1
00:00:00,690 --> 00:00:06,690
And let's use winPEAS now. winPEAS GitHub.

2
00:00:08,540 --> 00:00:14,620
At first it takes you here, right, and this is pretty awesome. You think, oh, this is cool.

3
00:00:14,650 --> 00:00:19,210
You know, we've got some EXEs, we've got some BATs, .NET 4.5 is required.

4
00:00:20,780 --> 00:00:25,660
If you click into this, you'll see some solution files, which aren't executables.

5
00:00:25,670 --> 00:00:27,370
You might be wondering, like, how do you run this?

6
00:00:28,480 --> 00:00:32,320
Now, it turns out you actually have to compile this in Visual Studio, which means you need to, you

7
00:00:32,320 --> 00:00:36,880
know, download Visual Studio, set it up, and you could do that and actually have a Windows host here.

8
00:00:37,240 --> 00:00:40,500
And I can walk you through that process, but it's a lot easier if you get it pre-compiled.

9
00:00:41,320 --> 00:00:45,820
And so what we're going to do is we're going to go to a new, relatively new collection called the Sharp

10
00:00:45,820 --> 00:00:49,920
Collection, SharpCollection GitHub.

11
00:00:49,960 --> 00:00:58,060
This is just a collection of applications that were written in C#, pre-built in all of

12
00:00:58,060 --> 00:01:00,450
the required .NET Framework versions.

13
00:01:01,360 --> 00:01:08,530
So, you know, this is really nice because it's an automated system that just, you know, checks for

14
00:01:08,530 --> 00:01:12,640
any new commits against any of the major C# repositories.

15
00:01:12,640 --> 00:01:14,690
And it just adds them into this repo.

16
00:01:15,580 --> 00:01:20,920
So we've got stuff for like, you know, SweetPotato, which is the local escalation for Windows boxes.

17
00:01:21,400 --> 00:01:25,390
We've got Seatbelt, which is kind of like PowerUp and Watson.

18
00:01:25,690 --> 00:01:28,480
And it's also in the same category as winPEAS.

19
00:01:28,870 --> 00:01:29,140
Right.

20
00:01:29,180 --> 00:01:34,480
This is local Windows escalation based on these configurations, and then there's like SafetyKatz,

21
00:01:34,480 --> 00:01:37,990
which is kind of like Mimikatz, but a little bit better with a bunch of other things.

22
00:01:38,930 --> 00:01:40,200
So let's go ahead and find winPEAS.

23
00:01:40,210 --> 00:01:42,670
But before we do that, we need to know what .NET version we're at.

24
00:01:44,980 --> 00:01:46,890
.NET version command line.

25
00:01:59,070 --> 00:02:00,240
So I can look at the registry.

26
00:02:02,830 --> 00:02:05,830
And it looks like if we go here, we should be able to find it.

27
00:02:06,280 --> 00:02:12,060
Copy that, and we can actually go into the registry like this.

28
00:02:12,670 --> 00:02:15,220
So, you know, I just cd'd into HKEY_LOCAL_MACHINE.

29
00:02:15,320 --> 00:02:21,370
That's because PowerShell has this thing called providers, which allows you to navigate various data structures

30
00:02:21,370 --> 00:02:22,360
just like your local drive.

31
00:02:22,390 --> 00:02:23,490
So this is really, really cool.

32
00:02:25,360 --> 00:02:30,970
And I'm in the HKLM provider. Let's just backspace all of this out.

33
00:02:33,750 --> 00:02:34,470
That didn't work.

34
00:02:34,890 --> 00:02:35,670
Maybe it's not there.

35
00:02:35,760 --> 00:02:36,420
Let's try this one.

36
00:02:37,630 --> 00:02:38,060
Nope.

37
00:02:42,400 --> 00:02:52,000
I see Microsoft, that works. Let's go [inaudible] forward slash NET.

38
00:02:54,420 --> 00:02:56,220
So it is just NET Framework Setup.

39
00:03:02,600 --> 00:03:05,540
And there we go, we have version 4.

40
00:03:08,690 --> 00:03:10,500
But we probably need to see the NDP.

41
00:03:14,330 --> 00:03:16,850
Yeah, so we're v4.

42
00:03:20,280 --> 00:03:24,170
And we can get an exact version here, 4.8.03761.

43
00:03:26,040 --> 00:03:30,570
So we need to know that we're at version 4 because now if we go to SharpCollection, we can grab that

44
00:03:30,810 --> 00:03:31,370
version.

45
00:03:32,880 --> 00:03:36,060
Now, we don't know if it's a 64-bit or a 32-bit.

46
00:03:36,530 --> 00:03:39,900
Let's just try a 64-bit application for now.

47
00:03:43,680 --> 00:03:45,360
Copy link location.

48
00:03:49,440 --> 00:03:54,480
I see, sudo wget [inaudible].

49
00:03:56,010 --> 00:03:56,430
Enter.

50
00:04:03,540 --> 00:04:07,530
Nice, we've got it. Now, let's just make sure we got it.

51
00:04:11,290 --> 00:04:12,530
No, that's not right.

52
00:04:12,560 --> 00:04:20,050
So this is an HTML document. If we actually less this, you'll see it actually has an HTML document that's

53
00:04:20,050 --> 00:04:20,890
named winPEASany.exe.

54
00:04:22,810 --> 00:04:23,500
Let's fix that.

55
00:04:26,140 --> 00:04:27,430
Yeah, we want the raw link.

56
00:04:27,910 --> 00:04:28,210
Right.

57
00:04:28,210 --> 00:04:30,090
Click Copy Link Location.

58
00:04:30,460 --> 00:04:34,120
That's why it's always good to verify what you download with the file command.

59
00:04:34,240 --> 00:04:36,960
We get to be in there.

60
00:04:39,740 --> 00:04:40,800
All right, so.

61
00:04:41,970 --> 00:04:42,840
What happened here?

62
00:04:47,980 --> 00:04:52,990
You know, we're probably at this link, yeah, this raw link still isn't what we need, we need

63
00:04:52,990 --> 00:04:56,290
this download thing here, because if you look at the status bar, you see it actually ends in that

64
00:04:56,290 --> 00:04:56,770
.exe.

65
00:04:57,310 --> 00:05:00,190
This one ends in raw=true.

66
00:05:00,520 --> 00:05:03,820
So we'll copy link location.

67
00:05:05,380 --> 00:05:06,520
Let's remove the other ones.

68
00:05:16,090 --> 00:05:21,040
We've got winPEAS, found winPEAS, and this is a 32-bit executable?

69
00:05:22,030 --> 00:05:23,400
Well, it's a PE32.

70
00:05:23,410 --> 00:05:24,400
It's actually 64-bit.

71
00:05:24,660 --> 00:05:26,440
But the point is, it's a .NET assembly.

72
00:05:26,650 --> 00:05:27,700
This is exactly what we need.

73
00:05:28,240 --> 00:05:34,300
And our web server is serving out of this directory, out of the home box control directory, on port 80.

74
00:05:35,140 --> 00:05:42,180
So back in our shell, we should be able to do wget, which is an alias for Invoke-WebRequest.

75
00:05:42,790 --> 00:05:47,710
And this will allow us to download this file from 14 10.

76
00:05:48,700 --> 00:05:53,920
Now, before we do this, let's make sure we are in the right directory, because if we run winPEAS from

77
00:05:53,920 --> 00:05:54,970
a restricted directory.

78
00:05:54,970 --> 00:05:56,230
it might get blocked by AV.

79
00:05:56,800 --> 00:05:59,410
So we want to make sure we're in the right directory before we try to run this.

80
00:06:00,490 --> 00:06:04,660
Let's go back to Hector's directory.

81
00:06:06,910 --> 00:06:08,080
Let's go back to documents.

82
00:06:09,470 --> 00:06:09,880
All right.

83
00:06:09,880 --> 00:06:13,750
So, wget 14 10.

84
00:06:15,010 --> 00:06:26,560
winPEASany.exe, oh, winPEASany.exe. Nice, here's winPEAS here, and you can see the HTTP

85
00:06:26,560 --> 00:06:30,310
request went through, so now we can run it,

86
00:06:33,550 --> 00:06:34,240
see what we get.

87
00:06:36,120 --> 00:06:43,730
All right, winPEAS is finished, it took about one minute, maybe a little less than that.

88
00:06:44,510 --> 00:06:49,610
So I see a lot of red, and that's good for us because it usually means something we can grab or

89
00:06:49,610 --> 00:06:50,660
exploit or abuse.

90
00:06:51,560 --> 00:06:53,470
So we've got winPEAS, let's start.

91
00:06:54,110 --> 00:06:58,520
So red indicates special privilege, or an object or something that's misconfigured.

92
00:06:58,520 --> 00:06:58,820
Right.

93
00:07:00,530 --> 00:07:06,540
That's generally what we're looking for. Now, just to start, you can see that there's no PowerShell logging

94
00:07:06,540 --> 00:07:07,600
enabled, right?

95
00:07:07,620 --> 00:07:12,170
So we can use PowerShell all day on this box in abusive ways and it will not be logged.

96
00:07:12,180 --> 00:07:13,200
So that's really good to know.

97
00:07:13,710 --> 00:07:16,500
We also notice that there's a history file called console history.

98
00:07:16,500 --> 00:07:16,740
Right.

99
00:07:17,340 --> 00:07:21,680
This is interesting because it's kind of like a bash history. By the way, Ctrl+C.

100
00:07:22,320 --> 00:07:22,800
I do.

101
00:07:23,910 --> 00:07:26,130
Let's see, if I go to my home directory.

102
00:07:26,700 --> 00:07:27,540
I do cat

103
00:07:29,160 --> 00:07:31,350
.bash_history.

104
00:07:32,380 --> 00:07:37,510
Enter. You see, this is a catalog of all the commands I've been typing, right? This is on Linux.

105
00:07:37,510 --> 00:07:41,950
Well, on Windows there's something similar in PowerShell, and it's called this console history.

106
00:07:42,550 --> 00:07:42,900
Right.

107
00:07:42,910 --> 00:07:45,730
So this might be interesting.

108
00:07:45,730 --> 00:07:51,460
If we can see what commands the user typed, we might get some clues on what we need to do, right, to

109
00:07:51,460 --> 00:07:52,320
compromise this box.

110
00:07:52,330 --> 00:07:56,680
It could be clear text credentials that were entered as arguments to specific commands.

111
00:07:56,980 --> 00:07:58,390
So much goodness that can come out of that.

112
00:07:59,110 --> 00:08:00,490
And let's just continue to scroll down.

113
00:08:02,080 --> 00:08:03,510
By the way, LAPS is not installed.

114
00:08:03,520 --> 00:08:07,450
So that means, if they... this is the Local Administrator Password Solution.

115
00:08:07,690 --> 00:08:11,710
So, you know, if we had multiple machines, if this was a real engagement.

116
00:08:11,710 --> 00:08:16,690
You had multiple machines and they were all using the same local administrator password, then you can

117
00:08:16,690 --> 00:08:18,610
use that to pivot from one machine to the next.

118
00:08:19,450 --> 00:08:24,280
And there are some other things that are not enabled that's going to definitely help us in our exploitation

119
00:08:25,090 --> 00:08:25,930
of this machine.

120
00:08:27,110 --> 00:08:29,730
You can see here we can write.

121
00:08:31,260 --> 00:08:35,380
We can actually create directories on the C drive and there's no way they'd detect it.

122
00:08:35,380 --> 00:08:36,040
That's awesome.

123
00:08:36,430 --> 00:08:38,350
So we can basically work under the radar.

124
00:08:38,950 --> 00:08:39,310
Right.

125
00:08:40,810 --> 00:08:42,130
And we could go down basically.

126
00:08:42,130 --> 00:08:43,150
I'm just looking for the red.

127
00:08:46,460 --> 00:08:51,230
I have access to the home folder, already knew that. Let's go down, go down, and this is interesting,

128
00:08:51,860 --> 00:08:53,450
modifiable services.

129
00:08:55,070 --> 00:08:57,890
So I can't modify a service binary, right?

130
00:08:58,550 --> 00:09:01,260
But I can modify registry locations, is what it's saying.

131
00:09:01,520 --> 00:09:02,450
So this is interesting.

132
00:09:03,200 --> 00:09:05,840
A service typically runs as SYSTEM.

133
00:09:07,570 --> 00:09:13,930
And it's mapped to a binary that exists on the file system somewhere. If a standard user has write

134
00:09:13,930 --> 00:09:19,120
access to the folder containing the binary, they can possibly replace it with a nefarious process,

135
00:09:19,570 --> 00:09:21,550
restart the service or restart the box.

136
00:09:22,540 --> 00:09:31,090
And then if that executable happens to be Meterpreter or some other evil binary, then if it shovels

137
00:09:31,090 --> 00:09:36,310
a shell to the attacker, the shell will reach the attacker with the privileges of the service account

138
00:09:36,310 --> 00:09:42,460
that is running the binary, which means the attacker would have SYSTEM access to the machine, which

139
00:09:42,460 --> 00:09:44,260
is just like administrator's God mode.

140
00:09:44,770 --> 00:09:45,100
Right.

141
00:09:45,130 --> 00:09:48,160
We don't have that ability, but we can write to the registry.

142
00:09:48,700 --> 00:09:50,350
And that's what this section is about.

143
00:09:50,770 --> 00:09:54,760
You can see here Hector can take ownership of all these keys.

144
00:09:55,090 --> 00:09:58,600
And we're going to confirm this using AccessChk, which is a Sysinternals tool.

145
00:09:59,140 --> 00:10:02,320
But this is very, very interesting.

146
00:10:02,320 --> 00:10:11,650
Right, because if we can modify the ImagePath of a binary in the registry, we might be able to gain

147
00:10:12,880 --> 00:10:14,770
vertical privilege escalation that way.

148
00:10:17,870 --> 00:10:18,860
Let's keep going down here.

149
00:10:21,110 --> 00:10:22,950
Let's see the DLL hijacking.

150
00:10:22,970 --> 00:10:24,290
Nothing there, nothing there.

151
00:10:27,860 --> 00:10:29,840
Yeah, nothing else is really interesting here.

152
00:10:32,160 --> 00:10:33,060
That I'm seeing.

153
00:10:36,610 --> 00:10:41,260
This part did exist, unattended example, but you can see the password was deleted. Sometimes you can

154
00:10:41,260 --> 00:10:47,230
find it in these unattended files, which is just a way for network administrators to automate the deployment

155
00:10:47,230 --> 00:10:48,430
of hosts.

156
00:10:48,850 --> 00:10:53,350
And when you automate things, sometimes you need to put passwords so things happen automatically and

157
00:10:53,350 --> 00:10:56,320
remnants of it can be left behind, which you can retrieve from here.

158
00:10:56,820 --> 00:10:57,790
But it's been removed.

159
00:10:58,830 --> 00:10:59,290
There we go.

160
00:11:00,120 --> 00:11:09,610
So let's go ahead and do Get, whoops, Get-Content on that file that it showed us.

161
00:11:10,590 --> 00:11:14,510
So the PowerShell history, these are the only commands that were executed, that's quite interesting.

162
00:11:15,930 --> 00:11:18,170
Let's go ahead and look at these commands.

163
00:11:18,180 --> 00:11:24,390
Let's go ahead and get AccessChk by Sysinternals on here so that we can corroborate what we're

164
00:11:24,390 --> 00:11:25,070
seeing in winPEAS.

165
00:11:25,080 --> 00:11:30,210
I always like to use multiple tools to confirm what I'm seeing here.

166
00:11:30,210 --> 00:11:34,560
We go to Sysinternals, download AccessChk.

167
00:11:35,490 --> 00:11:36,580
Copy location.

168
00:11:37,140 --> 00:11:37,890
Go back here.

169
00:11:39,540 --> 00:11:40,260
sudo.

170
00:11:40,410 --> 00:11:41,600
wget control.

171
00:11:41,610 --> 00:11:44,400
Should be all right.

172
00:11:44,410 --> 00:11:47,310
sudo unzip accesschk.

173
00:11:48,460 --> 00:11:55,800
So now we've got this file in the root of this web server, which we can now pull from Hector's machine.

174
00:11:57,340 --> 00:11:58,050
So let's do that.

175
00:11:58,800 --> 00:12:04,920
IEX, Invoke-WebRequest, 14 10, accesschk.

176
00:12:05,130 --> 00:12:07,560
This one, the 64-bit version.

177
00:12:11,820 --> 00:12:13,530
UseBasicParsing.

178
00:12:16,900 --> 00:12:20,090
What am I doing? That's not what we're supposed to do, we're going to do wget.

179
00:12:29,220 --> 00:12:34,280
And the output is going to be accesschk64.exe.

180
00:12:36,940 --> 00:12:38,020
All right, so it looks like.

181
00:12:40,540 --> 00:12:41,660
We have the request here.

182
00:12:42,130 --> 00:12:43,870
We didn't get our prompt back.

183
00:12:47,040 --> 00:12:48,660
All right, so it looks like something broke.

184
00:12:48,960 --> 00:12:52,000
Now, you might say, oh no, we just lost our shell, right?

185
00:12:52,710 --> 00:12:55,900
No worries. Right now, I'm glad this happened because I want to show you how easy it is to get it back.

186
00:12:56,550 --> 00:13:00,600
Listen on port 443, go back to Burp.

187
00:13:02,950 --> 00:13:03,760
Ctrl+Space.

188
00:13:05,440 --> 00:13:10,900
We're back here and we're going to type everything back, right, as an ethical hacker.

189
00:13:13,200 --> 00:13:14,700
Because fidelity.

190
00:13:16,690 --> 00:13:22,000
Password, two, which you get a string credential object there.

191
00:13:24,570 --> 00:13:29,400
And then before we run the evil command, we need to make sure we are listening on port

192
00:13:31,030 --> 00:13:38,860
443 again to get our PowerShell back, and then we can execute it.

193
00:13:40,200 --> 00:13:41,800
Now we're back in business with Hector.

194
00:13:43,730 --> 00:13:49,480
-OutFile, copy, see if the request goes through this time.

195
00:13:49,530 --> 00:13:50,510
Shell, hang with it.

196
00:13:50,510 --> 00:13:52,220
Here you see it.

197
00:13:52,220 --> 00:13:53,060
And can we run it?

198
00:13:58,240 --> 00:13:59,890
Think I have this going the wrong way.

199
00:14:02,050 --> 00:14:02,980
Yes, we can.

200
00:14:04,300 --> 00:14:06,330
So what do we want to do here?

201
00:14:08,630 --> 00:14:12,920
Well, we just want to verify what we saw in winPEAS, right, with the registry rights.

202
00:14:13,730 --> 00:14:18,200
So let's see if the registry.

203
00:14:20,640 --> 00:14:26,760
So we run accesschk, here, account name, and then we have all these flags we can run.

204
00:14:27,960 --> 00:14:29,790
OK, -k, registry keys.

205
00:14:29,850 --> 00:14:37,710
This will show the name as a registry key, so we can then specify a specific registry key that was

206
00:14:37,720 --> 00:14:38,820
reported from winPEAS.

207
00:14:42,110 --> 00:14:49,240
Show only objects that I have write access to, I can recurse and suppress the errors. That looks like they'll

208
00:14:49,250 --> 00:14:49,660
be good.

209
00:14:56,060 --> 00:14:59,600
And then, of course, we need to put the registry key, that's the one we got from winPEAS.

210
00:15:00,900 --> 00:15:01,890
So we'll just put it in.

211
00:15:13,650 --> 00:15:20,310
Yeah, so, again, we're getting pretty much what we saw from winPEAS with write control, you know,

212
00:15:20,370 --> 00:15:24,650
RW, read/write, Hector, Hector can write to this registry key.

213
00:15:24,690 --> 00:15:26,870
Right, you know, to all this.

214
00:15:27,990 --> 00:15:29,610
So this is going to be interesting for us.

215
00:15:30,600 --> 00:15:33,180
So let's go ahead and do some stuff here.

216
00:15:33,720 --> 00:15:39,420
First thing I want to do is I want to get all of the registry keys that are relevant to this.

217
00:15:43,140 --> 00:15:43,830
HKLM.

218
00:15:44,220 --> 00:15:53,430
Let's go to System, CurrentControlSet, Services.

219
00:15:55,810 --> 00:15:58,720
I think I can ls at the end to see all the services, right?

220
00:15:59,110 --> 00:16:00,610
I just look at all the services on the box.

221
00:16:00,620 --> 00:16:01,080
Here we go.

222
00:16:01,660 --> 00:16:10,540
Let's save that to a variable, name it services. Right now, we can just type services and get a

223
00:16:10,540 --> 00:16:11,330
list of all the services.

224
00:16:11,350 --> 00:16:13,120
So these are all services on the box.

225
00:16:14,450 --> 00:16:19,880
Now, you know, I want to make sure I only get services that are running as SYSTEM and that I can restart,

226
00:16:20,780 --> 00:16:22,170
right, because that's what we're going to need.

227
00:16:22,190 --> 00:16:24,070
We want the service to run as SYSTEM so we can escalate.

228
00:16:24,080 --> 00:16:27,750
We need to be able to restart it so that we can, you know, execute our exploit.

229
00:16:28,940 --> 00:16:31,850
So what can we do to do that?

230
00:16:31,880 --> 00:16:34,010
Well, let's go and start looking through some of these fields.

231
00:16:35,480 --> 00:16:35,930
Here we go.

232
00:16:36,100 --> 00:16:39,830
Let's see, the ObjectName field contains the account that the service is running as.

233
00:16:40,220 --> 00:16:43,010
The service name is PSChildName.

234
00:16:43,460 --> 00:16:49,280
So PSChildName Search is a service running as SYSTEM and its Start is 4.

235
00:16:49,850 --> 00:16:51,910
So we need to get a list of all the service Start numbers.

236
00:16:52,910 --> 00:16:54,530
Let's do that real quick.

237
00:17:07,170 --> 00:17:10,920
Service start type values, that was better.

238
00:17:12,130 --> 00:17:12,620
Here we go.

239
00:17:13,060 --> 00:17:17,350
So we want Manual: this service does not start automatically, it must be manually started by the user.

240
00:17:18,880 --> 00:17:21,850
So that type equals 3 for Start.

241
00:17:23,980 --> 00:17:28,690
Let's build this query out, we can take services.

242
00:17:30,370 --> 00:17:38,280
And we can pipe it to Where-Object, this is kind of like a filter, and in this block we can say we

243
00:17:38,290 --> 00:17:44,130
want to get the services returned that meet this criteria.

244
00:17:47,490 --> 00:17:52,630
The ObjectName is equal to LocalSystem, right?

245
00:17:53,520 --> 00:17:58,560
By the way, this little crazy thing right here, this just means take the current object passed along

246
00:17:58,560 --> 00:18:00,700
the pipeline. This is the pipe.

247
00:18:01,140 --> 00:18:02,420
This is called the pipeline.

248
00:18:03,000 --> 00:18:06,510
We're passing the results of this object into this object.

249
00:18:06,930 --> 00:18:09,730
And this actually literally says this object, the current object.

250
00:18:10,230 --> 00:18:16,410
Take this property from the current object, which is ObjectName, which contains, you know, the

251
00:18:16,410 --> 00:18:21,740
account that's running the object, and only return the services that are running as LocalSystem.

252
00:18:22,170 --> 00:18:22,440
Right.

253
00:18:23,220 --> 00:18:24,270
So all these should say.

254
00:18:26,400 --> 00:18:35,090
LocalSystem for the name, for example, we'd like a Select-Object ObjectName, yeah, LocalSystem,

255
00:18:35,100 --> 00:18:35,360
right.

256
00:18:40,930 --> 00:18:47,590
And these are all of the services, but we also want to make sure that the Start type is Manual.

257
00:18:55,250 --> 00:19:02,200
So in here, we can put again the current object's Start is equal to 3, right?

258
00:19:05,000 --> 00:19:06,950
And that's what this is for, here, Start.

259
00:19:06,980 --> 00:19:12,560
So these are all the services running as SYSTEM that have a manual start, so we can actually set this

260
00:19:12,560 --> 00:19:16,940
to, like, a variable, I'd say isHackable

261
00:19:19,940 --> 00:19:20,540
right now.

262
00:19:20,540 --> 00:19:21,530
We can say isHackable.

263
00:19:22,760 --> 00:19:23,750
The list of all those.

264
00:19:26,270 --> 00:19:31,280
Now, this gets interesting. How do we determine our permissions? How can we determine, I mean, we

265
00:19:31,280 --> 00:19:34,430
can write to these services, right?

266
00:19:35,840 --> 00:19:40,730
But we need to make sure that we pick a service that we can actually restart.

267
00:19:41,340 --> 00:19:44,980
Yeah, there's a difference between writing to the registry and restarting a service.

268
00:19:44,990 --> 00:19:45,940
Those are two different permissions.

269
00:19:46,370 --> 00:19:53,040
So the way to find that out is by using a built-in Windows command called sc sdshow.

270
00:19:53,930 --> 00:19:54,830
So if we go here.

271
00:19:58,870 --> 00:19:59,440
Here it is.

272
00:20:06,320 --> 00:20:10,500
The service's security descriptor using the Security Descriptor Definition Language.

273
00:20:11,630 --> 00:20:16,170
This will tell us the permissions on the service.

274
00:20:16,200 --> 00:20:16,930
So let me show you something.

275
00:20:19,750 --> 00:20:21,760
It says you can do something like this, right?

276
00:20:22,090 --> 00:20:29,620
Let's try this: sc sdshow. It expects a service here.

277
00:20:31,300 --> 00:20:34,570
This one, wuauserv.

278
00:20:36,690 --> 00:20:42,060
That didn't work because it's trying to convert this into a cmdlet, so let's run it like this,

279
00:20:43,840 --> 00:20:48,450
it's one command with sc.exe, and then try it that way.

280
00:20:55,360 --> 00:20:55,880
There we go.

281
00:20:56,380 --> 00:21:01,420
All we have is this really, really complicated looking Security Descriptor Definition Language

282
00:21:02,170 --> 00:21:05,640
and what this means, this is a discretionary access list, OK?

283
00:21:06,760 --> 00:21:14,320
And this means that it is an accepted access control list.

284
00:21:15,850 --> 00:21:18,850
Each of these values in here are pairs, so this is one pair.

285
00:21:19,830 --> 00:21:20,740
This is another pair.

286
00:21:21,250 --> 00:21:23,410
This is another pair, another pair.

287
00:21:23,910 --> 00:21:25,780
They're all pairs and they all mean something.

288
00:21:26,170 --> 00:21:26,980
And the stuff at the end

289
00:21:26,980 --> 00:21:29,330
means something too. This means Authenticated Users.

290
00:21:30,190 --> 00:21:34,070
These are both the Administrators and the SYSTEM accounts.

291
00:21:34,810 --> 00:21:35,330
I know this.

292
00:21:35,480 --> 00:21:36,360
Just Google it, right?

293
00:21:36,370 --> 00:21:43,540
If you go to, like, SDDL stop start restart permissions.

294
00:21:45,850 --> 00:21:46,400
Try this one.

295
00:21:47,290 --> 00:21:48,350
Yeah, so this is the one.

296
00:21:48,850 --> 00:21:56,470
So, again, you can look at the permissions that show you this and you can read up on this, but you

297
00:21:56,470 --> 00:21:58,750
see here, RP is SERVICE_START.

298
00:21:59,680 --> 00:22:00,460
That's what we want.

299
00:22:02,070 --> 00:22:05,120
As are the other ones, like Authenticated Users, SYSTEM.

300
00:22:05,300 --> 00:22:09,210
So we want everything that has this RP because we want to make sure we have permission to start the

301
00:22:09,210 --> 00:22:09,690
service.

302
00:22:10,440 --> 00:22:10,770
Right.

303
00:22:11,340 --> 00:22:18,120
So we want this: every service that has RP and is for Authenticated Users, because we are an authenticated

304
00:22:18,120 --> 00:22:23,820
user, we are not an administrator and we are not running as SYSTEM.

305
00:22:24,990 --> 00:22:27,940
So how can we do that?

306
00:22:27,960 --> 00:22:29,510
Well, let's see.

307
00:22:30,600 --> 00:22:33,530
Let's look at this isHackable thing again.

308
00:22:34,440 --> 00:22:36,560
What do we call it, isHackable, right?

309
00:22:38,380 --> 00:22:40,210
If you look at the PSChildName,

310
00:22:43,300 --> 00:22:44,020
all the services

311
00:22:48,790 --> 00:22:56,060
that are running as SYSTEM and that we can, that are set to manual, if we could create a loop to go

312
00:22:56,060 --> 00:23:01,840
through all these services, right, then we can look to see.

313
00:23:03,590 --> 00:23:10,160
We can basically pass that service name to that sc sdshow command and then do some regex to see if

314
00:23:10,620 --> 00:23:14,030
we have an RP flag there, which means that we also have permission to restart it.

315
00:23:14,690 --> 00:23:19,160
So basically we're saying I want to find all services running as SYSTEM that have a manual start and that I

316
00:23:19,160 --> 00:23:19,670
can restart.

317
00:23:20,000 --> 00:23:26,570
Let me show you what I mean, so I can say foreach, just call the variable on each iteration service

318
00:23:27,020 --> 00:23:32,770
in isHackable dot PSChildName, whatever we do here.

319
00:23:32,960 --> 00:23:44,030
Well, I want to print out that SDDL command and I'll save it in a variable called SDDL.

320
00:23:45,200 --> 00:23:50,390
We're going to say cmd /c sc sdshow service.

321
00:23:51,680 --> 00:23:55,880
Right, we're passing the service on each iteration to this command, it's going to be taking this variable

322
00:23:57,200 --> 00:23:59,060
and then we just run a little if condition against it.

323
00:23:59,240 --> 00:24:11,930
We'll see, like if SDDL is a match for some regex, we'll fill it in in a moment.

324
00:24:13,940 --> 00:24:18,190
Then we can just basically say print out that service.

325
00:24:19,100 --> 00:24:19,390
Right.

326
00:24:20,360 --> 00:24:21,410
So, are we ready for that regex?

327
00:24:21,470 --> 00:24:22,240
Let's go back up here.

328
00:24:25,090 --> 00:24:31,810
And let's grab that SDDL output that we did earlier. So I actually can't go back far enough to get to the command,

329
00:24:31,810 --> 00:24:33,880
what I'm going to do, we'll grab this, right.

330
00:24:35,200 --> 00:24:36,130
So we're going here.

331
00:24:36,850 --> 00:24:38,860
We'll click copy.

332
00:24:39,930 --> 00:24:45,930
And then we're going to go here and I'll show you how we can build a regex to select this.

333
00:24:47,770 --> 00:24:51,940
This is a great site for building regexes. I'm going to go and delete everything out of here, delete

334
00:24:51,940 --> 00:24:52,600
everything out there.

335
00:24:54,500 --> 00:24:57,430
OK, so here's the thing.

336
00:24:57,460 --> 00:24:58,210
We just want to get.

337
00:24:59,590 --> 00:25:06,970
We want to search for RP, right, and any number of characters until we get to a semicolon, instead of

338
00:25:07,360 --> 00:25:08,080
colon, I mean semicolon.

339
00:25:08,950 --> 00:25:11,290
So we'd do something like RP.

340
00:25:12,170 --> 00:25:16,640
These characters all look like they're all capitalized.

341
00:25:16,640 --> 00:25:24,520
So we can say a character class, all capitalized, so we can say any number of characters, A to Z, as

342
00:25:24,520 --> 00:25:25,380
the star does.

343
00:25:25,960 --> 00:25:27,790
The question mark makes it optional.

344
00:25:29,020 --> 00:25:36,920
And then what we want to do is we want to look for the three semicolons and, you know, that's what

345
00:25:36,960 --> 00:25:39,120
we want to match right here. See how it matched this one?

346
00:25:39,130 --> 00:25:42,460
It didn't match anything else because, remember, this is not an administrator.

347
00:25:43,120 --> 00:25:43,780
It's system.

348
00:25:43,900 --> 00:25:44,800
We don't care about those.

349
00:25:45,940 --> 00:25:49,420
We really care about this. So this works, let's grab it.

350
00:25:59,730 --> 00:26:03,120
All right, let's pause here and see what happens if we have any typos.

351
00:26:04,210 --> 00:26:13,000
Yes, that's what we want. Let's save that as a variable. Control-A, run. These can start.

352
00:26:17,440 --> 00:26:21,490
These are the services we can start, so let's just start with this one, since we were looking at that

353
00:26:21,490 --> 00:26:22,030
one earlier.

354
00:26:23,970 --> 00:26:26,140
Let's do Get-ItemProperty.

355
00:26:28,510 --> 00:26:34,600
And actually, let's see what we can type for this. Let's go back into PowerShell on the local box: Get-

356
00:26:34,600 --> 00:26:39,880
Help Get-ItemProperty -Parameter

357
00:26:42,390 --> 00:26:42,900
Star.

358
00:26:47,110 --> 00:26:51,330
So really, what we only need is just, I believe, just the path, yeah.

359
00:26:51,340 --> 00:26:52,590
Specifies the path to the item.

360
00:26:53,860 --> 00:26:55,560
So it's -Path, the path to this item.

361
00:26:58,020 --> 00:27:08,340
So HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv.

362
00:27:09,820 --> 00:27:10,990
All right, let's make this bigger.

363
00:27:12,640 --> 00:27:13,190
Here we go.

364
00:27:13,600 --> 00:27:14,830
You know, it's the ImagePath here.

365
00:27:17,500 --> 00:27:20,500
So our goal is to replace this ImagePath with an arbitrary command.

366
00:27:22,060 --> 00:27:25,660
And then restart the service, since we have restart rights to the service.

367
00:27:26,770 --> 00:27:27,670
So let's try it.

368
00:27:27,880 --> 00:27:34,750
Let's go back here, Set-ItemProperty, and let's see what parameters we can do with Set-ItemProperty:

369
00:27:36,310 --> 00:27:45,670
Get-Help Set-ItemProperty -Parameter *. See?

370
00:27:48,290 --> 00:27:49,800
Name: specifies the name of the property.

371
00:27:49,820 --> 00:27:54,140
OK, we want that one. What do we want, and where do we want it?

372
00:27:55,490 --> 00:27:58,530
Let's make it bigger. See, it's ImagePath.

373
00:27:58,730 --> 00:28:07,190
That's what we want to set, so we can say ImagePath, and I believe there was a value.

374
00:28:09,050 --> 00:28:10,970
Let's go back to path.

375
00:28:11,450 --> 00:28:16,050
Value: specifies the value of the property. Up arrow.

376
00:28:16,340 --> 00:28:16,820
Right.

377
00:28:16,820 --> 00:28:23,030
Control-E, and let's do -Value and set it to foo.

378
00:28:23,930 --> 00:28:24,200
Right.

379
00:28:24,200 --> 00:28:25,730
Just to test that we can actually write

380
00:28:27,060 --> 00:28:30,300
to this path, and then Get-ItemProperty.

381
00:28:31,430 --> 00:28:38,780
Bam, we can write. Now, the interesting thing here is that you can actually discover on this host that

382
00:28:38,780 --> 00:28:42,080
there's a job that runs that continually overwrites this ImagePath.

383
00:28:42,080 --> 00:28:44,510
So we only have a few seconds to

384
00:28:46,110 --> 00:28:54,720
essentially host a netcat payload on our local box, download it to the victim machine into a whitelisted

385
00:28:54,740 --> 00:29:03,300
directory, which bypasses AppLocker, and then execute the binary, because if you wait too long, and it's

386
00:29:03,300 --> 00:29:08,100
really just a matter of seconds, then this value is going to be overwritten with the original

387
00:29:08,490 --> 00:29:11,140
ImagePath and our shell will die.

388
00:29:11,790 --> 00:29:16,920
We're also going to discover, after the shell, we're going to have to quickly create another shell from

389
00:29:16,920 --> 00:29:20,130
that shell in a new process so that we can have persistence on the box.

390
00:29:20,460 --> 00:29:22,900
And I'll show you what I mean in a second.

391
00:29:22,920 --> 00:29:25,370
So let's go ahead and do this first.

392
00:29:25,440 --> 00:29:26,850
Let's make sure that this is still here.

393
00:29:28,590 --> 00:29:29,050
Still set to foo.

394
00:29:29,070 --> 00:29:30,210
All right.

395
00:29:31,290 --> 00:29:34,320
So let's go ahead and move into our whitelisted directory.

396
00:29:37,040 --> 00:29:38,760
Let's see, Windows\System32\

397
00:29:38,760 --> 00:29:42,720
spool\drivers\color.

398
00:29:43,830 --> 00:29:45,540
So if you Google this directory

399
00:29:47,850 --> 00:29:56,770
and we go to, let's see, this page on AppLocker bypass.

400
00:30:00,910 --> 00:30:02,280
What did I type? GitHub.

401
00:30:09,450 --> 00:30:11,610
List of generic methods for bypassing AppLocker.

402
00:30:12,450 --> 00:30:13,050
Here we go.

403
00:30:13,450 --> 00:30:14,580
Now, what is AppLocker?

404
00:30:14,580 --> 00:30:18,960
Application whitelisting, AppLocker, has been with us for a while.

405
00:30:22,170 --> 00:30:24,210
Yeah, so basically, you control which apps

406
00:30:25,920 --> 00:30:30,620
can be run on the operating system.

407
00:30:32,420 --> 00:30:36,380
So it's really good, of course, when you want to basically say these are the only approved

408
00:30:36,380 --> 00:30:38,900
apps, anything other than this won't be able to run.

409
00:30:39,860 --> 00:30:44,060
This works because these directories are typically permitted by AppLocker.

410
00:30:44,090 --> 00:30:49,340
If you can get something bad to run out of these directories, then you can potentially bypass AppLocker

411
00:30:49,340 --> 00:30:51,470
and fly under the radar.

412
00:30:51,500 --> 00:30:58,520
So, as we're going to try to do here, first we need to get netcat hosted on our local box.

413
00:30:59,480 --> 00:31:06,610
So let's do that: locate nc.exe.

414
00:31:07,550 --> 00:31:08,660
We found it.

415
00:31:09,020 --> 00:31:10,640
Let's see here.

416
00:31:12,960 --> 00:31:13,580
Got this one.

417
00:31:22,240 --> 00:31:23,900
All right, so we've got netcat hosted here.

418
00:31:23,920 --> 00:31:24,400
That's sweet.

419
00:31:24,850 --> 00:31:29,350
So let's go back here, let's see, and let's run it again.

420
00:31:37,430 --> 00:31:43,640
And we are going to actually save it as iexplore. Why iexplore? Because

421
00:31:46,790 --> 00:31:51,500
that is the process name for Internet Explorer.

422
00:31:55,580 --> 00:31:56,210
I cannot type.

423
00:31:58,240 --> 00:32:00,820
Yeah, Windows Internet Explorer by Microsoft, right?

424
00:32:00,850 --> 00:32:05,620
So we're also trying to bypass, you know, any static strings that might be in place by masquerading

425
00:32:05,620 --> 00:32:08,560
as a benign application, to that.

426
00:32:10,290 --> 00:32:12,500
Now we have iexplore, but this is really netcat, right?

427
00:32:13,830 --> 00:32:15,690
So now we've got netcat.

428
00:32:16,200 --> 00:32:16,890
Let's go back.

429
00:32:17,340 --> 00:32:19,170
You can notice if we try to run this again.

430
00:32:21,330 --> 00:32:25,590
Now it shows that it's been overwritten, right, so we only had a few seconds to get this done, so

431
00:32:25,590 --> 00:32:30,500
we need to overwrite this again, but this time we need to overwrite it with our next payload.

432
00:32:31,590 --> 00:32:34,350
So this is what we're going to do: Set-ItemProperty.

433
00:32:37,300 --> 00:32:40,190
Instead of this, we're going to put in this.

434
00:32:44,830 --> 00:32:45,760
Joseph P..

435
00:32:49,480 --> 00:32:51,520
Copy, Control-Shift-C.

436
00:32:52,900 --> 00:32:54,460
And what are we going to do here?

437
00:32:54,490 --> 00:32:55,030
Well.

438
00:32:57,210 --> 00:33:08,310
We want to connect back to our machine on port 443 and we want to shovel PowerShell out to us, right? Then

439
00:33:08,310 --> 00:33:13,830
when we say Set-ItemProperty, when the service restarts, it should cause netcat to connect back

440
00:33:13,830 --> 00:33:18,900
to us on port 443 and send us a PowerShell shell back over here.

441
00:33:19,620 --> 00:33:22,020
rlwrap nc on 443.

442
00:33:24,180 --> 00:33:25,470
And let's see if we can do this.

443
00:33:29,670 --> 00:33:35,190
Start-Service wuauserv.

444
00:33:39,310 --> 00:33:42,370
And nothing happened, and if you notice.

445
00:33:45,440 --> 00:33:51,620
Everything errored back, right, and the deal is that we need to do this from that whitelisted directory,

446
00:33:52,160 --> 00:33:52,940
so we go back here.

447
00:33:53,990 --> 00:33:54,650
Let's go back up.

448
00:33:55,940 --> 00:33:57,230
Let's go back into this directory.

449
00:34:16,380 --> 00:34:18,940
Right, so we want to do this again

450
00:34:21,730 --> 00:34:28,990
and then Get-ItemProperty. See, now it looks good, and we want to start the service.

451
00:34:29,620 --> 00:34:31,780
Let's see, do we have a shell?

452
00:34:32,380 --> 00:34:33,850
Still no shell.

453
00:34:36,400 --> 00:34:37,840
Now, why is there no shell?

454
00:34:42,730 --> 00:34:44,100
Let's see.

455
00:34:47,800 --> 00:34:49,330
Did I get the name of the binary right?

456
00:34:58,450 --> 00:34:59,660
iexplore.exe.

457
00:35:07,880 --> 00:35:16,280
Oh, let's see, iexplore.exe. Yes, this is netcat, because I ran help and you can

458
00:35:16,280 --> 00:35:17,150
see that's what it is.

459
00:35:19,700 --> 00:35:21,060
Hmm, interesting.

460
00:35:23,350 --> 00:35:24,930
Why isn't it working?

461
00:35:28,400 --> 00:35:29,990
You really do have to play with stuff.

462
00:35:33,640 --> 00:35:36,490
10.10.14.10 443.

463
00:35:39,410 --> 00:35:41,330
PowerShell.

464
00:35:48,060 --> 00:35:49,050
There's PowerShell.

465
00:35:51,340 --> 00:35:53,350
Still no service being started.

466
00:35:54,820 --> 00:35:55,660
Did I misspell the name?

467
00:36:01,000 --> 00:36:02,560
No, it's the right name.

468
00:36:05,510 --> 00:36:07,270
It's starting from the wrong directory.

469
00:36:25,540 --> 00:36:26,350
It's still set.

470
00:36:28,900 --> 00:36:33,560
You know, we're running it again, so let's just see if we can manually

471
00:36:37,050 --> 00:36:41,580
do this. So I'm going to try to just run this

472
00:36:43,900 --> 00:36:45,760
and send netcat back to me

473
00:36:47,020 --> 00:36:50,800
without the service start. I'm just troubleshooting it to figure out why this isn't working, because

474
00:36:50,800 --> 00:36:51,430
it should work.

475
00:36:55,790 --> 00:36:56,710
So that did work.

476
00:36:58,960 --> 00:37:01,310
Of course, I'm still Hector, right?

477
00:37:02,650 --> 00:37:03,220
But.

478
00:37:05,590 --> 00:37:08,110
So this means we can actually run netcat from that folder.

479
00:37:09,250 --> 00:37:10,080
So that's OK.

480
00:37:11,090 --> 00:37:12,160
Our syntax is OK.

481
00:37:20,080 --> 00:37:21,310
What is wrong here?

482
00:37:25,740 --> 00:37:27,050
It's like this got rewritten again.

483
00:37:32,110 --> 00:37:33,680
Now, I can see PowerShell's there.

484
00:37:37,100 --> 00:37:38,570
Right, so this actually looks good.

485
00:37:40,120 --> 00:37:41,600
We just have to restart the service.

486
00:37:47,840 --> 00:37:49,250
Oh, it's looking for the service name.

487
00:37:53,330 --> 00:37:57,640
Now we've got a shell. You know, I don't know why it worked that time and it didn't work before, but

488
00:37:57,680 --> 00:38:00,170
this just shows you why you need to do this now.

489
00:38:01,560 --> 00:38:02,930
You will notice we are system.

490
00:38:02,970 --> 00:38:07,530
You might think, oh, great, we did it, we escalated to system. We did, but the shell is going to

491
00:38:07,530 --> 00:38:11,180
die in a few seconds because it's going to be overwritten very, very quickly

492
00:38:12,770 --> 00:38:21,200
by the default ImagePath for the wuauserv application. So we don't really have a lot of time.

493
00:38:21,560 --> 00:38:27,530
What we can do is... there it is, time to watch this. See, it's dead.

494
00:38:28,400 --> 00:38:35,210
So this is what we have to do to get this to work: set up a 443 listener, and then

495
00:38:35,210 --> 00:38:36,380
Control-Shift-T.

496
00:38:38,030 --> 00:38:48,320
And I'm also going to set up an nc -lvp 53, DNS, because that's also a port that's usually allowed

497
00:38:49,580 --> 00:38:53,170
outbound in the target organization.

498
00:38:54,140 --> 00:38:58,610
And so now we've got 443 and 53 listening. What we need to do

499
00:39:00,270 --> 00:39:07,810
is basically, we need to quickly just do a couple of things, right.

500
00:39:07,830 --> 00:39:10,700
We need to quickly run this again, right?

501
00:39:11,040 --> 00:39:11,820
Get-ItemProperty.

502
00:39:12,910 --> 00:39:14,740
And let's make this a little bit bigger.

503
00:39:17,460 --> 00:39:22,300
We're going to have to replace this ImagePath and then quickly, from that shell, start a shell to connect

504
00:39:22,300 --> 00:39:23,590
back to the other listener.

505
00:39:25,750 --> 00:39:26,410
So that when

506
00:39:27,720 --> 00:39:32,280
this shell dies, we'll live in this process, which is a different process, which is a different shell.

507
00:39:32,350 --> 00:39:33,870
OK, hope that makes sense.

508
00:39:34,080 --> 00:39:35,970
In order for this to happen, we need to rebuild it.

509
00:39:35,970 --> 00:39:41,370
So I'm going to go ahead and open up a text editor and I'm just going to rebuild it so we can just copy

510
00:39:41,370 --> 00:39:42,090
and paste this thing.

511
00:39:44,650 --> 00:39:45,100
This.

512
00:40:01,840 --> 00:40:05,730
Right, so we want to have this on the clipboard ready to go. See.

513
00:40:06,510 --> 00:40:06,790
All right.

514
00:40:06,790 --> 00:40:10,870
So now we want to do it. It's going to be very fast when we do this.

515
00:40:11,350 --> 00:40:12,010
Let's go back here.

516
00:40:13,750 --> 00:40:25,240
Get-ItemProperty, we see the ImagePath is wrong, set the path to our next listener, confirm

517
00:40:25,240 --> 00:40:25,890
that it's correct.

518
00:40:27,180 --> 00:40:32,070
It is. Now we will quickly start the service.

519
00:40:34,240 --> 00:40:36,850
wuauserv.

520
00:40:40,250 --> 00:40:42,560
The shell.

521
00:40:45,040 --> 00:40:50,200
And now we've got a shell as system. So now when this shell disappears on us,

522
00:40:52,180 --> 00:40:54,280
It won't matter because we'll live in this process down here.

523
00:40:55,030 --> 00:40:57,340
You can actually see that happen if you wait a moment.

524
00:40:57,370 --> 00:40:57,970
It's pretty cool.

525
00:40:59,800 --> 00:41:03,430
Right now, you can see the shell's dead.

526
00:41:07,100 --> 00:41:13,940
The shell up top is Hector, but our system shell, this one, isn't dead, right?

527
00:41:14,660 --> 00:41:17,110
We live on. The shell has lived on.

528
00:41:17,450 --> 00:41:18,440
So that's great.

529
00:41:18,740 --> 00:41:19,670
We've gotten to system.

530
00:41:19,850 --> 00:41:20,710
Now, what are we going to do?

531
00:41:20,990 --> 00:41:22,400
Well, next lecture, I'm going to...

532
00:41:22,400 --> 00:41:29,420
We're actually going to already be into the box and we're going to take a look around the file system,

533
00:41:29,420 --> 00:41:35,330
the registry settings, the Event Viewer and the logs, so we can look at, you know, the artifacts that

534
00:41:35,330 --> 00:41:36,920
were left behind through our attack.

535
00:41:37,170 --> 00:41:37,480
Right.

536
00:41:37,490 --> 00:41:39,410
I will see you in the next lecture.
