Part 3 - Privilege Escalation on Win7-32

Video Activity

This lesson offers step-by-step instructions on how to re-establish a connection with the victim system. Participants learn how to establish a connection with a regular user account and how to escalate privileges to the system account.


Time: 5 hours 38 minutes
Difficulty: Intermediate
CEU/CPE: 6

Video Transcription
00:03
>> Hello everyone, welcome to the next section of our display class. In this portion, we are going to be reestablishing a connection with our victim system. In this case, we are going to be establishing a connection with a regular user account. I'm going to show how to escalate your privileges to that of your system account.

First things first, let's get Metasploit up and running here. First of all, I need to make sure that my handler is in place for the connection itself. I'm going to go ahead and look at my options. These are set from a previous session. One thing that's important to think about when you're using Metasploit is to periodically run the save command. This saves your configuration and, assuming that your database is up and running when you reconnect to the framework later, then you can pick up where you left off. My local host looks correct, my local port looks correct. It's showing me that my payload is a 32-bit Meterpreter shell for Windows. I'm going to go ahead and start the handler.

On the victim machine, as I mentioned in previous clips, you do need to find a way to get your payload to the victim: email, Trojan, however you do it, it doesn't really matter. I have got a 32-bit payload here. Now if I go back to Kali, you can see that my Meterpreter session has been established. What I need to do immediately, though, is check my user account, and you can see that I am a regular user. IE8 Win 7 is the system and IEUser is my account. Obviously, if I try to do something like getsystem, it's not going to work. But what I can do is use the bypass UAC exploit from Metasploit. This will allow me to be able to run the getsystem command with success.

I'm going to background this process. Now I need to do a quick search: User access control. The one I want to try is this one here, windows escalate UAC protection bypass. This tries to bypass the normal popup that you would see when you're trying to do something as an administrator. We're all familiar with the UAC pop-ups, retyping the administrator password. But I'm going to try to get a system account without having the administrator password. I'm going to go ahead and use this exploit. Let's do an info first. We can see that it uses trusted publishers certificate through process injection. This spawns a second shell. That being in mind, what we need to do is also pick a different port. I'm going to show my options. We can see I want to attach this to session 1 because that's the only one I have going right now.

Due to some strange behavior, if I try to run exploit the first time, it most likely is not going to work. It will time out. Even though I've got some environment variables set for this particular exploit, they seem to only work if you run it first one time, let it time out, and then go back and set your LHOST and LPORT. You can set those beforehand, but it doesn't seem to actually take effect until you let this time out one time on its own. It might just be a bug with this particular module. So there's no timeout. Now if I run show options, you'll notice that I get all the payload options. These weren't there before I ran show options. Don't know why. As I said, it's a minor thing to deal with. You'll notice that our target has to be a 32-bit system. If you've got a 64-bit Windows 7 user, you're going to have to use some other technique to escalate your privileges to system level. In any case, I'm going to go ahead and set my local host. I'm going to set my local port to something else because I'm already using 4444. I'll just use 5555. Now when I run the exploit, it should not time out. We can see that it looks like I'm about to get my shell, and there we have it. I've got a Meterpreter shell. I've got two shells now, session 1 and session 2.

If I run getuid, I'm still the regular user that I was before. But now the getsystem command should actually work, and it did. It used the first technique that it found, which was Named Pipe Impersonation. Now if I type getuid, you'll see that I am indeed a system account, which means that I have full privileges on this system. I can also verify that by running the getprivs command, which shows me all the privileges that I have with this particular account. I should have done this when I was logged in as a regular user to show that you only get three privileges there. As a system account, however, I get quite a few more. This is a big advantage.

We can go back to our home screen. One of the commands that we can now run is hashdump. This shows me all the hashes in the SAM database for this particular Windows system. This might be very useful because, for instance, even though I've got administrator privileges, I may not want to show evidence of changing a password or something. I could use the pass-the-hash technique to authenticate myself as administrator or as one of these other accounts, like guest or the IEUser account that I logged in with originally. If I run a shell from here, I've got an NT AUTHORITY\SYSTEM account as a command shell. This is the equivalent of being root, for instance, on a Unix system. Notice I didn't have to crack a password. I didn't have to do a rainbow attack against these hashes or anything like that. I'm looking at the hashes just after escalating my privileges. You can see that there's a great deal of benefit in using the bypass UAC exploit. That's it for this section. Thank you.