1
00:00:00,470 --> 00:00:00,780
All right.

2
00:00:00,780 --> 00:00:03,840
So here we are at our telnet session.

3
00:00:03,990 --> 00:00:11,610
Now when we spoke in the last video, we talked about the command cmdkey /list being the big hint of

4
00:00:11,610 --> 00:00:18,290
what we need to do, and when we talk about methodology, this is just another tool to add to your toolkit.

5
00:00:18,360 --> 00:00:21,370
From here there's a lot of different paths that we can take.

6
00:00:21,600 --> 00:00:29,580
We can utilize this telnet session, which is a shell, and use it to navigate around. Perhaps we can

7
00:00:29,580 --> 00:00:38,010
try to run some sort of PowerShell, or run a tool like winPEAS or PowerUp, etc., and see what the

8
00:00:38,010 --> 00:00:38,960
lay of the land is.

9
00:00:38,970 --> 00:00:43,770
We can absolutely even just look for hints around the environment itself.

10
00:00:43,770 --> 00:00:49,680
We can navigate and see if there's anything in the security folder, or this user security's desktop or

11
00:00:49,680 --> 00:00:50,850
documents.

12
00:00:50,850 --> 00:00:55,770
If there's anything in Program Files. We're going to do our due diligence and kind of just work

13
00:00:55,770 --> 00:00:56,880
down a checklist.

14
00:00:56,940 --> 00:00:59,850
And that's the point we're at: we're just working on a checklist.

15
00:00:59,850 --> 00:01:06,750
So even though I show you the escalation path here, it's just to show you a tool for your toolkit.

16
00:01:06,750 --> 00:01:13,650
So keep this in mind. Again, from the very first or second video I told you to take good notes.

17
00:01:13,650 --> 00:01:15,000
Add this to your notes.

18
00:01:15,090 --> 00:01:15,410
OK.

19
00:01:15,420 --> 00:01:21,310
So what we're looking at is cmdkey /list.

20
00:01:21,850 --> 00:01:30,540
If I could type it: cmdkey /list, and you're going to see here that we currently have

21
00:01:30,540 --> 00:01:34,710
stored credentials for the target ACCESS\Administrator.

22
00:01:34,710 --> 00:01:36,120
So that's great.

23
00:01:36,120 --> 00:01:38,820
And we have a domain password stored.

24
00:01:39,690 --> 00:01:44,940
So we're going to use a tool called runas.exe, which is built into Windows.

25
00:01:44,940 --> 00:01:50,220
Now I'm going to copy a command, because you just saw what happened when I fat fingered this, and I fat

26
00:01:50,220 --> 00:01:51,060
finger all the time.

27
00:01:51,060 --> 00:01:58,160
So I'm going to copy the command, and then you can just copy this as well while I'm speaking about it.

28
00:01:58,180 --> 00:02:04,820
So what the command is: we're going to run System32\runas.exe, and we're going to say, hey, I

29
00:02:04,820 --> 00:02:12,890
want to use the user ACCESS\Administrator, and with this user ACCESS\Administrator I want to run the

30
00:02:12,920 --> 00:02:18,550
/savecred. /savecred is just, hey, I'm going to use the same credentials that are here for me.

31
00:02:18,790 --> 00:02:28,510
We're going to run cmd.exe /c, and then we're going to just copy over the

32
00:02:28,730 --> 00:02:29,220
root.txt.

33
00:02:29,260 --> 00:02:30,280
We're going to type it out.

34
00:02:30,280 --> 00:02:36,970
This is basically an echo command; we're going to type out the command and drop it into the security folder

35
00:02:36,970 --> 00:02:38,230
as root.txt.

36
00:02:38,230 --> 00:02:41,360
Now there's a lot of different ways that we can do this.

37
00:02:41,440 --> 00:02:47,440
We could say, hey, I want to run cmd.exe and just run a copy, and we can copy the file over.

38
00:02:47,440 --> 00:02:49,020
So we have options, right?

39
00:02:49,030 --> 00:02:51,860
So the type command is just one way of doing this.

40
00:02:52,030 --> 00:02:54,100
Now we're using full paths here.

41
00:02:54,100 --> 00:03:00,220
There's a chance that we could just use runas.exe and cmd.exe, which is always good, but just practice

42
00:03:00,220 --> 00:03:03,070
using the full path in case the path isn't there.

43
00:03:03,070 --> 00:03:06,740
So if you were to come in here and try this and it doesn't give you any indication of whether or not

44
00:03:06,740 --> 00:03:12,850
it's working, or whether or not the runas is working at all, then you might lose your mind

45
00:03:12,850 --> 00:03:17,390
and say, you know, I'm sure this is it, but maybe there's a different path out there, and just abandon ship.

46
00:03:17,560 --> 00:03:21,100
So you don't want to do that. You want to make sure that you call the full path just

47
00:03:21,100 --> 00:03:21,700
to be safe.

48
00:03:21,730 --> 00:03:28,700
So here we are. If we hit enter on this and we now type in dir, you can see we've grabbed this

49
00:03:28,760 --> 00:03:30,020
root.txt.

50
00:03:30,720 --> 00:03:38,210
And we could prove the concept by just doing a type here. If we say type root.txt and see if this

51
00:03:38,210 --> 00:03:44,750
works. Now we should get access denied, so access is denied. But now we've copied that file. Why?

52
00:03:44,780 --> 00:03:48,120
Because we're acting as the administrator on this machine.

53
00:03:48,120 --> 00:03:53,570
And that's really the big takeaway: if you have the ability to runas, you've got a lot of flexibility;

54
00:03:53,990 --> 00:03:56,090
you can run different commands.

55
00:03:56,090 --> 00:04:02,180
We ran a command, as you see, with a /c. Imagine the flexibility and types of commands that you can

56
00:04:02,180 --> 00:04:07,240
run. Just because we did a type here, or we could do a copy, doesn't mean we can't do other commands here

57
00:04:07,250 --> 00:04:08,920
that could be beneficial to us.

58
00:04:08,990 --> 00:04:12,480
So hopefully that gets your wheels spinning as to how powerful this is.

59
00:04:12,590 --> 00:04:14,750
You could think of this just as like a sudo command.

60
00:04:14,780 --> 00:04:17,930
I'm going to run sudo as this user.

61
00:04:17,940 --> 00:04:23,090
So if you're familiar with Linux, same thing: we're running as a user. The only benefit here is we don't

62
00:04:23,090 --> 00:04:25,750
have to have the credentials; they're stored for us.

63
00:04:25,850 --> 00:04:27,380
So it's super nice.

64
00:04:27,500 --> 00:04:29,640
So that's it for this lesson.

65
00:04:29,660 --> 00:04:31,640
I'll catch you over in the next section.
