Hello, everyone. Welcome to the next section of this class.
In this portion, we are going to be
re-establishing a connection with our victim's system.
In this case, we are going to be establishing a connection with a
regular user account.
And I'm gonna show how to escalate your privileges to that of a system account.
All right, so first things first,
that's getting that exploit up and running here.
All right. So, first of all, I need
a handler in place for the connection itself.
So I'm gonna go ahead and look at my options,
and these were set from a previous session. One thing that's important to think about when you're using Metasploit is to periodically run the save command.
This saves your configuration, and assuming that your database is up and running when you reconnect to the framework later, then you can sort of pick up where you left off.
All right, so my local host looks correct. My local port looks correct.
And it's showing me that my payload is 32-bit,
so I'm gonna go ahead and start the handler.
On the victim machine,
as I mentioned in previous
clips, you do need to find a way to get your
payload to the victim.
A trojan, however you do it, it doesn't really matter.
A 32-bit payload here.
Now, if I go back to Kali, you can see that my Meterpreter session has been established. What I need to do immediately, though, is
check my user account. You can see that I am a
regular user: IE8WIN7
is the system and IEUser
is my account.
So obviously, if I try to do something like getsystem,
it's not going to work.
What I'm going to do is use the bypassuac
exploit from Metasploit. This will allow me to run the getsystem command with success.
So I'm going to background this process.
Searching for access control, what I want to try is this one here, Windows Escalate UAC Protection Bypass.
So this tries to bypass the normal pop-up that you would see when you're trying to do something as an administrator. We're all familiar with the
UAC pop-ups where you type in the administrative password. But I'm gonna try to get a system account without
having the administrator password.
So I'm gonna go ahead and use it.
Let's do an info first.
We can see that it uses a trusted publisher certificate through process injection, and this spawns a second shell.
So, with that in mind,
what we need to do is also pick a different port.
All right, so in the shell, show options.
And we can see I want to attach this to session one,
because that's the only one I have going right now.
And due to some strange behavior,
the first time I run this, it's not going to work.
And even though I've got some environment variables set
for this particular exploit, they seem to only work if you run it a first time, let it time out,
and then go back and set your LHOST and LPORT.
You can set those beforehand, but it doesn't seem to actually take
effect until you let this time out one time on its own.
It might just be a bug with this particular module. Okay, so there's a timeout.
Now, if I run show options, you'll notice that I get all the payload options. These weren't there before
when I ran show options. Don't know why.
As I said, it's a minor thing to deal with.
You'll notice that our target has to be a 32-bit system.
So if you've got a 64-bit Windows 7 user, you're gonna have to use some other technique to escalate your privileges to system level.
In any case, I'm gonna go ahead and set my local host,
and I'm gonna set my local port to something else because I'm already using 4444.
So I'll just use 5555.
Now when I run the exploit, it should not time out.
And we can see it looks like I'm about to get my shell. And there we have it. I've got a Meterpreter shell. I've got two shells now,
session one and session two.
If I run getuid,
I'm still my regular user
that I was before, but now the getsystem command should actually work.
And it did. It used the first technique it found, which was named pipe impersonation.
And now, if I type getuid, you'll see that I am indeed a system account,
which means that I have full privileges on this system. And I can also verify that by running the getprivs command,
which shows me all the privileges that I have with this particular account.
I should have done this when I was logged in as a regular user, just to show that you only get three privileges there.
As a system account, however, I get quite a few more. So this is a big advantage.
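As an added, defender-side illustration that is not part of the course: the named pipe impersonation technique that getsystem used above installs a short-lived service whose command echoes into a named pipe, and that service installation lands in the Windows System log as a 7045 event. The log lines below are constructed, and the flattened field layout and the regex are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed sample records shaped like Windows System log 7045
# ("A service was installed in the system") entries, one per line.
SAMPLE_EVENTS = [
    "EventID=7045 ServiceName=WinDefend ImagePath=C:\\Program Files\\Windows Defender\\MsMpEng.exe StartType=auto",
    "EventID=7045 ServiceName=Xkqlm ImagePath=cmd.exe /c echo Xkqlm > \\\\.\\pipe\\Xkqlm StartType=demand",
    "EventID=7045 ServiceName=Print ImagePath=C:\\Windows\\System32\\spoolsv.exe StartType=auto",
    "EventID=7045 ServiceName=zYtwq ImagePath=%COMSPEC% /c echo zYtwq > \\\\.\\pipe\\zYtwq StartType=demand",
]

# The getsystem named pipe technique registers a service whose ImagePath is a
# cmd / %COMSPEC% one-liner that echoes a token into \\.\pipe\<name>, so the
# SYSTEM service connects to the attacker-owned pipe. A service whose binary
# path is such a one-liner is the tell; legitimate services point at an exe.
PIPE_SERVICE_RE = re.compile(
    r"(?:cmd(?:\.exe)?|%COMSPEC%)\s+/c\s+echo\s+\S+\s*>\s*\\\\\.\\pipe\\(?P<pipe>\S+)",
    re.IGNORECASE,
)
# key=value pairs; a value runs until the next " key=" or end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


@dataclass
class Finding:
    service: str  # name of the suspicious service
    pipe: str     # named pipe the service command writes into


def parse_event(line: str) -> dict:
    """Split one flattened event line into a field dict."""
    return {k: v for k, v in FIELD_RE.findall(line)}


def detect_getsystem_pipe_service(lines):
    """Return a Finding for every 7045 event whose ImagePath is a pipe echo one-liner."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "7045":
            continue
        match = PIPE_SERVICE_RE.search(ev.get("ImagePath", ""))
        if match:
            findings.append(Finding(ev.get("ServiceName", "?"), match.group("pipe")))
    return findings


if __name__ == "__main__":
    for f in detect_getsystem_pipe_service(SAMPLE_EVENTS):
        print(f"suspicious service {f.service!r} writes to pipe {f.pipe!r}")
```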
Go back to our help screen,
and one of the commands
that we can now run is hashdump.
And that shows me all the hashes in the SAM database for this particular Windows system.
And this might be very useful because, for instance,
even though I've got administrator privileges, I may not want to
show evidence of changing the password or something, so I could
use the pass-the-hash technique
to authenticate myself as administrator or as one of these other accounts,
rather than using the account I logged in with originally.
If I run a shell from here,
NT AUTHORITY\SYSTEM is the account in the command shell.
And this is the equivalent of being root, for instance, on a UNIX system.
Notice I didn't have to crack the password. I didn't have to
do a rainbow table attack against these hashes or anything like that. I'm looking at the hashes after escalating my privileges, so you can see that there's a great deal of benefit in using the bypassuac exploit.
All right, that's it for this section. Thank you.