Time
14 hours 43 minutes
Difficulty
Advanced
CEU/CPE
15

Video Transcription

00:00
Hello, everybody. Welcome to episode number 39 of the Privilege Escalation series for Windows operating systems. My name is Alejandro Guinea and I'll be your instructor for today's session.
00:12
The learning objectives of this session are to understand the concepts behind this technique and to apply and execute the commands to gather information so we can actually escalate privileges in Windows operating systems. So let's get down to business, shall we?
00:28
Let me just grab... well, we will not be using that window, the Kali command line. I will be using Windows directly, but we'll use the shell just so
00:39
you can see another window that is not Kali, once again,
00:44
and just maybe put this in a bigger position. And that's it.
00:49
So, yeah. First, you know,
00:54
the starting point of this, you know, of gathering information for Windows, is obviously the same as for Linux in the previous modules and sessions. You already have a low-privilege shell or terminal. There's actually, you know, a connection back from there
01:14
to your attacking machine, and you can actually connect to the
01:17
victim's machine. So, initially we'll want to quickly gather some essential information so we can get, you know,
01:25
the footprint of the operating system you're in and, you know, assess the situation and see what's the best path to put forward. Remember that it is super easy to go down the rabbit hole
01:37
with the information you may gather. So what I'm trying to do with all these videos is to give you all the information and all the commands and all the ideas you can think of
01:46
so you can first gather as much information as possible. It's just like the initial steps we performed in previous videos, like gathering all the information, port scanning, everything. This is the same: gathering as much information as you can from the victim's system
02:02
so you can actually put it together and see what's the best path, and maybe combine two different pieces of information from two different systems or two different, you know,
02:10
techniques, and actually escalate privileges successfully. So first, let's find out what operating system you're connected to. I mean, maybe you already know that, but, you know, always dumping this information is really useful, so you can actually go to the
02:29
systeminfo command
02:31
and, you know, load hotfixes and everything. It will give you all the information on this operating system. As you can see, it will also give you the hotfixes that are actually installed. I will show you more commands to actually tailor all this output. But maybe you want something specific. Like, for example, maybe
02:51
systeminfo, the same command,
02:53
but you actually want to, you know,
02:55
findstr
02:59
and then
03:00
forward slash B
03:01
forward slash C, for "OS"... let's see.
03:06
And, you know, maybe we want to get the operating system name, for example. Or maybe also, we will also want to check... I don't know, let me see. Like, something like,
03:17
maybe the OS version
03:20
so we can see it in the output. Something like that. OK.
03:23
And again we wait for the output and, yeah, we get the information we were looking for. So this is kind of, you know, maybe with this information, remember our old trusted database for exploits, which is Exploit-DB,
03:40
you could just simply copy that, you know, the OS version specifically,
03:45
and see if there's, you know, a privilege escalation exploit for that operating system or that kernel version specifically. Maybe it's as simple as that, maybe just downloading that exploit and actually just, you know,
04:00
getting information from that, or actually escalating privileges directly from that exploit, will be good. And, you know, you can start your privilege escalation process in that way.
04:15
Let me give you another idea. For example, if you want to see the host's name, you know, maybe that could be something useful, like hostname,
04:28
and, you know, simple as that. Maybe you're already performing lateral movement or vertical movement, and you saw that name that was actually communicating with another machine, maybe through a cron job or something like that.
04:43
So maybe you really know that this machine is actually connecting to a web server
04:47
or something like that. Or these users are actually performing, I don't know, queries to a database. You can actually go to the other compromised machines and actually start a listener and, you know, wait for this connection or something like that. I don't know, I'm just giving you ideas so you can think of something like that. And you can actually use the whoami
05:09
command, and it will list the user you're actually connected as and, you know, it will print the user. You may have seen, you know, that the whoami command is not available in some Windows operating systems, like the older ones. If I go to my Windows XP machine, the one we use in other videos,
05:28
if I type that command, it will not work. So maybe you could do something different,
05:32
like echo the output of
05:35
the
05:36
username variable
05:40
and, you know, close that one out, and it will give you the same output.
05:46
So,
05:47
now that we have this basic information, we can list other user accounts on this machine and view our own user's information, you know, a bit more in detail. Maybe we can already see that, you know, the Alejandro Guinea user,
06:03
you know, maybe it's part of the administrators group, which would be ideal, which in this case it is. You know,
06:10
I'm just giving you ideas. That's it. For example, net users
06:15
and, you know, Administrator, which is what I am right now, for example Guest, and something like that. And maybe when I want to list something specific, like
06:24
net users, just,
06:29
put the user here
06:30
and, you know, see more information about this specific user.
06:34
You get the idea. You can list everything from that user.
06:40
Another command, or another thing that, you know... well, no, we need to know about the user information for the moment. Maybe
06:49
next we want to list the networking that is in this machine. I mean, what's connected to this machine and what rules does it, you know, impose on those connections. So first, let's have a look at the, you know, available network interfaces and routing table. Like
07:09
the famous ipconfig.
07:11
You know, some basic information. We can therefore use slash all,
07:15
I think. Also, dash will work. Yeah, and it will give you more information than the simple ipconfig command will do.
07:27
Another thing that you can actually list in there is the routing table. You can just type route
07:32
and then print
07:34
and it will give you the routing table. As you can see, this is really useful information. Again, maybe you already saw the machine name connecting to another machine that you already compromised. This will help you to actually double-check that, or maybe see that it is actually connecting to another machine that you didn't have an idea of, or something like that. I mean,
07:53
you get the point. Or maybe you already compromised this machine, and while you're doing it, you're actually
07:58
trying to perform lateral movement or vertical movement, and you can use this technique as well to give you all this information. And you can also check the ARP, that is the Address Resolution Protocol, cache, for example, the table for all the available interfaces. And this is a simple command as well.
08:18
Just arp,
08:20
dash a,
08:20
and it will list all this useful information. Maybe you want to perform ARP poisoning, or an ARP poisoning attack, which is basically telling the router or the switch or whatever, you know, network device is in between,
08:37
telling it that you actually have that MAC address specifically. So any packet that will come to that router or, you know, switch or whatever,
08:46
you know, layer-two devices in the network, whatever comes that way, it will send to my IP, or send it to me, because I have that MAC address, and that would be like maybe trying to perform a man-in-the-middle attack or something like that. It will help you with that.
09:05
You know, that brings us to the active network connections and firewall rules, which are, as always, the netstat command
09:15
and dash a n o b,
09:20
for example. It will give you all this information. With the b, for example,
09:24
we will get this information, you know, just listing the active connections. For example, we can use netsh. You know, the following two netsh commands I will show you are examples of commands. They're not, you know, universal across every operating system. Maybe on some older systems they are different.
09:43
The firewalls may have a different configuration, or the operating system might have deprecated the command. For example,
09:52
in all versions of Windows, for example, you can just type netsh firewall
09:58
and show state.
10:05
netsh... oh, net... netsh firewall. And it will give you some information about the firewall. But, you know, it will tell you that this is deprecated. So you can just type netsh
10:20
and then go to advfirewall, or a-d-v
10:26
firewall. Well, not necessarily "advanced", but, you know, a-d-v firewall, and then firewall.
10:33
And it will give you the information you're looking for. You know,
10:37
maybe, you know, display,
10:41
display all the options,
10:43
display all the commands,
10:46
firewall, for example. Something like that.
10:48
And it will give you a list of the, you know...
10:54
So,
10:56
but for example, you can also type
10:58
netsh
11:01
firewall show config.
11:03
And it will give you more information about that.
11:07
Um,
11:09
you know, you can get all this from the firewall. Maybe you are, you know, an administrator user, but you want to escalate to the domain controller user or something like that. You can actually change firewall settings or something. You can do it through this command as well.
11:26
And finally, I will take a brief look at what is running
11:31
on this compromised machine. For example, scheduled tasks, cron jobs, running processes, services, installed drivers, and something like that. For example, let me just type this command.
11:45
This will check, will display, you know, the output of all scheduled tasks. You know, let me just type it so you can see it out here. So s-c-h... I'm sorry, schtasks
12:00
query.
12:07
What did I do wrong?
12:09
s-c-h, a-s... s-c-h
12:13
tasks. Oh, I forgot this
12:16
s at the end. Sorry. And as you can see, we have a pretty good deal of information here. Maybe you're looking for something specific. You can always try to grep it, like, kind of the grep command in Linux. You can use findstr
12:33
in Windows, and you can see there's a lot of information in there. Next you can actually use the command tasklist to see the running processes again. OK. Finally, it didn't...
12:48
You can actually check,
12:50
with the, I'm sorry,
12:52
tasklist
12:56
command, check again all the running processes,
13:01
and, you know, we have a good deal of processes as well. I recall some time getting nowhere in the privilege escalation process, and I saw an antivirus software running as a process. I don't remember the name of the antivirus, though.
13:18
But it was running in there, you know. The last thing I thought was that this software would help me
13:24
to escalate privileges. Well, it turns out that the antivirus had a privilege escalation vulnerability, and I actually used that vulnerability to escalate through it. So don't discard any service or software running on the computer. You have to
13:41
make your investigation. And I know this sounds like a lot of work, because it is.
13:46
You will have to, you know, maybe check the service, what version of the service is actually running, or, you know, what version of this process or application is running, and you will have to actually search for privilege escalation exploits as well. Next, just like another thing that you could do is just
14:05
net start,
14:07
and it will give you more information on the processes and services running on this machine.
14:13
For example, you can also, you know,
14:18
use driverquery for third-party drivers, even by, you know, companies that actually have a reputation of being secure. Again, I used an antivirus software to actually escalate privileges. So again, take a closer look at all the services and applications and processes running on the machine,
14:35
for example.
14:39
You know, let me just give you the command
14:41
driverquery,
14:43
and again, it will give you a lot of information. Again, don't discard anything. Like, for example, if you see, for example, a virtual WiFi filter... I don't know, a virtual machine bus. You can even actually use the hypervisor.
15:01
You know, the one that is controlling the virtualization of your machine.
15:05
You can actually use that as well, as you can imagine. I'm using Parallels to virtualize my machines, but, you know, maybe you're using VirtualBox or
15:15
VMware
15:16
or something like that. I can assure you, yeah, if I go to... those are always useful.
15:22
Let me just
15:24
grab this here
15:26
and let me just start here again. If I go to Exploit-DB and I go to something like VMware or something like that,
15:37
we will find a good deal of information and exploits here, or Parallels, or VirtualBox, you know,
15:46
you'll find something. Parallels Remote Application Server, VirtualBox... virtual machine escape. OK, you can see that. I mean, you can jump from the host to the... I'm sorry, from the guest to the host machine. I mean, yeah, you can maybe compromise the server
16:03
that is virtualized, but you can jump to the host
16:06
machine or server and maybe compromise the rest of the virtualized farm, the server farm that they're holding in that machine. So that's a really good deal for you.
16:18
So that's the point. Don't discard any software, any process, any service running. You have to do your homework and, you know, apply the techniques that we saw in the previous
16:32
modules for Linux, which again you have to apply. Maybe they're obviously not the same commands,
16:38
but they are definitely the same idea, so you can actually get information from this machine.
16:45
What is achieved by the command systeminfo? Well, as the name suggests, it will give you all the information needed for you to, you know, find out more about the operating system you're running on. In this case, Windows, obviously.
17:03
What is achieved with the command schtasks? Well, it will print all the scheduled tasks, the cron jobs you have under the operating system, on the Windows box that you're actually trying to escalate privileges on.
17:18
In this video, we learned the concepts behind this technique, and we implemented and executed some commands to help us escalate privileges. Supplemental materials: Mastering Kali Linux for Advanced Penetration Testing. Yeah, this is the same
17:34
book that we will use for both Linux and Windows. And I believe this post from g0tmi1k, which is mainly focused on Linux privilege escalation, but it has some good pointers for, you know, for these commands, how to order them, and how you can actually
17:55
use them to your privilege escalation advantage.
17:59
And looking forward, in the next video we will cover the Windows Management Instrumentation Command-line tool, you know, also known as WMIC.
18:11
Yeah, I hope... that's it for today, folks. I hope you enjoyed the video and talk to you soon.

Instructed By

Alejandro Guinea
CERT Regional Director
Instructor