1
00:00:00,590 --> 00:00:00,900
OK.

2
00:00:00,930 --> 00:00:02,040
So here we are.

3
00:00:02,040 --> 00:00:07,780
We are ready to figure out this escalation, and we know it has something to do with the Windows Subsystem

4
00:00:07,800 --> 00:00:09,260
for Linux.

5
00:00:09,300 --> 00:00:09,530
OK.

6
00:00:09,540 --> 00:00:10,920
So what can we do with that?

7
00:00:10,950 --> 00:00:12,490
Well, we have a little cheat sheet guide.

8
00:00:12,510 --> 00:00:21,030
We talked about it, and we know that wsl.exe exists and bash.exe exists, so we could try to find

9
00:00:21,030 --> 00:00:22,230
both of those really quick.

10
00:00:22,230 --> 00:00:30,330
So if we go to our terminal and we say something along the lines of where, we do a dash R, which just means

11
00:00:30,330 --> 00:00:35,280
recursive, and we're going to look in C:, and I'm actually going to expand it to Windows.

12
00:00:35,280 --> 00:00:39,220
I think it's hiding in Windows somewhere, and we'll do a bash.exe.

13
00:00:39,240 --> 00:00:43,130
Now you could use a find or any other command that you would like against this.

14
00:00:43,140 --> 00:00:46,130
This is just how I use it to quickly find it.

15
00:00:46,170 --> 00:00:51,660
You can see there is the bash.exe, and we could do another quick one of these where I copy this

16
00:00:52,810 --> 00:00:57,740
and we'll run it against the wsl.exe and see where those are hiding.

17
00:00:57,760 --> 00:01:06,940
Let's do a quick one on wsl.exe, and I'm guessing it's in this WinSxS folder as well because

18
00:01:06,940 --> 00:01:12,400
that's where everything else has been related to this Windows Subsystem for Linux.

19
00:01:12,490 --> 00:01:19,090
So you can see the wsl.exe here; we can go ahead and run pretty much any of these and see what's

20
00:01:19,090 --> 00:01:19,650
going on.

21
00:01:19,660 --> 00:01:23,070
The bash.exe will bring up a bash command prompt.

22
00:01:23,590 --> 00:01:29,770
But remember, we could do something quickly like a whoami on this wsl.exe, and see.

23
00:01:30,190 --> 00:01:32,610
Now we can do like a quick paste and say whoami.

24
00:01:32,620 --> 00:01:36,560
And it should return root, and you can see there it did return root.

25
00:01:36,670 --> 00:01:43,660
Now remember, I told you that you can't run this, but if you could wsl python -c, you could run

26
00:01:43,690 --> 00:01:48,280
a Python reverse shell or even a bind shell here and open up a port.

27
00:01:48,280 --> 00:01:51,010
However, that's not the method of exploitation here.

28
00:01:51,010 --> 00:01:53,370
That's not the true escalation that we're going to do.

29
00:01:53,890 --> 00:02:01,480
So let's go ahead and just run the bash.exe and drop into a command prompt here, well, a Linux terminal

30
00:02:01,480 --> 00:02:03,610
I should say. OK.

31
00:02:03,630 --> 00:02:05,830
So it says ttyname failed.

32
00:02:05,830 --> 00:02:06,720
Inappropriate.

33
00:02:06,730 --> 00:02:06,990
OK.

34
00:02:07,000 --> 00:02:07,470
That's fine.

35
00:02:07,570 --> 00:02:08,710
Let's just say whoami.

36
00:02:08,720 --> 00:02:10,460
Root. hostname.

37
00:02:10,600 --> 00:02:12,260
And we're on secnotes.

38
00:02:12,310 --> 00:02:14,260
But don't let this fool you.

39
00:02:14,260 --> 00:02:21,850
This is just the Linux SecNotes, so you can do a quick uname -a and see what we're on; we're on

40
00:02:21,850 --> 00:02:25,420
a Linux machine for Microsoft.

41
00:02:25,420 --> 00:02:28,340
So we're on this subsystem for Linux.

42
00:02:28,400 --> 00:02:31,160
Now we are in a non-TTY.

43
00:02:31,610 --> 00:02:37,760
So what we need to do is try to elevate or escape here, and we're going to do a quick python and do a

44
00:02:37,760 --> 00:02:48,860
-c, and we'll do import pty, and we'll do pty.spawn, and we'll go ahead and give it a

45
00:02:48,860 --> 00:02:50,510
/bin/bash and see if that works.

46
00:02:53,870 --> 00:02:54,140
OK.

47
00:02:54,170 --> 00:02:59,090
Now you can see we have the root@secnotes. If you ever are concerned with TTY escapes, you see

48
00:02:59,090 --> 00:03:06,790
something along those lines, you could do a TTY escape, and this is usually what I go with on a search,

49
00:03:07,380 --> 00:03:09,500
spawning a TTY shell; this netsec.ws

50
00:03:09,530 --> 00:03:12,000
here is really, really good.

51
00:03:12,070 --> 00:03:16,840
You just come in here, click on it, and you can see here's where the Python command came from.

52
00:03:16,840 --> 00:03:23,080
I just did a bash instead of an sh; there's echo, there's all kinds of different options to try to spawn

53
00:03:23,110 --> 00:03:25,000
a TTY shell.

54
00:03:25,060 --> 00:03:28,610
So now we have a TTY shell; that's great.

55
00:03:28,810 --> 00:03:33,460
Now we haven't done any sort of Linux enumeration in this course because it's a Windows course.

56
00:03:33,490 --> 00:03:38,650
But some of the quick things that I like to do when I'm looking is I like to get a lay of the land and

57
00:03:38,650 --> 00:03:41,080
just say, hey, what's my present working directory?

58
00:03:41,080 --> 00:03:41,710
I'm in root.

59
00:03:41,770 --> 00:03:46,180
OK, our present working directory. Do an ls -la.

60
00:03:46,180 --> 00:03:50,710
We could see, OK, well, nothing going on here.

61
00:03:50,710 --> 00:03:56,350
We do have a .bash_history, which we could try to type the history command or just try to cat that out.

62
00:03:56,350 --> 00:03:57,810
I always check the history command.

63
00:03:57,820 --> 00:04:02,110
That's one of the first things I check when I'm doing any sort of Windows or Linux privesc.

64
00:04:02,380 --> 00:04:04,140
I also do like a sudo -l.

65
00:04:04,150 --> 00:04:06,250
However, I don't think that'll run here.

66
00:04:06,250 --> 00:04:10,810
So I already see something very, very interesting, and this is actually really common.

67
00:04:10,810 --> 00:04:17,860
If you're doing sort of like Linux privesc stuff, if you do history, you can see easy wins in history all

68
00:04:17,860 --> 00:04:19,540
the time; it's one of the quick wins.

69
00:04:19,780 --> 00:04:28,220
Look at this command here: smbclient -U administrator, here's a password, here's a 127.0.0.1,

70
00:04:28,350 --> 00:04:28,940
C$.

71
00:04:29,680 --> 00:04:31,510
Well, we can run this command.

72
00:04:31,510 --> 00:04:39,460
This is it, we win, we're going to get root. We can run this command and this will give us

73
00:04:39,940 --> 00:04:43,240
our access to the file system.

74
00:04:43,480 --> 00:04:45,670
So let's take a quick look; I'll show you.

75
00:04:46,180 --> 00:04:51,040
If we just open up a new tab and we just paste that really quick, and we give it the IP address instead

76
00:04:51,040 --> 00:04:57,610
of local, we give it the IP address that it wants, and we just say, what else did it ask for, anything?

77
00:04:57,970 --> 00:05:06,770
Wants us to C drive; use a C$ and an ls, you can see, OK, we've got full access over this system, but that's

78
00:05:06,770 --> 00:05:08,020
not really a shell.

79
00:05:08,180 --> 00:05:09,680
We could go in and we can get the,

80
00:05:09,710 --> 00:05:12,650
the flags, we're trying to capture the flag here.

81
00:05:12,680 --> 00:05:14,740
That's not the true way.

82
00:05:14,750 --> 00:05:17,570
So let's go ahead and exit out of this.

83
00:05:17,750 --> 00:05:20,960
Again, I mentioned Impacket before and I mentioned psexec.

84
00:05:20,960 --> 00:05:24,220
Now I realize that maybe you've never used Impacket.

85
00:05:24,380 --> 00:05:30,620
It is expected that you know what it is at this point, because this isn't a beginner-level course fully.

86
00:05:30,740 --> 00:05:36,560
So I'm going to go ahead and just show you really quick, so you can go Impacket GitHub if you've never

87
00:05:36,560 --> 00:05:37,100
heard of this.

88
00:05:37,100 --> 00:05:43,110
This SecureAuthCorp right here, you just click on this link; very, very easy to install.

89
00:05:43,160 --> 00:05:48,390
You can just do a quick clone or download; grab this link here.

90
00:05:48,440 --> 00:05:49,780
I always put this in my /opt.

91
00:05:49,820 --> 00:05:52,670
So I would go cd /opt.

92
00:05:52,670 --> 00:05:59,330
I would say git clone, paste this in here (I'm not going to actually do it, I already have it), hit enter on

93
00:05:59,330 --> 00:06:06,890
that, then you can cd into your Impacket folder and you could say pip3 install . and it will install

94
00:06:06,890 --> 00:06:07,530
it.

95
00:06:07,730 --> 00:06:12,800
Now I think the original calls for pip install; if you're on Kali 2020 or later, you're not going to

96
00:06:12,800 --> 00:06:17,780
have pip installed by default because now Python 3 is the way to go.

97
00:06:18,200 --> 00:06:24,490
So let's go ahead and imagine you've done all that or you have it ready to go.

98
00:06:24,510 --> 00:06:27,480
Let's take these credentials and try to do something with it.

99
00:06:27,480 --> 00:06:30,710
Now we did the psexec before and we can try it again.

100
00:06:30,720 --> 00:06:33,420
I'm going to show you; this is actually very real world.

101
00:06:33,840 --> 00:06:39,690
So say you tried to do psexec; it's an easy win. You could do administrator and we can say something

102
00:06:39,690 --> 00:06:48,330
along the lines of, paste that, at 10.10.10.97. OK, it's going to try to connect; it

103
00:06:48,330 --> 00:06:53,430
found the ADMIN$ writable share. That means we have admin privileges; we can write to the admin share. It's

104
00:06:53,430 --> 00:06:57,900
amazing, that's what you want to see, except what do we have happening?

105
00:06:57,900 --> 00:07:01,080
Looks like we have some sort of antivirus blocking this again.

106
00:07:01,350 --> 00:07:03,110
This is very common.

107
00:07:03,150 --> 00:07:09,930
So if I were to see this on an assessment, I'm going to go ahead and try to kill this, and maybe we can

108
00:07:09,930 --> 00:07:11,710
just do something else.

109
00:07:11,850 --> 00:07:14,060
So there's a few different execs.

110
00:07:14,070 --> 00:07:19,490
There's an smbexec, which does a very similar thing; gives us kind of a half shell.

111
00:07:19,710 --> 00:07:22,190
So I'll try a wmi or smbexec here.

112
00:07:22,200 --> 00:07:25,580
Another one is called wmiexec. I always try all three.

113
00:07:25,620 --> 00:07:30,800
You never know where you're going to get lucky, and now you're in this semi-interactive shell.

114
00:07:30,810 --> 00:07:35,860
You could say whoami and you're going to return authority\system.

115
00:07:35,880 --> 00:07:38,790
So we are system on this machine.

116
00:07:38,790 --> 00:07:44,460
We do have a full shell, we have full control, we can utilize the netcat that we found.

117
00:07:44,470 --> 00:07:50,550
Go spawn a quick reverse shell and get another shell on this, if we want something fully interactive

118
00:07:50,550 --> 00:07:52,460
as opposed to the semi interactive.

119
00:07:52,680 --> 00:07:56,030
But at this point, this is full ownage of this machine.

120
00:07:56,130 --> 00:07:59,130
So I hope you were able to take it this far. If you weren't,

121
00:07:59,130 --> 00:07:59,750
that's OK.

122
00:07:59,760 --> 00:08:05,270
You're in this class to learn, so keep challenging yourself as we go through these challenges. The challenges

123
00:08:05,270 --> 00:08:12,030
are going to get a little bit harder as we go, up until we get to the lab section of our course and then into

124
00:08:12,030 --> 00:08:12,900
the Capstone.

125
00:08:12,900 --> 00:08:18,180
So from here we're going to keep doing walkthroughs, and we're going to try to build up that mentality

126
00:08:18,180 --> 00:08:22,830
of how to do enumeration, and you'll have a little bit of hints to kind of go along with it, and then

127
00:08:22,830 --> 00:08:25,050
you'll build it all up as we go.

128
00:08:25,050 --> 00:08:26,310
So keep challenging yourself.

129
00:08:26,310 --> 00:08:32,970
This is a struggle; that's absolutely OK, but I will see you in the next section where we're going to

130
00:08:32,970 --> 00:08:38,520
be covering impersonation attacks, and this is some of my favorite; it gets down to real world and some

131
00:08:38,520 --> 00:08:41,460
of this, and we're going to do one of my favorite Hack The Box machines as well.

132
00:08:41,490 --> 00:08:44,190
So I will see you guys in the next section.
