1
00:00:00,180 --> 00:00:06,450
So now that we have compromised this particular machine, we've established a foothold on the victim

2
00:00:06,450 --> 00:00:11,730
host, we now need to look around, we need to explore, we need to orient ourselves to get a sense

3
00:00:11,730 --> 00:00:12,720
of the lay of the land.

4
00:00:13,350 --> 00:00:14,700
And so what are we going to do here?

5
00:00:14,730 --> 00:00:20,910
Well, you know, we could simply try to drop tools like winPEAS or JAWS or Seatbelt or PowerUp

6
00:00:21,120 --> 00:00:22,980
or Watson or Sherlock on this box.

7
00:00:22,980 --> 00:00:27,120
We could run a script and just try to enumerate all the potential escalation vectors.

8
00:00:27,780 --> 00:00:31,230
Alternatively, what I'd like to do here is give you a manual approach.

9
00:00:31,240 --> 00:00:37,290
I want you to see under the covers so that you can get a better idea of how these particular attacks

10
00:00:37,290 --> 00:00:38,120
are executed.

11
00:00:38,580 --> 00:00:40,890
It's one thing to click a button and escalate your privileges.

12
00:00:40,890 --> 00:00:42,690
It's another to know what's happening under the hood.

13
00:00:43,050 --> 00:00:48,970
So you might just want to observe and see if there's anything we can do to achieve vertical escalation.

14
00:00:49,620 --> 00:00:52,410
So let's start with the net user commands, right?

15
00:00:53,290 --> 00:01:01,260
If we just type net user security, and of course I typo that, net user security, we can see this

16
00:01:01,260 --> 00:01:07,050
particular user is a local group member of the TelnetClients group, which makes sense because we're

17
00:01:07,050 --> 00:01:08,430
telnetting into this box right now.

18
00:01:08,790 --> 00:01:12,270
But you can see we are a low-privileged user. net users.

19
00:01:13,290 --> 00:01:18,120
We can see there is no user on the box engineer and administrator, which we don't have access to,

20
00:01:18,120 --> 00:01:22,620
of course, because we're not an admin and a guest user, which is a low account.

21
00:01:22,620 --> 00:01:24,390
So it's not really different from our account here.

22
00:01:24,720 --> 00:01:29,280
Sometimes horizontal escalation makes sense, but escalating to a guest user doesn't really make sense

23
00:01:29,280 --> 00:01:30,270
in this particular case.

24
00:01:31,290 --> 00:01:35,760
So let's take a look at the folders that are present on this box.

25
00:01:37,200 --> 00:01:38,040
We type dir /a.

26
00:01:39,390 --> 00:01:40,650
Actually, I didn't mean to do this.

27
00:01:41,460 --> 00:01:42,480
That will show us everything.

28
00:01:42,480 --> 00:01:44,430
But let's just do a dir first.

29
00:01:45,270 --> 00:01:48,690
You can see we have three folders, right? Administrator,

30
00:01:48,690 --> 00:01:49,620
Public and security.

31
00:01:49,620 --> 00:01:51,480
So these are the three accounts that have logged into this box.

32
00:01:51,480 --> 00:01:55,980
At some point, you have timestamps over here that give you some idea of when the folders

33
00:01:56,190 --> 00:01:57,690
or the initial login occurred.

34
00:01:58,860 --> 00:02:04,090
Let's just try the Public account first, because we can't exactly log in as an administrator right now.

35
00:02:04,090 --> 00:02:05,580
But let's just see what's in this public folder

36
00:02:09,420 --> 00:02:10,920
and let's take a look at everything there.

37
00:02:11,130 --> 00:02:15,210
dir /a, you see there is a Desktop folder

38
00:02:18,810 --> 00:02:21,750
and there is a link file.

39
00:02:22,380 --> 00:02:24,600
This is a shortcut, OK?

40
00:02:24,600 --> 00:02:25,560
This is a shortcut file.

41
00:02:26,270 --> 00:02:28,260
And let's see if we can read it.

42
00:02:29,880 --> 00:02:35,230
Right, we type it out and hit Enter, and we can see that we cannot read that.

43
00:02:35,250 --> 00:02:37,050
That's probably because I didn't put it in quotes.

44
00:02:37,380 --> 00:02:38,850
So let's try to do that now.

45
00:02:40,320 --> 00:02:43,140
And it looks really, really messy because it's a binary file.

46
00:02:43,470 --> 00:02:49,500
But what we can see here is that there is a command.

47
00:02:50,650 --> 00:03:00,010
Inside this shortcut: runas, and it looks like it's trying to run something as a user on this particular

48
00:03:00,010 --> 00:03:07,090
box, ACCESS, because, right, if I type hostname, you can see the name is ACCESS, as the administrator,

49
00:03:07,510 --> 00:03:13,000
and we're passing the /savecred switch and then we're including the path to an executable.

50
00:03:13,720 --> 00:03:21,130
So what this looks like is that when someone clicks this particular link, it will execute a program

51
00:03:21,130 --> 00:03:27,270
called access.exe, using credentials that have been saved by the local administrator.

52
00:03:28,660 --> 00:03:28,830
Right.

53
00:03:28,990 --> 00:03:31,000
That's the way I read this now.

54
00:03:31,570 --> 00:03:37,070
We can validate this by looking at the cmdkey list.

55
00:03:37,090 --> 00:03:44,200
If we type cmdkey, you can see if we do cmdkey /list, we can see the available credentials

56
00:03:44,200 --> 00:03:44,800
on the box.

57
00:03:48,310 --> 00:03:53,560
And we can see here currently stored credentials: ACCESS\Administrator, domain password.

58
00:03:53,560 --> 00:03:53,800
Right.

59
00:03:54,110 --> 00:03:54,870
This is what we want.

60
00:03:54,880 --> 00:03:56,220
Now, we have a couple of different options here.

61
00:03:56,320 --> 00:03:58,180
Let me go back to this.

62
00:04:00,580 --> 00:04:01,390
We could.

63
00:04:01,900 --> 00:04:02,200
We could.

64
00:04:02,200 --> 00:04:02,440
We could.

65
00:04:02,440 --> 00:04:02,860
We could.

66
00:04:03,830 --> 00:04:14,030
Simply pass a different command to runas, right? We could pass maybe a command to create a file.

67
00:04:15,130 --> 00:04:20,980
And maybe a batch file and in that batch file, there's a command to create a local user account so

68
00:04:20,980 --> 00:04:28,390
that when we execute this script, it will create a local user account because it would run with administrative

69
00:04:28,390 --> 00:04:32,980
privileges. Or we could just pass a reverse shell to this instead of this access.exe; we could pass, like,

70
00:04:33,250 --> 00:04:36,310
you know, a different parameter, maybe netcat, maybe machine.

71
00:04:37,010 --> 00:04:39,240
But that wouldn't give us the credentials of this administrator.

72
00:04:39,370 --> 00:04:43,060
And we want the credentials because we might be able to use that to pivot to another account.

73
00:04:43,420 --> 00:04:45,320
Right, if those credentials are reused somewhere.

74
00:04:45,940 --> 00:04:50,920
So the way to do that is to use the Data Protection API.

75
00:04:51,730 --> 00:04:54,060
This is an API that's built into Windows.

76
00:04:54,070 --> 00:04:55,210
It's called DPAPI.

77
00:04:55,510 --> 00:05:03,190
And you can use this with mimikatz offline so that we exercise good operational security, good OPSEC, and

78
00:05:03,190 --> 00:05:08,380
we're going to basically run mimikatz offline and we're going to see if we can decode a master key file,

79
00:05:09,220 --> 00:05:14,020
which we'll then use to decode a credential file which will contain the credentials for this administrator

80
00:05:14,020 --> 00:05:14,380
user.

81
00:05:14,590 --> 00:05:15,850
So let me show you how this is done.

82
00:05:16,360 --> 00:05:21,650
And first, let's take a look at this /savecred switch to see if we can find out exactly what it does.

83
00:05:22,330 --> 00:05:25,020
So I flip over to this Windows box I have set up.

84
00:05:25,210 --> 00:05:28,540
We can take a look at it, open a command prompt.

85
00:05:31,510 --> 00:05:34,660
But if you're wondering what this box is, this is the FLARE VM.

86
00:05:36,160 --> 00:05:43,450
So if you go to Google and you type FireEye FLARE VM.

87
00:05:43,480 --> 00:05:43,960
Here it is.

88
00:05:44,980 --> 00:05:51,430
You'll see this is a Windows ISO that includes a bunch of advanced malware analysis tools, and essentially you

89
00:05:51,430 --> 00:05:53,530
just download the Windows ISO from TechNet.

90
00:05:54,040 --> 00:06:00,700
And then all you do is you go to this install script and you just run it on the box and it pulls

91
00:06:00,700 --> 00:06:03,220
down a ton of tools that are very useful for reversing malware.

92
00:06:03,640 --> 00:06:07,180
So I'm not going to show you how to set that up in this lecture because, well, that's not really the scope

93
00:06:07,180 --> 00:06:13,420
of this particular lecture, but it's a good way that you can set up a VM for analysis and doing experiments

94
00:06:13,420 --> 00:06:14,170
and that sort of thing.

95
00:06:15,820 --> 00:06:22,510
So if we go here, let's see if we can get to runas /?, and you can see, let's zoom in a

96
00:06:22,510 --> 00:06:22,890
little bit.

97
00:06:24,490 --> 00:06:27,910
There is a /savecred option and it says to use credentials previously saved by the user.

98
00:06:28,330 --> 00:06:32,780
So now we know for sure that's what it's doing: it's trying to use the credentials saved by the administrator.

99
00:06:32,830 --> 00:06:33,120
Right.

100
00:06:33,880 --> 00:06:36,670
So let's see how we can get these credentials off the box.

101
00:06:37,210 --> 00:06:39,460
If we Google, like, DPAPI.

102
00:06:41,830 --> 00:06:45,460
Let's see, DPAPI saved, maybe.

103
00:06:47,530 --> 00:06:51,340
Here we go: Operational Guidance for Offensive User DPAPI Abuse.

104
00:06:52,210 --> 00:06:55,780
This is a long article, I encourage you to read the whole thing, but the part we really need is the

105
00:06:55,780 --> 00:06:57,880
path to the master key and the credential key.

106
00:06:58,780 --> 00:07:01,060
And here he says these keys are located here.

107
00:07:01,540 --> 00:07:02,530
This is where we want to go.

108
00:07:02,650 --> 00:07:03,240
We'll start here.

109
00:07:03,250 --> 00:07:04,990
OK, so let's go to minimize.

110
00:07:04,990 --> 00:07:05,350
That's.

111
00:07:07,290 --> 00:07:18,270
Let's go to that folder: cd C:\Users\security\AppData\Roaming\Microsoft. And by the way, if your

112
00:07:18,270 --> 00:07:24,210
shell is slow or it feels broken, you could type powershell -file -, and then it'll give

113
00:07:24,210 --> 00:07:25,200
you a PowerShell prompt.

114
00:07:25,890 --> 00:07:31,380
And then if you did something like $PSVersionTable. I still have backspace.

115
00:07:31,560 --> 00:07:32,220
That's kind of annoying.

116
00:07:32,940 --> 00:07:34,320
$PSVersionTable.

117
00:07:35,010 --> 00:07:39,450
You see what version of PowerShell we're in, which is, to point out, just an alternative to using the built-

118
00:07:39,450 --> 00:07:40,590
in telnet session.

119
00:07:41,140 --> 00:07:47,130
Of course, you could also just get the reverse shell from the shell with the same privileges of this

120
00:07:47,130 --> 00:07:47,820
current user.

121
00:07:49,500 --> 00:07:56,920
And that's another option, but I'm going to get out of this for now and let's see what we have here.

122
00:07:58,080 --> 00:08:02,340
dir /a, we have this Protect folder.

123
00:08:02,880 --> 00:08:07,830
Let's go in there and we need to see what our options are.

124
00:08:08,700 --> 00:08:09,810
We have a SID; we're going to need this.

125
00:08:09,810 --> 00:08:15,330
This is the security identifier for the security user and we're going to need this parameter to pass

126
00:08:15,330 --> 00:08:16,140
to mimikatz.

127
00:08:16,170 --> 00:08:20,400
So let's press Control C, go over to our other VM.

128
00:08:20,790 --> 00:08:23,250
Let's open Notepad and paste it in.

129
00:08:26,580 --> 00:08:27,630
What else do we need here?

130
00:08:27,640 --> 00:08:28,190
Let's see.

131
00:08:28,470 --> 00:08:31,440
We can go into this folder.

132
00:08:32,970 --> 00:08:33,960
dir /a.

133
00:08:35,220 --> 00:08:42,750
And this file over here is the master key; if you type it and try to view it,

134
00:08:43,380 --> 00:08:54,450
we won't be able to, but we can use certutil to essentially encode it base64 style and then we'll

135
00:08:54,450 --> 00:08:59,100
be able to essentially exfil it from the box and then decode it on our FLARE VM.

136
00:08:59,220 --> 00:09:00,390
I'll show you what I mean in the moment.

137
00:09:01,230 --> 00:09:06,210
So let's see, there's a -decode switch to decode the base64 encoded file and there's an -encode switch.

138
00:09:06,600 --> 00:09:12,090
We want to encode the file in base64 to make for easy transport and we'll save it to the temp directory.

139
00:09:12,840 --> 00:09:16,590
So let's just do certutil.

140
00:09:19,710 --> 00:09:20,640
-encode.

141
00:09:22,700 --> 00:09:30,920
File name, and we'll save it to the temp folder with the same name, and we have to output to a file.

142
00:09:33,830 --> 00:09:38,420
Why? Because it says encode file, right? You have to output to a file somewhere, so that's why

143
00:09:38,420 --> 00:09:39,250
we're doing it this way.

144
00:09:39,800 --> 00:09:46,880
Press Enter. It says it completed, so we should be able to view it if we do type C:\

145
00:09:46,880 --> 00:09:49,690
temp\ the name of the file.

146
00:09:50,150 --> 00:09:53,330
We've got it here so we can take the certificate and copy it.

147
00:09:57,560 --> 00:10:00,700
Good, Control C. Let's go back over to FLARE VM.

148
00:10:02,520 --> 00:10:03,640
Open up Notepad.

149
00:10:06,330 --> 00:10:08,190
Paste it in and we'll just save this on the desktop.

150
00:10:11,420 --> 00:10:12,110
Let's see.

151
00:10:14,800 --> 00:10:15,190
That's Tom.

152
00:10:19,540 --> 00:10:24,100
Master Key was called Master Key Safe, very cool.

153
00:10:25,920 --> 00:10:26,730
Let's go back here.

154
00:10:27,200 --> 00:10:30,180
The other thing we need to do, if you read the rest of this article, is you'll discover that there's

155
00:10:30,180 --> 00:10:31,350
also a credential.

156
00:10:33,520 --> 00:10:33,910
File.

157
00:10:36,680 --> 00:10:38,030
Let's see if we can find it.

158
00:10:43,390 --> 00:10:47,860
Here we go: starting with Windows 7, the Credential Manager allows users to store credentials for

159
00:10:47,870 --> 00:10:50,520
websites and network resources. Credential files are stored here.

160
00:10:50,530 --> 00:10:54,310
So we need the credential file, so we need to go to this path.

161
00:10:55,030 --> 00:10:58,720
And actually, it's this path here, which I think is the same thing.

162
00:10:59,440 --> 00:11:01,870
But let's see if we can get that credential file out the same way.

163
00:11:03,310 --> 00:11:10,600
So cd .., cd .., dir /a, and we need to go to the Credentials folder

164
00:11:14,800 --> 00:11:15,880
and here's the other file.

165
00:11:16,300 --> 00:11:19,960
So we'll copy this guy and we'll just run.

166
00:11:19,960 --> 00:11:21,060
certutil on this as well.

167
00:11:23,830 --> 00:11:34,390
certutil -encode this and we'll save it into the folder with the same name, and we'll just type that

168
00:11:34,390 --> 00:11:34,750
file.

169
00:11:37,930 --> 00:11:40,570
And copy this over to our Windows VM.

170
00:11:50,220 --> 00:11:51,390
We'll just call this credential.

171
00:11:56,050 --> 00:11:57,070
All right, very cool.

172
00:11:58,210 --> 00:12:05,650
Now that we've got both files here, we can use certutil to decode them, right?

173
00:12:06,290 --> 00:12:06,760
That's top.

174
00:12:09,640 --> 00:12:18,560
We've got the master key and we've got the credential file. certutil -decode masterkey

175
00:12:18,580 --> 00:12:23,230
.txt, and we will save it with the ID.

176
00:12:26,140 --> 00:12:29,140
From our session here, so let's get it, let's see what was it called?

177
00:12:30,870 --> 00:12:31,890
This is the name right here.

178
00:12:33,480 --> 00:12:37,140
See, it's for the master key, which just closes out.

179
00:12:38,830 --> 00:12:39,790
That will say this.

180
00:12:44,940 --> 00:12:45,750
Where does administrator

181
00:12:48,420 --> 00:12:49,810
cd C:\Users

182
00:12:54,590 --> 00:12:56,730
just hop?

183
00:12:59,090 --> 00:12:59,480
S..

184
00:13:00,740 --> 00:13:01,180
Tactic.

185
00:13:01,550 --> 00:13:01,940
OK.

186
00:13:05,340 --> 00:13:09,480
Decode, it's a file name, and we want to save it with its result.

187
00:13:11,850 --> 00:13:12,880
Well, whatever.

188
00:13:12,900 --> 00:13:15,210
I didn't copy the whole thing, but it got me what I needed.

189
00:13:15,790 --> 00:13:16,720
Actually, that's bothering me.

190
00:13:16,740 --> 00:13:18,390
Let's just rename this what it's supposed to be.

191
00:13:19,080 --> 00:13:20,400
There we go.

192
00:13:25,500 --> 00:13:25,830
All right.

193
00:13:25,830 --> 00:13:26,580
So I try to rename it.

194
00:13:26,610 --> 00:13:27,000
That's fine.

195
00:13:27,000 --> 00:13:30,980
I'll just leave it the way it is and we'll do the same thing for the other file.

196
00:13:30,990 --> 00:13:37,080
certutil, certutil -decode credential.

197
00:13:38,010 --> 00:13:42,810
And we'll try to save this with the other name, if we can, for the credential file.

198
00:13:44,490 --> 00:13:45,060
Here we go.

199
00:13:46,140 --> 00:13:50,400
See back over to the.

200
00:13:53,010 --> 00:13:54,720
And it looks like that worked. Good.

201
00:13:54,900 --> 00:13:59,160
So we actually don't need these guys anymore, so we don't confuse ourselves.

202
00:14:01,680 --> 00:14:02,100
All right.

203
00:14:02,680 --> 00:14:06,690
So now that we've got these here, we need to disable Windows Defender and then download mimikatz.

204
00:14:24,550 --> 00:14:26,360
Manage settings, all right.

205
00:14:26,380 --> 00:14:29,890
It looks like it's disabled and everything else is disabled.

206
00:14:29,920 --> 00:14:30,250
Good.

207
00:14:31,060 --> 00:14:37,390
All right, so let's grab mimikatz, the precompiled version: mimikatz GitHub.

208
00:14:37,420 --> 00:14:38,550
Yeah, looks good.

209
00:14:43,690 --> 00:14:44,830
Grab the latest release.

210
00:14:48,640 --> 00:14:49,330
Grab the zip.

211
00:14:53,610 --> 00:14:59,820
Hopefully it'll download without being destroyed by the antivirus, since we already disabled the antivirus.

212
00:15:00,390 --> 00:15:01,110
It's extracted.

213
00:15:04,200 --> 00:15:07,110
Let's go to the downloads folder and see where it is.

214
00:15:11,420 --> 00:15:13,810
Jump in here, there we go.

215
00:15:14,380 --> 00:15:15,300
All right, let's run.

216
00:15:15,310 --> 00:15:21,730
mimikatz. The first thing I want to do is just look at the dpapi::cache.

217
00:15:22,000 --> 00:15:23,650
You'll see there's nothing there, right?

218
00:15:24,640 --> 00:15:29,390
Master keys cleared and the credentials are cleared, but we're about to change that.

219
00:15:29,890 --> 00:15:38,530
So what we can do is we can say dpapi::masterkey /in: and we're going to put the master key as input,

220
00:15:39,370 --> 00:15:40,540
desktop with the name of it.

221
00:15:40,750 --> 00:15:41,500
This is it right here.

222
00:15:47,900 --> 00:15:48,560
/sid.

223
00:15:50,410 --> 00:15:50,770
Here.

224
00:15:55,290 --> 00:16:00,660
And then the password for this particular user, go back here.

225
00:16:00,930 --> 00:16:01,290
Grab it.

226
00:16:01,740 --> 00:16:02,400
Let's see.

227
00:16:03,350 --> 00:16:03,680
Oops.

228
00:16:05,940 --> 00:16:09,390
Kat Crans is the password for security.

229
00:16:15,440 --> 00:16:16,580
And I believe that's it.

230
00:16:17,330 --> 00:16:18,410
Let's just go and press Enter.

231
00:16:20,650 --> 00:16:25,060
That was dpapi::cache; still nothing there, I think we did something wrong.

232
00:16:26,370 --> 00:16:30,940
I might need to pull in the full path to this file and pass that here.

233
00:16:31,600 --> 00:16:34,690
So let's see if we can get that shift right click.

234
00:16:36,730 --> 00:16:39,430
Copy as path. Go up.

235
00:16:40,720 --> 00:16:41,310
Can I go up?

236
00:16:42,040 --> 00:16:42,640
Yes.

237
00:16:44,260 --> 00:16:45,060
Me around.

238
00:16:45,810 --> 00:16:48,870
Let's take this out real quick. Paste.

239
00:16:50,340 --> 00:16:50,900
Let's try now.

240
00:16:51,340 --> 00:16:51,940
Yes.

241
00:16:54,100 --> 00:16:56,910
Now, if we run the cache, we'll see.

242
00:16:56,920 --> 00:16:59,740
We have the credentials in the cache and the master key in the cache.

243
00:17:00,280 --> 00:17:00,850
Very good.

244
00:17:01,660 --> 00:17:11,320
OK, so now all we need to do is use this master key to decrypt the credential file: dpapi::cred

245
00:17:11,320 --> 00:17:17,920
/in: and we'll put in that file that we had. This guy, copy this path.

246
00:17:22,010 --> 00:17:31,500
Right-click, and I copy that: Shift, right-click, copy as path, right-click.

247
00:17:31,520 --> 00:17:32,020
There we go.

248
00:17:34,170 --> 00:17:38,940
And look at that, we've got the cleartext credential blob for the administrator.

249
00:17:39,420 --> 00:17:40,610
That's why we did this, right?

250
00:17:40,620 --> 00:17:44,730
We can use this password against other assets in the environment.

251
00:17:44,730 --> 00:17:50,670
If this were a true red team or pentest engagement. And now we can actually log in as administrator.

252
00:17:50,940 --> 00:17:52,860
So I'm going to save that. I just

253
00:17:52,860 --> 00:17:53,010
Right.

254
00:17:53,010 --> 00:17:57,840
click it to see what's on the clipboard. Exit here, out of this.

255
00:17:59,840 --> 00:18:00,200
Matt.

256
00:18:01,670 --> 00:18:03,710
And we'll just put in administrator; we should be able to get in.

257
00:18:07,490 --> 00:18:13,030
Right-click, Control Shift V. Oops, there is something wrong.

258
00:18:13,040 --> 00:18:16,820
Administrator, Control V.

259
00:18:19,070 --> 00:18:24,960
Not sure what's going on here. Here I go, what's on the clipboard? That's on the clipboard.

260
00:18:25,650 --> 00:18:27,170
I think that space might be getting in the way.

261
00:18:27,470 --> 00:18:28,400
Let's try it this way.

262
00:18:30,470 --> 00:18:31,160
Control C.

263
00:18:34,480 --> 00:18:44,350
Administrator, Control Shift V, there we go. Control U to close it out, exit, and now we are the

264
00:18:44,350 --> 00:18:44,960
administrator.

265
00:18:45,790 --> 00:18:46,470
whoami.

266
00:18:48,140 --> 00:18:50,730
We've officially escalated our privileges on this box.

267
00:18:51,190 --> 00:18:55,060
So in the next lecture, I will show you the alternative method of escalating your privileges using

268
00:18:55,060 --> 00:18:56,200
runas in PowerShell.

269
00:18:56,620 --> 00:18:59,320
And then we will dive right into that.

270
00:18:59,320 --> 00:18:59,530
Right.

271
00:18:59,530 --> 00:19:01,720
So I will see you guys in the next lecture.
