Welcome to the privilege escalation lab walkthrough. Buckle your seat belts, because we're gonna be here for a while. So the unintended exploitation path that I had hinted at is using psexec on the Windows box.

If we are able to figure out the username and password, which you've seen before, right? The administrator password on the Windows box, and use Impacket psexec. You saw this in the slides that I showed you about using psexec. But if I do this, who am I?

That's the easy way. Now let's go to the intended exploitation path.
So I hinted it was a web-based exploitation path. So if we go to 192.168.1.19, you'll notice a file server that looks interesting. Also, if you look at the link, it's Rejetto HFS, and we have a version of 2.3, so we can use searchsploit for Rejetto. And we see we have a Python script here.

So you can do this on Metasploit, or you can do it without it. I'm gonna show you how to not do it on Metasploit, because we don't rely on Metasploit for OSCP. So what I will do is searchsploit, and I'm going to take a look at this now.
Again, we're looking at code, we're reading the code. We need to understand what we need to change here. So I see local IP and local port number. Again, they put comments here, which is very nice.

So I need to put my box and whatever port I want my netcat listener on. It will tell you your netcat needs to be on a web server. Well, why don't we just use our web server? We can leave that. Well, let's make this 5555; we'll make things a little different here.

I'm going to use locate nc.exe. And here's netcat. So I'm gonna put this, or move this. Also, copy might be the better way to go. Copy nc.exe.

Okay. So now I need to start my server, right: systemctl start apache2. So now I'm going to need to start my netcat listener, as I'm going to try to run this script. There we go. It says you may need to run it a few times, but now we are on user one's desktop.
So now what we want to do is escalate privileges, right? whoami: we're user1. net user user1. Are we administrator? No, we're not.

So what we want to do is, I talked about the PowerUp script. So what I can do is locate PowerUp.ps1, and I see it here. So what I'm gonna do is use certutil to download this. All right, we see that we got that. We can check the directory. We see that.

So I need to go into PowerShell now. What I'm gonna do is import it. So it's checking. We see checking for unquoted service path, and it found it, right. I found some other things as well. But let's take a look at unquoted service path. We see we have temp unquoted path. Well, that's a clue, right?

So you guys saw this in the unquoted.exe, and if we can start or stop this service, we can get a shell as SYSTEM.
So I'm not gonna use PowerUp. I'm gonna make my own thing here. So the payload is windows/shell_reverse_tcp. We're gonna do format is executable, and we're gonna do unquoted.exe. Just waiting for this to... there we go. Make that.

So I want to use certutil again. But why don't I just change directories to temp? You can see that I am in the root directory for my user. So root, that shell should be in here. certutil unquoted.exe, unquoted.exe.

Now we can try to see if we can start or stop this service. So the service name is unquotedservice. So I'm going to get a PowerShell and also start my listener.

So, see, access is denied. So what do I do now? I can try to shut down this machine and restart it and see what happens. So if we restart, this unquoted.exe should make our shell, or activate our shell here. But it might take a while, because when we give the shutdown signal, I think it gives it about a minute to shut down. So we have to wait here patiently.

So we see the system has restarted here to kick this off. So now again, we're waiting patiently to see if we get a shell here.
So we have successfully gotten from user one, well, we don't even need that, to SYSTEM. So for OSCP, then, you're gonna change directory to Users, change directory to Administrator, change directory to Desktop. And we see that there's a flag there, flag.txt. So there you go. There is your proof flag right there.

All right. So that's the Windows machine, both unintended and intended exploitation path. Now, let's pivot over... But what I'm going to do is make another video for that. So if you want to go over the Windows machine, go ahead. Um, but this is part one for the Windows machine, and I will make a part two for the Linux machine.
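As an added defender-side example, not part of this walkthrough or of PowerUp: a PowerShell script that runs the same unquoted-service-path check PowerUp reported above and, with -Fix, remediates findings by quoting the executable in the service's ImagePath. Function names such as Test-UnquotedServicePath are my own; it reads the real service registry keys, so run it elevated on a lab box.

```powershell
# Added example, not part of the walkthrough: audit services for an unquoted
# ImagePath with spaces (what PowerUp flagged above) and, with -Fix, quote it.
param([switch]$Fix)   # run from an elevated PowerShell session
$SvcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Split ImagePath into (exe, args); $null when empty, already quoted, or no .exe to anchor on.
function Split-ImagePath {
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = $ImagePath.Trim()
    if ($p.StartsWith('"')) { return $null }                      # already quoted: safe
    $i = $p.IndexOf('.exe', [StringComparison]::OrdinalIgnoreCase)
    if ($i -lt 0) { return $null }                                 # drivers, %SystemRoot%\... etc.
    return @{ Exe = $p.Substring(0, $i + 4); Rest = $p.Substring($i + 4) }
}

# Risky only when the executable portion itself contains a space: the service control
# manager then tries C:\Program.exe, then C:\Program Files\Some.exe, ... before the real one.
function Test-UnquotedServicePath {
    param([string]$ImagePath)
    $parts = Split-ImagePath $ImagePath
    return ($null -ne $parts) -and ($parts.Exe -match '\s')
}

function Get-UnquotedServicePath {
    Get-ChildItem $SvcRoot | ForEach-Object {
        $props = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
        if ($props -and (Test-UnquotedServicePath $props.ImagePath)) {
            [pscustomobject]@{ Name = $_.PSChildName; ImagePath = $props.ImagePath; Key = $_.PSPath }
        }
    }
}

# Rewrite ImagePath as "<exe>"<args>; keep REG_EXPAND_SZ so %SystemRoot%-style values still expand.
function Repair-UnquotedServicePath {
    param([string]$Key, [string]$ImagePath)
    $parts = Split-ImagePath $ImagePath
    $fixed = '"' + $parts.Exe + '"' + $parts.Rest
    Set-ItemProperty -Path $Key -Name ImagePath -Value $fixed -Type ExpandString
    return $fixed
}

$findings = @(Get-UnquotedServicePath)
$findings | Format-Table Name, ImagePath -AutoSize
if ($Fix) {
    foreach ($f in $findings) {
        $new = Repair-UnquotedServicePath -Key $f.Key -ImagePath $f.ImagePath
        Write-Host ("Quoted {0}: {1}" -f $f.Name, $new)
    }
}
```

Quoting the path closes the search-order issue; the lab's second ingredient, a directory on that path writable by a low-privilege user, is a separate ACL fix (icacls) that this script only surfaces indirectly by listing which paths to inspect.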