Time
14 hours 43 minutes
Difficulty
Advanced
CEU/CPE
15

Video Transcription

00:00
Hello, everybody. And welcome to episode number 41 off the privilege escalation Siri's when those obligation and service is my name is Alejandro Gonna and I'll be your instructor for today's session.
00:12
The learning operatives of the session is to understand the concepts behind this technique and also applied and execute commands to gather information so we can actually escalate privileges. So let's get down to business. Shall we Let me just grab or Windows based here.
00:29
And, you know, uh, our goal in this session is to use Wait. Permissions are to, you know, to elevate our privileges.
00:37
You know what permissions on application service is? Processes, folders, whatever that has worked. Permission Zobel use. It'll try to find those witnesses so we can actually escalate privileges. For example, we can start by checking. You know, we'll be checking a lot of access rights,
00:56
so we should grab a copy of the Axis
00:59
C h k, that ex execute herbal from the tool and, you know, tool from the cyst. Internal sweets. I just had this page up in here so you can, you know, see the link and unloaded. This is not by the fault with style in windows, which is, you know, a shame for Windows system administrators because it contains a lot of
01:19
cool features and tools
01:21
you can use. But, you know, it's also Paradies for for penetration testers, because at the end, whatever is used for good purposes, it is unfortunately used also for bad purposes. So, yeah, you know, ashamed for system administrators that it's not installed.
01:38
I didn't also ashamed for
01:41
penetration testers that we can actually leverage the functionalities in this says internals. Sweet. You know.
01:49
Yeah, well, I already downloaded. Here. Let me just go to that folder
01:57
so you can actually see here, but I'm talking about
02:01
users.
02:06
Um, cece Insurance hopes this stuff,
02:10
and as you can see, eat contains a lot of tools. Ah,
02:15
you know, P s exact. They want the famous one p s ex sec, and, you know, it contains a lot off tools the one will be using right now. Eyes that access C h k. You know, just fool again from since internals, um, you know, we'll be using that to actually check permissions, but let me start
02:36
Theis session with
02:38
checking the window service. Is there some quick wings to be found here. For example, nowadays, Windows system won't contain both. Honorable service is per se. I mean, you know, you have to check. Um, either way. For example, there was something called Golden Ticket,
02:58
which is what's exploited, really? Also exploit I you know,
03:01
you can google it and see what it's looked like. I believe there are some X P machines are still out there, you know, nowadays is mostly Windows 10 Windows eight. And you know, this is not longer vulnerable to this golden ticket exploit. Unless the society mean it's really, really
03:21
I don't wanna use some bad word here, but, you know, you get the idea
03:25
s Oh, yeah, that's first double checking. The service is I will be used the S e Q c spolar, the S E. You know, tool can be used to query, you know, car figure and manage. Window service is so sc absurd. Que si
03:43
ah schooler.
03:46
And we'll see some useful information here, like, you know, the finally path. Name something like that. Notice, order group. You know, you could data. You can see a lot of information. We can see permissions that its user level has
04:01
you can you know we'll use Ah, the access C h k uh,
04:05
tool. I get again from the cyst. Internals, guys, this will not again being stalled by default in windows. So let me just
04:15
access C h k. You know, Dash, uh, you see Q b
04:19
and you know, schooler
04:23
hopes
04:24
and we'll see more, more. Um,
04:28
um, tools in here service our access, you know, building administrators. I can't figure this by the fall on purpose, eh? So we can actually, you know, see how noah vulnerable service like, Well, looks like, you know, reading right.
04:45
I will be seeing administrators on and off.
04:47
All has access to it, you know? You know, you can
04:51
actually get different permissions when you're actually elevating your privileges. But that's it. That's the idea. With the access T c h k a tool, you can automatically check if we can. Right now we have right accesses. The window service is
05:11
ah, would Sir Tain user
05:13
again? Well, you do have in this case, but you know, you can check that You can also
05:19
check, uh, using access ch gate for regrettable folders and files. Like for example, Let me just write the commanding here once again. Such. Okay, let me just raise this thk uh,
05:33
you the Lucy Q b, for example. You can actually check all all these flags, but just using the question mark, and that will be it. I mean, just check for, for example, authenticated
05:47
users
05:50
and see what comes from no match. No matching objects found. That's okay. We Can you just check different things? Like
05:59
maybe
06:00
I don't know. For example, everyone
06:04
okay, let me just
06:05
modified these flags. Like, for example, I don't want to use that like you tell us. You,
06:11
uh maybe
06:13
all the all the flags again. You can actually check the flags, Let me
06:17
leave the same flax and changed the user instead. But you can take other flags for other options. Simple users in here
06:27
on objects. Much found. That's OK. That's idea. Woo, run this commands to see if we catch the right to something. And, for example, you can actually check with service's permissions. Maybe we can. We can reconfigure anything. Um,
06:43
for example, let me change flax. This time you don't leave c Q B
06:48
and no much found. Maybe everyone
06:53
no, no much found. That's OK, that's the point. Will need to actually check for those to see if this is kind of the sticky bit version off the linens, operator system, dedicated users
07:08
and how much has found. The point is that you can actually search for all this commands informations to see if we can find something you, uh you know, by reconfiguring the service's we can run any binary that we choose and, you know, get the privileges collection process Don.
07:27
Now our show, unfortunately, power shell is not a thing in escalating privileges because most of the time is not installed or maybe not installed, but not enable or not fully enabled on the Windows operating system. And if it is,
07:43
uh, it's not us. Allow privileged user are now allowed to to use it. Or, you know, maybe it's not enable and you're not allowed to enable it, because you will have to, you know,
07:55
have administrative permissions to actually elevate privileges. But the power shell is actually really powerful of if, for some reason it's enabled, you can just fire a shell. Ah, but you know, even even after you escalated privileges, I have the recommended to use Barbara shell
08:15
because, you know,
08:16
again, it will. It will. It will give you a lot of information. Like we're really are, Um
08:22
um super user. You know, our administrators in here. And by the way, uh,
08:28
let's are made this by using this script.
08:33
This script is really cool. You can No. You can learn to use power shell and perform test manually. But as I show you in the Olympics privilege escalation module, we also have, ah, kind of, ah ah, script or, you know, a powershell script
08:50
seeking executed and get more information.
08:52
So let me just give you a run. Just copy that link here. Just copy base here into into into Ah, I really did. It is located here, you know, test
09:03
that p s one on. And you just have to go for the power shelf.
09:09
Um,
09:11
shell, by the way. And, you know, just city desk top by the way again. This is not, you know, like enable. But if all you have thio, use the a set dash execution policy command up our shell command to actually enable this,
09:28
and obviously you have to be administrated to enable that. So
09:33
you know, that's where the problem resized to use Baur Shell to escalate village. Now, after you have escalated privileges, running power shell is like one of the main things you have to do is at the end. As I told you in in previous videos,
09:48
after your privilege escalation process, you still have to enumerate all the system because maybe you were unable to find information as ah lo privilege you, sir. But now that you have administrative privileges, you may be fine, although useful information to go to another machine
10:07
too. You know, maybe, you know, you know, read basil words from other machines, especially
10:13
when you're actually like
10:15
trying to escalate privileges. And you have, uh,
10:18
being able to actually
10:22
create exploits for for the privilege escalation and you're inside.
10:26
You're,
10:28
for example, domain controller, which will contain all the credentials for all the people. Maybe you were unable to to find sensitive information. A silo privilege you, sir. But you know, now that your administrator, you might be able to actually find
10:43
good some goodies so you can actually go to another machine. So yeah, we're in a powerful up. I'm sorry. Power shall exploit
10:50
Oh, our script in this case, you know, there's tons off information you can find on Google, But, you know, this script will automate the process, and it will give you some useful information. Uh,
11:03
for example, if I just let me give you an example that I'm talking about to enable its shell script if I'm here and I said set
11:13
dash execution policy, and I put it like a now remarked Signed?
11:20
Uh, yeah,
11:22
it will give me Ah, you know, uh, an exception, because I'm not, um, administrator is denied to changed execution policy for the fall of machine scope store Windows Publisher in the run administrator option. Okay, I'm not administrators of How could I do that? That's the problem.
11:39
But now that we're administrators, you can actually simple just run this script,
11:43
like test a p s.
11:46
And it will give us, you know, all the information that I have been showing you so far. But you know, it will automate it for us, and it will give you some
11:54
maybe pointers where we can actually go to and in the scripts. And, you know, uh, maybe see, we can actually find out how we can actually escalate religious like, let me go to the beginning. Off script. And again, remember the hot fixes. This is just basically executed the system information command system in Foca, man.
12:13
And you know, we'll see a lot of finishing here.
12:16
Never Information. What? Stick? The card that we're using. The servers are peacock cache table. Remember that we saw all these commands in our previous video for Windows Privilege escalation, routing table network connections, connected drivers.
12:35
For example. If we haven't s and B
12:39
uh,
12:39
service running the school beaver useful firewall configuration, maybe the fire will We can find it. Find out if if if the fire well, it's actually blocking incoming connection, but not is not blocking outgoing connection. So maybe we can do that. Something Something without information.
12:58
Current user use for privileges. Obviously, I'm you know, again, administrator.
13:03
Local users locked in users. Credential. Meijer.
13:09
You know, we can find a lot of information here. Processes running processes. Maybe again. I told us I told you the previous video. Isom some some back in the day I used
13:22
actually an activator southward to escalate privileges, so yeah, don't discard any anything crazy that you see here somewhere Registry for example, Uh, and you get the idea
13:33
you can actually see that, for example, is startup commands. You actually try to change or, you know, override some of them, See if you can actually run it. When administrative privileges, something like that. You get the idea
13:56
what is achieved by the command S C. Q C spolar. Well, as I told you at the beginning of the video, the Sikh command is used to query comfort your or manage when the service is soap. This case were checking that service. What is Ah, chamber the command Access C H K.
14:16
Well, this is Ah, sis. Internal sweet command or tool
14:20
again, it's not enabled by the following windows. You have two downloaded. So if you don't actually have permissions to download it to cer tain folders, you will have to check with folders you have permissions to and maybe download. This is internal tools in allocation.
14:37
Andi stole these used torno check accesses,
14:41
checked permissions that you have, maybe for all the users or for your specific users for processes, service's folders, applications and everything. So this is really cool applications up again. It's not enable or not. Is not downloaded by default windows.
15:00
In this video, we learned the concepts behind this technique. Hang we implemented on executed some commands to help us escalate privileges.
15:07
Supplements materials again. Mustering Caroline is with advance penetration test in and fast security windows. Privilege Escalation.
15:16
Looking forward in the next video, we'll cover module. ADA will start with module eight, which is basically a penetration testing simulation exercise will cover from the better beginning. I mean, from from, you know, pre engagement things like getting the contract signed, what could kind of contract. You have to get
15:33
what kind of report you may have 2% maybe defining the scope
15:37
and we'll, you know, go through the entire process until we actually have to, you know, percent the final findings and, you know, everything that is in the Middle East basically just exploited vulnerabilities in getting remote command remote control on the machines.
15:52
Well, that's it for today, folks. I hope you enjoyed the Bay Area and talk to you soon.

Up Next

Offensive Penetration Testing

This is a deep course about penetration testing. In this course, you’ll learn from basic to the most advanced and modern techniques to find vulnerabilities through information gathering, create and/or use exploits and be able to escalate privileges in order to test your information systems defenses.

Instructed By

Instructor Profile Image
Alejandro Guinea
CERT Regional Director
Instructor