Time
14 hours 43 minutes
Difficulty
Advanced
CEU/CPE
15

Video Transcription

00:00
Hello, everybody. Welcome to episode number 40 of the privilege escalation series: Windows Management Instrumentation Command-line.
00:09
My name is Alejandro Guinea and I'll be the instructor for today's session.
00:13
The learning objectives are to understand the concept behind this technique and to apply and execute commands to gather information, so we can actually escalate privileges. So let's get down to business, shall we? First let me just grab my always-cool... well, we will not be using the Kali terminal; we will be using just the previous video's Windows machine right here
00:38
again. This is just to show you a different screen, because we could just connect over SSH to the victim machine. But, you know, just to show you a different screen this time,
00:48
let me first try to give you some background on the Windows Management Instrumentation Command-line, or, you know, WMIC for short. You know, this is perhaps one of Windows' most powerful command-line tools. This tool can be very practical for information gathering on post-exploitation.
01:07
You know, fully explaining the nature, the commands and the functionality of the WMIC tool would take a full, you know, Cybrary course on its own. I will try to give you the basics so you can actually, you know, get the idea of what you can achieve with this tool. And maybe after that you can just Google the commands to, you know, get more detailed information for your privilege escalation process.
01:37
Unfortunately, some default configurations of Windows do not allow access to WMIC unless the user is an administrator. It seems that any version of Windows XP does not allow access to the WMIC command from a low-privilege account, or, yeah, a low-privilege shell.
02:00
But, you know, this is not the same from Windows 7 onwards. Um, you know, Windows 8, Windows 10, the one we're using right now, allow users, low-privilege users, to use WMIC to query the operating system without modifying any settings. I guess this is because, remember, there was a change in how the access control model worked between Windows XP and Windows Vista. Remember that old applications were failing because some of them were not able to run properly, because they needed administrative privileges, which you were unable to give an application. That is it.
02:42
When the change was made between Windows XP and then Windows Vista, it actually changed from a discretionary access control model to a mandatory access control model. There are two access control models, but, you know, this is not part of this course, so maybe if you have any doubt about that, you can Google those models and you will see what I'm talking about. But yeah,
03:07
this is true for, again, we will be using the WMIC command on Windows 10. Obviously I'm a privileged user, but, you know, um, you can execute the same command as a low-privilege user.
03:21
To give you an idea of how extensive this tool is, or, you know, all the options you have to run this command, let me just type here: wmic /?
03:32
And this will give you a good idea. Press Enter to continue, Escape to stop. You know, more options, more options, more options and more options. Do you get the idea? So the next step in our, you know, privilege escalation process is to look for some quick security fails, um, that we can easily, you know, use to upgrade our permissions or escalate privileges. The first and most obvious thing we need to look at is, you know, the patch level. There's no need to worry, you know,
04:10
if we can affect the operating system; we'll just be querying these options. Um, so, you know, let me just,
04:17
for example, check with WMIC what are the installed patches that we have on this operating system. So the command will be wmic gfe get, and we're interested in the Caption field, Description, ah, maybe Hot... nope, sorry, HotFixID, InstalledOn, something like that. Oops, sorry about that, it's qfe. Sorry, sorry, sorry, sorry, sorry. Let me go back, and apologies once again.
05:00
And, you know, this will give us a good idea of what is installed. Once... remember the command we saw in the previous video? Well, this is more detail, or this is just to get that specific detail. I want you to see, for example, sysinfo... oops, sorry, systeminfo, and this will dump kind of the same thing, but, you know, maybe not as detailed as we'd like, actually, compared to the WMIC command, which would give us more information about it. It will give us the link, and, as you can imagine, you can look at more fields here or more flags to see more information, as you wish.
05:43
As always with Windows, that output isn't exactly ready to use. The best way is to look for privilege escalation exploits and, look, you know, maybe they have a specific KB number. Like, for example, we already know that this thing is installed, so maybe we can see if there's an exploit that was used before this installation, or even leverage this installation to escalate privileges. You can find out if the machine, for example, with this command, if the machine is actually vulnerable to the famous EternalBlue, the one we were using on the Windows XP machine. Um,
06:21
after, I mean, after getting all this information from the operating system, you can, you know, maybe find out, grep, see what patches are actually installed, specific patches. Like, for example, if you already know about patches that took place and you saw a specific patch that was, you know, maybe telling you that you were able to escalate privileges, you can just find... you can use the same command, just replace the command and use the findstr command, which is the Windows version of the find string.
07:00
You may be, like, filtering. So filter this by, I don't know, KB number, something like that, and write a number. Like, for example, let me just copy-paste this one right here and just paste it in. Let me see... okay, it is installed. And, for example, if I just make up a number, I don't know, one two three, for example. Oops. One two three, um, and it's not installed, it will not return any information. So let's assume that, viewing the patches, you realize that this was a really big fix for you, or for the operating system, for the Windows operating system.
07:44
Maybe you can actually use this query to see if the patch is installed. If it's not installed, jackpot. You get your exploit to actually escalate privileges. Now we can search for configuration files used to automatically or manually install updates. These configuration files contain a lot of sensitive information, such as the operating system product key and the administrator password.
08:11
But what we're most interested in is the admin password. We can use that to, you know, obviously, escalate privileges. So typically there are some directories that contain configuration files. Um,
08:26
you know, however, it's always a good idea, as I told you in all the previous videos, that you enumerate the operating system, gathering as much information as possible from the operating system. So just checking these, maybe these, um, locations is not a good idea. Uh, so let me just give you, for example, some locations here so you can actually take a look.
08:52
I would just go to my Kali machine so you can actually see what I'm talking about. Let me just bring it up here so you can go to these locations. These locations are not necessarily in place. For example, in my Windows 10 machine they are not in place, but I can assure you it's worth looking if they're present in your operating system, or the operating system of your victim. So just, you know, be aware of that. So then again, you should check the entire operating system so you can see if there's more information in that
09:35
area. The next thing we'll look for is, you know, a strange registry setting called AlwaysInstallElevated. Ah, if the setting is enabled, or if it actually exists, sometimes it is not enabled or doesn't exist. Like, for example, I don't have the setting here in the operating system, but it allows users of any privilege to install packages, MSI files, as administrator. It seems like a big security flaw to me, because, you know, you create a low-privilege user in the first place and restrict their use of the operating system.
10:16
But give them the ability to install programs as administrators. That doesn't seem right. Imagine me installing, I don't know, netcat or something like that as administrator and then returning a reverse shell back to me. If you actually find out in your query, in your registry,
10:33
ah, jackpot, you actually found the, you know, the thing that you were looking for. Like, for example, reg query, which basically is just querying the registry, and HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated.
11:13
As you can see, the system was unable to find the specified registry key or value. So I don't have it, you know, installed or in use. Let me,
11:26
let me go here. Yeah, I want to check it out, like, ah, again: HKLM\SOFTWARE\Policies, Windows. Yeah, and you can see that I don't have it anywhere in this place. Like, we're really... um, Windows, Microsoft, Windows Installer, and there's not even an Installer key in here. As you can see, there's no Installer, or registry entry, for that. So I don't have it. But, you know, it's always something you have to check, to see if, you know, you can actually install something as an elevated user. If you can do that, I mean, jackpot again.
12:11
You can easily elevate your privileges. To finish off this session, we'll do something, you know, some quick searching on the operating system, and, you know, maybe hope to just find something useful, or something sensitive that we can use to escalate privileges. Like, you know, for example,
12:33
the command I'm about to type right now will search the file system for file names containing certain keywords. Like, for example, you can use the keyword password, or creds, or credentials, or config, or something like that. Like dir /s *pass*, and I would also like to use the word creds, or something like that, and it will tell me a lot of information. Okay, okay: pass, password, pspasswd, PsPasswd,
13:13
which is located in the Sysinternals directory. We will cover the Sysinternals suite in the next episode, which is a really cool set of applications that we can use.
13:24
For example, search files, or search in files that contain a certain keyword, and, you know, generate a lot of output, or something like that. Like, for example, findstr /i password, and, you know, maybe the .xml files, or something like that. I don't have any file with that description. That's okay. Maybe .ini files, for example? Okay, now .txt, and you get the idea. You can actually... okay, here's one file with passwords, with the word password, a list.
14:01
Uh, you can, you know, use again the same reg query command, you know, to actually look for keywords in the registry. Like, let me give you an example here: reg query, um, the hive key, HKLM /f password /t REG_SZ /s, and it will dump me a lot of information, the ones that contain the keyword password. So maybe you want to search for the one that contains the word, I don't know, whatever word you're looking for; you can actually use that command to see what output is there.
14:50
Ah, so to simplify things, there's, uh, we actually have, ah, kind of... remember the script that we saw in a previous video to automate all of the, ah, Linux privilege escalation, which was written in Perl? We actually have, um, another, ah, useful link that you can use, or a useful... no, not a link, but a batch file, or, you know, yeah, a Windows script file that you can use for your information gathering or privilege escalation process, from the always-trusted FuzzySecurity, FuzzySecurity
15:41
Windows. And this guide contains, you know, a lot of useful information that you can actually use, a tutorial, scripting, and, you know, you can actually download the tools from this guide to actually perform all these tasks automatically and not, you know, bother with typing all the commands and everything. But, you know,
16:07
that's always... maybe, ah, you know, automatic tools may work for some situations, but in other situations you will have to type all this manually, and that's the point. I just want to show you guys what's the best way to do that. Another special mention, you know, I will not use the commands here because that would imply a lot of work, and basically another Cybrary course dedicated to only that, is PowerSploit, which is an excellent PowerShell framework written by Matt Graeber, I believe that's how you spell his last name, you know. Ah, as long as you search for PowerSploit, you will see who the author is, which is basically tailored to reverse engineering, forensics and penetration testing tasks. So yeah, you can also use PowerShell commands to try to escalate privileges. But most of the time, when you're a low-privilege user in Windows,
17:11
maybe using PowerShell commands is not a good idea, because at the end that would be logged, and maybe your activity will be discovered. So you have to be as stealthy as possible; maybe checking manually is, you know, the good process. But you can use FuzzySecurity's scripting to actually, you know, automate all your, ah, information gathering techniques.
17:41
Let me just close this out.
17:42
What is the objective of the command wmic /? Well, this is basically just to show you all the options that you have under the Windows Management Instrumentation Command-line, which is a lot of options. We saw a couple of them, like for checking the hotfixes installed. But, you know, this command will show you all the options you have in the WMIC command.
18:07
What is the objective of the command findstr and, you know, password, and then the files? Well, basically it's just to try to find, you know, certain types of files for a keyword. In this case the keyword is password, and the files are .xml, .ini, .txt, and see if any file in the operating system has the word password inside.
18:32
In this video we learned the concepts behind this technique and we implemented and executed some commands to help us escalate privileges. Supplementary materials: as always, the book Mastering Kali Linux for Advanced Penetration Testing and, in this case, FuzzySecurity's Windows Privilege Escalation post. Good reads. In the next video we'll cover Windows applications and services. Well, that's it for today, folks. I hope you enjoyed the video, and talk to you soon.
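Editor's added example, placed after the transcript: the manual checks the instructor types in the session (the wmic qfe hotfix lookup filtered with findstr, the reg query for AlwaysInstallElevated, the dir /s *pass* file-name search and the findstr /i password content search) written as PowerShell functions so they can be re-run on another host. This is not code from the video, from FuzzySecurity or from PowerSploit. Assumptions: Windows PowerShell 5.1 or newer; the KB numbers passed to Test-HotFixInstalled are placeholders to replace with the ones you care about; the unattend-file paths in Get-UnattendFile are the conventional Windows answer-file locations, which the video refers to but does not list.

```powershell
# Added example (editor's code, not the instructor's, FuzzySecurity's or PowerSploit's).
# Assumes Windows PowerShell 5.1+, run as the low-privilege user under test.
# KB numbers and search roots below are placeholders to edit per engagement.

function Get-InstalledHotFix {
    # Same data as `wmic qfe get Caption,Description,HotFixID,InstalledOn`,
    # read through CIM so it works on builds where wmic.exe is no longer present.
    Get-CimInstance -ClassName Win32_QuickFixEngineering |
        Select-Object HotFixID, Description, InstalledOn, Caption
}

function Test-HotFixInstalled {
    # Replaces `wmic qfe get ... | findstr KB...`: one row per KB asked about.
    param([Parameter(Mandatory)][string[]]$KB)
    $installed = (Get-InstalledHotFix).HotFixID
    foreach ($id in $KB) {
        [pscustomobject]@{ HotFixID = $id; Installed = [bool]($installed -contains $id) }
    }
}

function Test-AlwaysInstallElevated {
    # Replaces `reg query HKLM\...\Installer /v AlwaysInstallElevated`. msiexec only
    # honours the policy when the value is 1 in BOTH HKLM and HKCU, so check both;
    # a hit in a single hive is not exploitable on its own.
    $paths = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
             'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    $results = foreach ($p in $paths) {
        $item = Get-ItemProperty -Path $p -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        $value = if ($item) { $item.AlwaysInstallElevated } else { $null }
        [pscustomobject]@{ Path = $p; Value = $value }
    }
    $results | Format-Table -AutoSize | Out-String | Write-Host
    $enabled = @($results | Where-Object { $_.Value -eq 1 }).Count
    return ($enabled -eq 2)
}

function Get-UnattendFile {
    # Conventional unattended-install answer-file locations (editor's list, not
    # from the video). These can contain the local administrator password.
    $candidates = @(
        "$env:SystemDrive\sysprep.inf",
        "$env:SystemDrive\sysprep\sysprep.xml",
        "$env:windir\Panther\Unattend.xml",
        "$env:windir\Panther\Unattend\Unattend.xml",
        "$env:windir\System32\Sysprep\sysprep.xml",
        "$env:windir\System32\Sysprep\Panther\Unattend.xml"
    )
    $candidates | Where-Object { Test-Path -LiteralPath $_ } | Get-Item
}

function Find-CredentialFileName {
    # Replaces `dir /s *pass*` and `dir /s *cred*`: file names matching any keyword.
    param([string[]]$Root = @("$env:SystemDrive\"),
          [string[]]$Keyword = @('pass', 'cred', 'unattend', 'sysprep'))
    $pattern = ($Keyword | ForEach-Object { [regex]::Escape($_) }) -join '|'
    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $pattern } |
        Select-Object FullName, Length, LastWriteTime
}

function Find-PasswordString {
    # Replaces `findstr /si password *.xml *.ini *.txt`: first matching line per file.
    param([string[]]$Root = @("$env:SystemDrive\"),
          [string[]]$Include = @('*.xml', '*.ini', '*.txt', '*.config'))
    Get-ChildItem -Path $Root -Recurse -File -Include $Include -ErrorAction SilentlyContinue |
        Select-String -Pattern 'password' -SimpleMatch -List |
        Select-Object Path, LineNumber, Line
}

# Usage: replace the placeholder KB numbers and narrow the roots for a large disk.
Test-HotFixInstalled -KB 'KB1234567', 'KB123'
if (Test-AlwaysInstallElevated) { Write-Warning 'AlwaysInstallElevated is set in both hives' }
Get-UnattendFile
Find-CredentialFileName -Root "$env:SystemDrive\" | Select-Object -First 20
Find-PasswordString -Root "$env:USERPROFILE" | Select-Object -First 20
```

Two caveats the instructor's commands do not surface: wmic.exe is deprecated and missing on some newer Windows builds, which is why the hotfix function reads Win32_QuickFixEngineering through CIM instead of shelling out; and the AlwaysInstallElevated policy needs the value set to 1 under both hives before a low-privilege user can install an MSI as SYSTEM, so the function only returns true in that case. As the instructor notes, PowerShell activity may be logged (script block and module logging), so on a target where stealth matters the same checks typed at cmd.exe are the quieter option.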


Instructed By

Alejandro Guinea
CERT Regional Director
Instructor