Time
5 hours 38 minutes
Difficulty
Intermediate
CEU/CPE
6

Video Description

This lesson offers step-by-step instructions on how to re-establish a connection with the victim system. Participants learn how to establish a connection with a regular user account and how to escalate privileges to that of the system account.

Video Transcription

00:04
Hello, everyone. Welcome to the next section of our Metasploit class.
00:08
In this portion, we are going to be
00:12
re-establishing a connection with our victim's system.
00:16
In this case, we are going to be establishing a connection with a
00:23
regular user account.
00:25
And I'm gonna show how to escalate your privileges to that of a system account.
00:32
All right, so first things first,
00:37
it's getting that exploit up and running here.
00:48
All right, So, first of all, I need to
00:51
make sure that my
00:55
uh, handler is in place for the connection itself.
01:03
So I'm gonna go ahead and look at my options,
01:07
and these were set from a previous session. One thing that's important to think about when you're using Metasploit is to periodically run the save command.
01:18
This saves your configuration. And assuming that your database is up and running when you reconnect to the, uh, to the framework later, then you can sort of pick up where you left off.
01:30
All right, so my local host looks correct. My local port looks correct.
01:36
And it's showing me that my payload is a 32-bit
01:40
Meterpreter shell
01:42
for Windows,
01:45
so I'm gonna go ahead and start the handler
01:48
on the victim machine.
01:51
As I mentioned on previous
01:53
clips, you do need to find a way to get your
01:57
payload to the victim.
01:57
Email.
02:00
Trojan. However you do it, it doesn't really matter.
02:05
A 32-bit payload here.
02:07
Now, if I go back to Kali, you can see that my Meterpreter session has been established. What I need to do immediately, though, is, uh,
02:17
check my user account. You can see that I am a
02:21
regular user. IE8Win7
02:23
is the system and IEUser
02:27
is my, uh, my account.
02:30
So obviously, if I try to do something like getsystem,
02:35
it's not going to work.
02:38
But what I can do
02:39
is use the bypassuac
02:44
exploit from Metasploit. This will allow me to be able to run the getsystem command with success.
02:53
So I'm going to the background, this process.
02:58
And now I need to
03:02
do a quick search for
03:10
user
03:13
access control, and what I want to try is this one here: Windows Escalate UAC Protection Bypass.
03:22
So this tries to bypass the normal pop-up that you would see when you're trying to do something as an administrator. We're all familiar with the
03:31
the UAC pop-ups where you type in the administrative password. But I'm gonna try to get a system account without
03:38
having the administrator password.
03:40
So I'm gonna go ahead and use
03:45
this exploit.
03:46
Let's do an info first.
03:50
We can see that it uses a trusted publisher certificate through process injection, and this spawns a second shell,
04:00
so, with that being in mind,
04:02
um, what we need to do is also pick a different port.
04:13
All right, so I'll run show options,
04:15
And we can see I want to attach this to session one
04:21
because that's the only one I have going right now.
04:29
And, due to some strange behavior,
04:32
trying to exploit
04:34
the first time, it almost looks like this is not going to work,
04:39
a little timeout.
04:44
And even though I've got some environment variables set,
04:47
uh, for this particular exploit, they seem to only work if you run it a first time, let it time out,
04:56
and then go back and set your LHOST and LPORT.
05:00
You can set those beforehand, but it doesn't seem to actually take
05:02
effect until you let this time out one time on its own.
05:06
Um, it might just be a bug with this particular module. Okay, so there's a timeout.
05:17
Now, if I run show options, you'll notice that I get all the payload options. These weren't there before
05:23
I ran. Show options. Don't know why.
05:26
As I said, it's a minor thing to deal with.
05:30
You'll notice that our target has to be a 32-bit system.
05:33
So if you've got a 64-bit Windows 7 user, you're gonna have to use some other technique to escalate your privileges to system level.
05:43
In any case, I'm gonna go ahead and set my local host
05:48
and I'm gonna set my local port to something else because I'm already using 4444.
05:55
So I'll just use 5555.
06:00
Now when I run the exploit, it should not time out.
06:04
And we can see that it looks like I'm about to get my shell. And there we have it. I've got a Meterpreter shell. I've got two shells now.
06:11
Session one and session two.
06:14
If I run getuid,
06:15
I'm still my regular user
06:17
that I was before, but now the getsystem command should actually work.
06:23
And it did, uh, use the first technique it found, which was named pipe impersonation.
06:30
And now, if I type getuid, you'll see that I am indeed a system account,
06:36
which means that I have full privileges on this system. And I can also verify that by running the getprivs command
06:45
that shows me all the privileges that I have with this particular account.
06:48
I should have done this when I was logged in as a regular user, just to show that you only get three privileges there;
06:57
as a system account, however, I get quite a few more. So this is a big advantage.
07:04
Go back to our help screen,
07:06
and one of the commands
07:10
that we can now run is hashdump.
07:15
And that shows me all the hashes in the SAM database for this particular Windows system.
07:21
And this might be very useful because I can, for instance,
07:25
uh,
07:26
even though I've got administrator privileges, I may not want to
07:30
show evidence of changing the password or something, so I could
07:34
use the pass-the-hash technique
07:38
to authenticate myself as administrator or as one of these other accounts,
07:44
like guest, or
07:46
maybe the IEUser account that I have logged in with originally.
07:51
If I run a shell from here,
07:54
I've got an
07:58
NT AUTHORITY\SYSTEM account as a command shell.
08:01
And this is the equivalent of being root, for instance, on a UNIX system.
08:07
Notice I didn't have to crack the password. I didn't have to,
08:11
um,
08:11
do a rainbow attack against these hashes or anything like that. I'm looking at the hashes after escalating my privileges, so you can see that there's a great deal of benefit in using the bypassuac
08:24
exploit.
08:26
All right, that's it for this section. Thank you.

Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor