how to use WinPEAS as I said
671
00:25:57,320 --> 00:25:59,440
you can take a look at the help menu if
672
00:25:59,440 --> 00:26:01,600
you're looking for specific sets of
673
00:26:01,600 --> 00:26:03,840
information uh but I would recommend you
674
00:26:03,840 --> 00:26:06,000
know running it at least um at least
675
00:26:06,000 --> 00:26:07,880
once uh running it by the default
676
00:26:07,880 --> 00:26:09,760
configuration at least once and then
677
00:26:09,760 --> 00:26:11,720
going through all the information step
678
00:26:11,720 --> 00:26:13,240
by step because you really don't want to
679
00:26:13,240 --> 00:26:15,520
miss out anything there all right so now
680
00:26:15,520 --> 00:26:17,200
that we've taken a look at how to
681
00:26:17,200 --> 00:26:19,440
identify these vulnerabilities these
682
00:26:19,440 --> 00:26:22,039
privilege escalation uh vulnerabilities
683
00:26:22,039 --> 00:26:24,039
in the next set of uh set of videos will
684
00:26:24,039 --> 00:26:26,120
be exploring these privilege escalation
685
00:26:26,120 --> 00:26:28,559
attack vectors and taking a look at they
686
00:26:28,559 --> 00:26:30,600
can be exploited in order to elevate our
687
00:26:30,600 --> 00:26:32,919
privileges uh we've already explored one
688
00:26:32,919 --> 00:26:34,760
of them but I didn't want to get into
689
00:26:34,760 --> 00:26:36,320
that but I just wanted to show you how
690
00:26:36,320 --> 00:26:39,919
powerful uh this tool is um all right so
691
00:26:39,919 --> 00:26:41,520
that's going to be it as I said uh the
692
00:26:41,520 --> 00:26:43,440
Log4Shell video will be coming out
693
00:26:43,440 --> 00:26:45,000
so stay tuned for that it's going to be
694
00:26:45,000 --> 00:26:46,480
an in-depth video that covers
695
00:26:46,480 --> 00:26:49,399
exploitation as well as patching uh and
696
00:26:49,399 --> 00:26:50,960
yeah we'll be taking a look at that as
697
00:26:50,960 --> 00:26:52,760
well let me know what you guys think in
698
00:26:52,760 --> 00:26:54,120
the comment section if you want to reach
699
00:26:54,120 --> 00:26:56,039
out to me you can do so on our Discord
700
00:26:56,039 --> 00:26:57,960
server uh the link to that is in the
701
00:26:57,960 --> 00:26:59,279
description section or you
702
00:26:59,279 --> 00:27:02,200
can contact me directly via Twitter and
703
00:27:02,200 --> 00:27:03,799
yeah thank you very much for watching
704
00:27:03,799 --> 00:27:07,840
and I'll be seeing you guys in the next
705
00:27:07,840 --> 00:27:10,640
video a huge thank you to all of our
706
00:27:10,640 --> 00:27:12,480
patreons your support is greatly
707
00:27:12,480 --> 00:27:14,240
appreciated and this is a formal thank
708
00:27:14,240 --> 00:27:16,720
you so thank you Shamir Douglas Ryan car
709
00:27:16,720 --> 00:27:19,919
sandor Michael Busby sidab doozy deim
710
00:27:19,919 --> 00:27:22,360
Bari Dustin umpr and Michael Hubbard
711
00:27:22,360 --> 00:27:24,279
your support is greatly appreciated and
712
00:27:24,279 --> 00:27:26,200
you keep us making even more high
713
00:27:26,200 --> 00:27:28,440
quality content for you guys so thank
714
00:27:28,440 --> 00:27:31,440
you
715
00:27:34,080 --> 00:27:37,180
[Music]