1
00:00:00,330 --> 00:00:04,130
OK, so now we're on the machine and we need to escalate.

2
00:00:04,350 --> 00:00:07,370
So I'm not going to show you the enumeration process.

3
00:00:07,370 --> 00:00:13,170
I think we've hammered that pretty hard, at least from a PowerUp or a winPEAS perspective, or how we

4
00:00:13,170 --> 00:00:14,460
would define this.

5
00:00:14,460 --> 00:00:20,220
We're on an RDP session, which gives us an advantage. That gives us the view advantage: we get to

6
00:00:20,220 --> 00:00:24,720
click around and really look at things like a regular user would.

7
00:00:24,720 --> 00:00:27,680
So what we can do is just look at what's in front of us.

8
00:00:27,700 --> 00:00:33,690
Anytime I have RDP and I have a session that's intentional through the machine, I'm going

9
00:00:33,690 --> 00:00:39,140
to look around, because there's probably stuff here that the creator of the box wants us to find.

10
00:00:39,390 --> 00:00:45,270
One thing is, in the recycle bin we found that hhupd.exe.

11
00:00:45,280 --> 00:00:51,000
Now we have no idea what it is, but if we go into Internet Explorer and we start looking around there,

12
00:00:51,360 --> 00:00:56,340
I like to snoop, so Internet Explorer is one of the first things I look at, or your browser or anything, because

13
00:00:56,340 --> 00:01:01,200
I want to see what you're looking at, or if you had any data you're hiding or anything.

14
00:01:01,200 --> 00:01:06,450
So Internet Explorer is a great place to go look, and I just look through the history here.

15
00:01:06,450 --> 00:01:11,670
Favorites are a great place to look too; sometimes box creators put information in there, or little bits

16
00:01:11,730 --> 00:01:13,770
of hints.

17
00:01:13,800 --> 00:01:16,890
So this is what we're getting here is we're getting a hint in the history.

18
00:01:16,890 --> 00:01:23,070
If you look at the nist.gov one, they're looking at CVE-2019-1388.

19
00:01:23,130 --> 00:01:30,790
Now if you looked at that Zero Day Initiative video, it said hey, we need this hhupd.exe.

20
00:01:30,960 --> 00:01:37,680
So my guess is this person thinks that there is this escalation opportunity here, and they are playing

21
00:01:37,680 --> 00:01:42,660
around with it, and then they delete the file, but they actually didn't clear it out completely.

22
00:01:42,660 --> 00:01:46,110
So what we're going to do is we're just going to restore this file.

23
00:01:46,110 --> 00:01:51,300
This might take a second because this box is kind of slow, but go ahead and drag the file to your desktop,

24
00:01:54,920 --> 00:01:58,040
and now let's make sure that we close out of Internet Explorer.

25
00:01:58,040 --> 00:02:01,400
This is critical: let's close out of Internet Explorer.

26
00:02:01,490 --> 00:02:07,790
The reason being, when we run this exploit it's going to spawn Internet Explorer for us, and it's going

27
00:02:07,790 --> 00:02:10,730
to spawn Internet Explorer running as SYSTEM.

28
00:02:10,730 --> 00:02:13,460
We want to make sure that it's all closed down.

29
00:02:13,460 --> 00:02:19,070
So now what we're going to do is we're going to right-click on this hhupd.exe, and you want to double-check the

30
00:02:19,070 --> 00:02:24,650
properties and make sure that there is no security feature here. If there is, just go ahead and click on

31
00:02:24,650 --> 00:02:35,860
Unblock, and then we're going to right-click on this and say Run as administrator.

32
00:02:35,910 --> 00:02:42,240
Now we're going to get the UAC prompt, and this is a prompt that we've all probably seen before.

33
00:02:42,240 --> 00:02:44,840
It says, hey, you don't have permission to do this.

34
00:02:44,880 --> 00:02:47,490
You need to run as an administrator.

35
00:02:47,580 --> 00:02:53,850
Now if we click Show more details here, we'll see that there is Show information about the publisher's

36
00:02:53,910 --> 00:02:54,750
certificate.

37
00:02:54,750 --> 00:02:57,540
Here is where the flaw takes place.

38
00:02:57,540 --> 00:03:04,410
When we click on this Issued by and we click to see the certificate, what happens is this opens up Internet

39
00:03:04,410 --> 00:03:09,240
Explorer, and it opens up Internet Explorer as SYSTEM.

40
00:03:09,240 --> 00:03:14,670
So when we navigate to Internet Explorer, now that it's going to be open, it's going to be running as SYSTEM,

41
00:03:14,700 --> 00:03:19,290
and we're going to be able to pop a SYSTEM-level shell doing this.

42
00:03:19,340 --> 00:03:20,170
So let's go ahead and just hit

43
00:03:20,200 --> 00:03:20,620
OK

44
00:03:20,630 --> 00:03:23,690
here, and Internet Explorer should be running in the background.

45
00:03:23,700 --> 00:03:28,860
We're going to go ahead and hit No here; you can see that it's trying to load this VeriSign page.

46
00:03:28,860 --> 00:03:38,640
So what I'm going to do is I'm just going to click on this little wheel here and select File, Save as.

47
00:03:43,590 --> 00:03:48,480
You're going to see that this error pops up; we're just going to ignore it, OK.

48
00:03:48,490 --> 00:03:52,050
So what we're going to do is we're going to go ahead and just type in here.

49
00:03:52,360 --> 00:04:04,210
We're going to say C:\Windows\System32, and then we're going to do an asterisk dot asterisk, asterisk

50
00:04:04,210 --> 00:04:13,780
period asterisk, hit enter, and it's going to say, hey, look here, we're going to have all sorts of files.

51
00:04:14,120 --> 00:04:19,550
So one of the files that we're going to have in here is going to be the command prompt, cmd, so scroll up just

52
00:04:19,550 --> 00:04:20,490
a little bit.

53
00:04:22,300 --> 00:04:24,610
And you'll see it's here.

54
00:04:24,610 --> 00:04:33,280
We're going to go ahead and just right-click on that and say Open.

55
00:04:33,470 --> 00:04:34,100
We're going to type in.

56
00:04:34,100 --> 00:04:34,670
whoami

57
00:04:40,510 --> 00:04:43,140
and you see that we are NT AUTHORITY\SYSTEM.

58
00:04:43,300 --> 00:04:51,340
So we have elevated this machine, and this is crazy because this was a 2019, late 2019

59
00:04:51,340 --> 00:04:51,850
exploit.

60
00:04:51,880 --> 00:04:57,850
So this is relatively new; this is something that you still will see on perhaps some older machines, or

61
00:04:57,850 --> 00:05:01,760
you might see this again in any sort of CTF environment.

62
00:05:01,780 --> 00:05:06,460
This is a really, really nice one, a really new one, and it's neat because it's something that we see all

63
00:05:06,460 --> 00:05:12,160
the time, and it just opens up this Internet Explorer for us, and all we have to do is open up a command

64
00:05:12,160 --> 00:05:12,510
prompt.

65
00:05:12,520 --> 00:05:14,480
Super, super easy.

66
00:05:14,560 --> 00:05:16,680
So hopefully this is valuable for you.

67
00:05:16,750 --> 00:05:19,690
From here we're going to move on to the capstone of the course.

68
00:05:19,690 --> 00:05:21,100
I'm really excited.

69
00:05:21,100 --> 00:05:24,910
So I'll meet you over at the capstone of the course, when I explain the challenge and what we're going to

70
00:05:24,910 --> 00:05:25,500
do.

71
00:05:25,630 --> 00:05:27,460
And then we'll move on from there.

72
00:05:27,730 --> 00:05:29,250
And we're nearing the end of this.

73
00:05:29,280 --> 00:05:31,900
So hopefully you have been enjoying this so far.

74
00:05:32,260 --> 00:05:35,100
I'll catch you in the next video as we talk about the course capstone.
