Try Hack Me : Windows Privilege Escalation Part 1.

00:01

[Music]

00:08

[Applause]

00:14

yo what's going on guys welcome back

00:15

today we are doing Windows privilege

00:17

escalation this is um a continu

00:19

continuation excuse me of the junior pen

00:21

testing path and we're going to keep

00:23

finishing it up I know it's been a while

00:25

since I posted on this but there's just

00:26

so much content out there that I'm

00:28

trying to get to you guys as fast as I

00:29

can but we're going to go ahead and dive

00:31

into it so this is just Windows

00:33

privilege escalation so once we take

00:34

over Windows machine so you can see we

00:36

have this Windows machine here it's very

00:37

slow and that's fine so it might take us

00:39

a little bit and we're probably not

00:41

going to get through all of it today

00:42

because I want to make sure you guys

00:43

understand so we'll probably get to task

00:45

five or six and then we'll stop there so

00:48

first things first during a pen test you

00:50

will often have access to Windows host

00:52

with an unprivileged user this is true

00:54

so it's almost always going to be when

00:56

you um are on Enterprise environment

00:58

during pen testing you're probably going

00:59

to a regular user account first that's

01:02

just the way it is because I mean if you

01:04

think about statistically speaking the

01:07

majority of users on a network are

01:09

regular unprivileged users so

01:12

statistically you're most likely to get

01:13

them so just think of it that way yes by

01:15

all means if you can get an admin

01:17

account right off the bat go for it

01:19

don't waste your time with all this but

01:22

that's not realistic to do in every s

01:23

situation you need to know how to do

01:25

this so unprivileged users hold limited

01:28

access including files folders and no

01:30

means perform admin tasks true but we

01:33

can take advantage of what they do have

01:35

access to to get that admin permissions

01:38

so let's go a and dive into it if you

01:39

guys like this content if you guys are

01:41

enjoying the video hit that like button

01:42

hit the sub button helps me tremendously

01:45

grow and I appreciate everything you

01:46

guys do for me so here we go so simply

01:49

put privilege escalation I'm not going

01:51

to read the definition but consists of

01:52

using given access to a host with user a

01:55

so basically what they're saying is I

01:56

have access to user a and now I can gain

01:59

access ACC to user B which has higher

02:01

permissions right um so that would be an

02:04

admin in this case or that's what we're

02:06

the goal is right the all long-term goal

02:09

or the overall goal is a domain admin um

02:12

but we don't need to dive too deep into

02:14

that here this is just privilege

02:16

escalation so gaining access to differ

02:19

account different accounts can be as

02:21

simple as finding credentials and text

02:22

files spreadsheets this is true the one

02:24

thing I don't think um they cover very

02:27

much they don't cover uh service

02:30

accounts and service accounts usually

02:32

have elevated privileges at least for

02:34

certain functions and so I wish they

02:37

covered it more but those are something

02:38

you should look for when you're doing a

02:39

pen test always always always is service

02:41

accounts because they are very hard to

02:44

rotate passwords for one for two they

02:47

also um typically have like I said have

02:51

elevated privileges at least for that

02:52

function that's it's doing and then for

02:54

three it's less likely that people are

02:57

going to be watch like weirded out by

02:59

that ser service account logging into

03:00

other machines because it is a service

03:02

account if you're not familiar with what

03:03

a service account is um basically it's

03:06

an account that you use to run a service

03:09

on a machine so if I needed to connect

03:11

this machine over to this machine and I

03:13

need to do it regularly using an

03:14

application or something I will use a

03:16

service account so that way it's not

03:18

logging in using my account it's not

03:19

logging in using your account it's using

03:21

an account specific to that service so

03:25

gaining access to different accounts can

03:26

be as simple as finding them in a text

03:27

file which is true it's actually not

03:29

uncom common um misconfigurations on

03:31

services or scheduled tasks that's how

03:33

these are the ones we're going to um

03:35

abuse excessive privileges assigned to

03:37

the account vulnerable software which is

03:39

always known missing Windows security

03:41

patches also so before jumping into the

03:44

techniques let's look at the different

03:45

types of accounts so you have your

03:46

admins this is your regular admin right

03:48

like this has elevated privileges they

03:50

can change system configuration

03:52

parameters and access files so yeah we

03:53

know what an admin is I don't need to

03:55

explain to you your standard users these

03:56

are people that can log into the machine

03:58

and do standard activity they can look

04:00

at things they can do stuff but they

04:02

can't do any admin tasks okay any user

04:06

with the administrator privileges will

04:07

be part of the admin group on the other

04:08

hand s users are part of the user group

04:11

keep in mind what they're talking about

04:12

here is not is not domain joined meaning

04:17

these are accounts that are just default

04:19

on Windows when you get into an

04:22

Enterprise level pent testing situation

04:25

what you're looking at is there will be

04:26

multiple groups it won't just be

04:28

standard users admins there be

04:29

everything in between there'll be people

04:31

with a lot of permissions but they don't

04:34

have admin right those are still people

04:37

that you want to get those are still

04:38

targets because they might have access

04:40

to a lot more stuff but they're just not

04:43

considered a full admin so those are

04:45

keep that in mind that when you need to

04:47

learn active directory and users of

04:49

groups um organizational units and

04:51

everything like that because that's

04:53

where you start to see the elevated

04:54

privileges where you may not get a full

04:57

domain admin but you're still getting

04:58

elevated privileges

05:00

now any user with administrative

05:02

privileges will be the administrator

05:03

group right so these are local users

05:05

that's what we're talking about here

05:06

local we're not talking about on a

05:07

domain in addition to that you will

05:10

usually hear about some special built-in

05:11

accounts used by the operating system

05:13

okay so they are talking about excuse me

05:14

here they are talking about domain

05:16

joined they just are only breaking them

05:18

down as two types which isn't the case

05:21

um yeah it's not the case because there

05:23

will be everything in between that there

05:25

will be standard users that are maybe

05:27

help desk that have elevated privileg

05:29

they can change things in active

05:31

directory that doesn't mean they're a

05:32

full domain admin right so just keep

05:35

that in mind um the system the local

05:37

system accounts these are accounts that

05:39

are just local to the machine meaning it

05:41

can only log into that machine it can't

05:42

log into all the machines on the domain

05:45

but it has full access um so the system

05:48

itself will you'll see it all the time

05:50

in the logs the system itself will run

05:53

when it's doing Windows tasks right when

05:55

when your system comes by default it's

05:58

going to have these the system account

06:00

and it's running all the time right

06:01

that's that's just normal activity that

06:04

is it's going to be using the system

06:06

itself to run tasks and that's the

06:08

account it's using the local service

06:10

default account to run Windows services

06:12

with minimum privileges so this is if

06:14

you need to run it without admin

06:15

privileges if you have a task that

06:17

Windows needs to run but not run as

06:19

admin if you've ever ran something and

06:20

it says like uh don't doesn't have

06:24

permissions or something and then you

06:25

run it as admin and it works that's the

06:27

difference um network service default

06:30

account used for um to Windows services

06:32

with minimum privileges it will use

06:33

computer credentials there you go so it

06:36

will use the basically the account will

06:38

use the computer's credentials to

06:40

authenticate through a network so pretty

06:43

self-explanatory now users that can

06:44

change system configurations that's

06:46

admin the system account oh sorry the

06:49

system account has more privileges than

06:51

administrator user a or nay I don't

06:54

think a is maybe that's just a UK thing

06:57

because I think tryck is from UK but

07:00

um I or nay or but anyway um so a so yes

07:05

they it does and the reason is it's the

07:07

system it can do whatever it wants right

07:10

it is the system so that's why when you

07:12

try to take over a machine typically

07:15

with like a interpreter shell or

07:16

something you want to get system access

07:18

even if you have an admin account system

07:20

access is always has more okay so now

07:23

harvesting passwords from usual spots so

07:25

this is where you're going to whoops

07:26

excuse me this is where you're going to

07:28

look for and this is the the machine

07:30

that started right here so okay

07:32

unattended Windows installation when

07:34

installing and this is this actually is

07:36

very common but you guys have to if you

07:38

work never worked in um an Enterprise

07:39

environment or any um Network

07:42

environment like this then this might be

07:44

foreign to you when installing Windows

07:46

on a large number of hosts admins use

07:48

Windows deployment Services okay so they

07:50

put an image out there right and that

07:52

image sits out there and when it does

07:55

they basically say hey image this

07:58

machine or image all these machines with

08:00

a new image or whatever and it has that

08:02

image sitting out there where it can

08:03

grab it right that's the whole point so

08:06

which allows for single operating system

08:08

image to be deployed through S host so

08:10

you can store this image it knows where

08:12

to reach them everybody can grab them

08:14

and it will start installing the image

08:16

if you don't know when I say image

08:17

because I know that some of you may it

08:19

may be new to you that means the

08:21

security posture the way Windows is set

08:23

up if you set up windows in a specific

08:26

way meaning you download it you have all

08:29

your applications for your company you

08:30

have all of your um different local

08:33

admin accounts that you need you have

08:35

your break glass accounts those types of

08:37

things you have everything set up the

08:38

way you want you then take a snapshot an

08:41

image of that and you say this is how I

08:43

want every machine set up and then you

08:45

can push that to everybody that's what

08:46

they're doing here now these kinds of

08:48

installations are referring to un

08:49

unattended installations meaning

08:51

nobody's sitting there doing anything

08:52

the user doesn't have to log in you can

08:54

just push this to people right or you

08:57

can have it set up and then when you

08:58

plug a new computer in and and join in

08:59

the domain it will pull that image okay

09:03

such installations require the use of an

09:05

admin account which is true which might

09:07

end up being stored in the machine in

09:08

the following locations so you can see

09:10

unattended XML Panther unattended system

09:13

32 CIS prep D the reason these are

09:15

stored there is because it has to use

09:17

admin credentials and this is unattended

09:19

meaning I don't want to have to type in

09:20

my credentials every time for every

09:23

person so I store them so it can go grab

09:26

them later right so as part of these

09:29

files you might encounter these so you

09:31

can actually go look for these if you

09:33

have access to that machine pretty

09:35

interesting it's a pretty good way to

09:36

look for it especially if you know the

09:38

machine has been CIS prepped that's what

09:39

it's called CIS prep is when you're

09:41

Imaging the

09:43

machine when I say that it means you're

09:45

grabbing that snapshot okay whenever a

09:47

user runs a command using Powershell it

09:50

gets stored into a file that keeps

09:51

memory this is a history file right bash

09:53

has the same thing you can type history

09:55

on bash and you can see they're going to

09:57

go ahead and do this the reason they do

09:59

this that you look for the history is

10:00

because there's a lot of times when

10:01

running commands that you have to put

10:03

your credentials in to run that command

10:05

on another machine or something and if

10:07

you don't hide it meaning you don't have

10:09

it as a secure credential or something

10:11

like that it will just show it it'll

10:14

display

10:15

it um okay saved window Windows

10:18

credentials Keys Windows allows users to

10:21

use other users credentials which we

10:23

know this functional also gives option

10:24

to save these credentials on the system

10:26

so command key list will actually do

10:28

that so what that means is you can save

10:30

credentials so that you can run like

10:33

let's say you had a service account and

10:34

you need to run a task as that service

10:36

you can save those credentials well here

10:38

you can list them while you can't

10:39

actually see the passwords if you notice

10:41

the credentials worth trying if you

10:42

notice any credentials worth trying

10:44

excuse me um you can use them with run

10:47

as command and save credit options so

10:49

what that means is here you won't see

10:52

the credential like you you'll see the

10:53

username but you won't see the password

10:56

but if you know Windows you can run as

11:00

what that means is I can run the command

11:02

as the user that they said I have in

11:05

question so I'll show you what I

11:10

mean so I don't I haven't um done this

11:13

box in a long time so I don't remember

11:15

but if they actually have one here but

11:17

we'll

11:19

try we'll try and make this a little bit

11:21

bigger for you

11:25

guys that way you can see it we'll make

11:28

it 36 see how if that's too big okay so

11:33

what we're going to do is we're going to

11:34

type

11:36

CMD key list and see if there is a list

11:40

of keys currently stored

11:42

credentials it looks like we have user W

11:45

privilege escalation mic. cats so what

11:48

we could do is we could say run

11:51

as save

11:53

cred right and then we could say

11:57

user and that user would be this W priv

12:02

escalation

12:04

one and we'd say and you may not have to

12:07

put the domain there so mike. cats and

12:10

it should CM so we're going to run

12:13

cmd.exe

12:16

and look at that so we actually ran a

12:21

new command shell and you can see up

12:24

here running as Mike cats so I'm

12:26

actually able to run now shell as this

12:30

new user because they saved the

12:32

credential there so that's actually

12:34

pretty interesting so that's one way to

12:37

look for for credentials as well IAS

12:39

configurations if you don't know what

12:40

IAS is if you've heard of Apache

12:42

anything like that IAS is the um way

12:45

that Microsoft runs their web servers so

12:46

it's a web server is all it is but you

12:48

can see internet Information Services is

12:50

the default web server the configuration

12:53

of the is is stored on a file called

12:55

web.config so if you can find that

12:57

web.config it can store passwords for

13:00

that database and configured

13:02

authentication mechanisms meaning there

13:04

might be service accounts in there so

13:06

you can see here here's a a quick way to

13:09

find database connection strings on um

13:12

the file so one thing to keep in mind

13:14

that I see all the time with people that

13:15

do ctfs is they run into this situation

13:18

where they they think that I have to go

13:20

straight here to admin here to admin

13:23

what you can do and what you should be

13:25

doing is looking at doing things like

13:27

running this command for instance

13:29

starting up a command. exe right using

13:31

mik cats well mik cats might have more

13:34

permissions than we do we might not have

13:36

had permissions to access the IAS file

13:38

but now we might have permissions to

13:40

access that IAS file so now we can do

13:42

this and I don't know if this is

13:44

actually if they have it on this m

13:46

machine or not

13:49

but why is this not

13:53

uh okay so it didn't copy and paste but

13:56

so then you would run the type Command

13:58

right and we'd say type

14:01

c

14:03

Windows

14:05

microsoft.net

14:12

framework 64 let's see yep it does

14:15

actually have it so version

14:18

4.

14:20

3319

14:22

config web and if a little trick if you

14:26

don't know if something exists just try

14:27

and tab it and if it finishes it you

14:29

know you're good and then you just say

14:31

find string and connection

14:34

string and we hit enter do the same

14:38

thing and I think you have to capitalize

14:40

the S and see if it finds

14:43

it okay and there it found it right so

14:46

you can see here's the user ID and

14:47

here's the password so we actually were

14:49

able to pull the is configuration but

14:52

the key here is you may have to Pivot

14:55

through a lot of accounts to get

14:57

different permissions right to gather

14:58

different things so if there's an is

15:00

server maybe I can't grab the is logs

15:03

maybe I don't have permission to access

15:05

those but we then use the save

15:07

credentials M cats we then can access

15:09

the I credentials and things like that

15:11

so make sure you're pivoting around and

15:13

messing with it don't just think you

15:15

have to go from here to here right it's

15:16

not a straight jump all the time okay so

15:20

now you can retrieve credentials from

15:21

software from putty so putty is an SSH

15:24

client and you can see here what they're

15:26

doing is they're um quering the registry

15:28

and they're asking in for the software

15:30

putty and they're looking at the

15:32

sessions so what they're doing is and

15:35

we'll just do it again with Mike Catz

15:37

actually we'll do it with the regular so

15:38

you can see it because I made it

15:39

bigger they're just saying okay registry

15:42

we want to query the registry and we

15:43

want to say h key if you didn't know the

15:46

registry is is

15:48

basically every file in the in the M um

15:51

system it's kind of like how L Linux

15:54

excuse me um how Linux everything's a

15:57

file when Windows is the same way just

16:00

it's a registry key and it's got a

16:03

whoops it's got a binary one or zero

16:05

true or

16:09

false okay putty

16:12

sessions F and we'll say proxy so we're

16:16

looking for the proxy s all right we hit

16:19

enter and you can see we're getting the

16:21

S the um putty sessions and look one of

16:24

them's called my SSH server when we do

16:27

that look at the name Tom Smith Cool

16:30

Pass 2021 so right away we've gotten

16:34

Mike cat's account we've got this one

16:37

here we ended up getting the um the one

16:40

for IIs as well so we've gotten a bunch

16:42

of usernames just from kind of changing

16:45

our tactics around right now a password

16:48

for the julia. Jones user has been left

16:51

on the Powershell history what is the

16:52

password so let's go back and let's look

16:54

at what the here we go console history

16:56

so we need to go and get the history

16:59

so we say Okay type and type just opens

17:02

a file so if you're wondering we say

17:04

type and we say user

17:09

profile and we're going to say app

17:13

data app

17:16

data

17:18

roaming

17:24

Microsoft uh let's see did I mess

17:26

something up because it's not tabing but

17:28

that's all right user profile no should

17:29

be good Microsoft

17:33

Windows

17:35

Powershell PS

17:38

readline console host history. txt

17:44

change that see even though actually

17:47

Windows is not case sensitive and you

17:49

can see here's the last things ran on

17:52

Powershell who but we ran LS Who Am I

17:55

who Am I priv who am I groups and you

17:58

can see they added a user on the domain

18:01

controller named Julia Jones password

18:04

zuper cret pass okay so we say Z CR pass

18:09

boom we got passed it okay so now we say

18:13

a web server is running on the remote

18:15

host find any interesting passwords on

18:17

the web config file well we already did

18:19

that we did that in Mike cat's

18:21

um one so that's why I'm not going to do

18:24

it again but we did that on Mike cats

18:26

already so we got that password and then

18:30

there is a saved password on your

18:31

windows credential on your windows

18:34

credentials excuse me using command key

18:36

and run as spawn a shell for my cats and

18:38

retrieve okay so we already did

18:41

that so now we just got to retrieve the

18:44

flag from his desktop because we're not

18:46

able to access that without it so now we

18:48

say

18:50

CD and we'll go

18:55

C

18:57

users might

19:00

cats

19:02

desktop and then we say dur because

19:04

there's no LS which is kind of funny

19:07

that there was no LS it says it's not um

19:10

recognized but then the history shows

19:13

that there was LS ran that's kind of

19:15

actually funny I just thought about that

19:17

and then we say type flag.txt

19:21

then THM what is my password there it is

19:25

you can see the first one is Powershell

19:27

is LS on the history which is kind of

19:29

funny like I said because LS is not part

19:32

of it supposedly

19:35

um but that's because this version just

19:38

doesn't have it okay um but I guess okay

19:40

I never mind I correct myself because

19:43

this is the Powershell history I'm using

19:45

command prompt that's on me I wasn't

19:47

paying attention all right so now let's

19:50

retrieve the password stored in the

19:52

saved putty session well we just did

19:53

that too and that's right here Cool Pass

19:57

2021 all all right so let's keep going

20:01

so now we've got other quick wins so now

20:04

schedule tasks so this is actually

20:05

something that you should be doing on

20:07

Windows Linux everything looking at

20:08

scheduled tasks so we're going to say

20:10

scheduled tasks query and what these are

20:13

is they are just tasks that they someone

20:15

scheduled and said hey I want these to

20:19

basically um run at whatever time I tell

20:23

it or however often I tell it or

20:24

whatever right so we want to say okay we

20:28

need to

20:29

get a list of the scheduled tasks right

20:31

but we don't want to search through all

20:32

of them so we're looking and it looks

20:35

like it's at system startup for one but

20:38

you can see we already knew the name the

20:39

name of it was vul task so that's why we

20:41

put Vol task in there we searched for

20:43

vul task so it's kind of cheating

20:45

because we knew the name of it and you

20:46

would have to look normally but we're

20:48

looking and we're trying to see what

20:50

kind of users can we get right scheduled

20:52

task can be listed from the command line

20:54

da da da da okay you'll get lots of

20:56

information about the task for us the

20:58

Tas task to run parameters which

20:59

indicates what gets executed by the

21:01

scheduled task so this is what's

21:02

important you see how it says C task

21:05

schedu task. bat it's a batch file if we

21:08

can manipulate that file if we can edit

21:10

it then when the schedule task runs it

21:13

runs our file whatever we want right so

21:15

that's one way to elevate privileges

21:17

right there and you can see it starts at

21:19

at system startup so if we could if we

21:22

could get this to run right we could or

21:24

if we could edit that we could edit it

21:26

and you notice it runs as admin we can

21:28

edit that to instead of do whatever it

21:30

does now do a reverse shell to us

21:32

restart the system and it would

21:34

automatically connect to us every time

21:36

it restarted and nobody would know right

21:39

now there might be some detection that

21:41

pops up but still okay so now you can

21:44

see if our current user can modify or

21:46

overwrite the task yep and you can see

21:48

here we have to check permissions so we

21:50

use and you can see we used um IAL ials

21:55

which is I believe part of this is

21:57

internal Street I could be wrong on that

21:59

it might just be default um so now you

22:02

say tasks and we already know the the

22:04

path right because it just gave it to us

22:06

so it's scheduled task.

22:09

bat okay and you can see n Authority

22:14

system okay so right here built-in users

22:18

has I and F and you can see here F has

22:22

full access so that means we have full

22:24

access to it so this means we can modify

22:26

it so we could easily say we want it to

22:29

be a net cat shell and then we want it

22:31

to and then we could just start the

22:33

system and then boom because if you

22:36

notice it runs as as a administrator we

22:39

now have ad administrator access so

22:41

that's how you do

22:42

that and you can see here all you have

22:45

to do is say Echo C tools because

22:47

they've already added netcat on here and

22:49

command. exe and they're saying run the

22:53

scheduled task for us um or they're

22:55

saying I'm sorry no they're not they're

22:57

saying Echo this as the actual script

23:00

and then let's see what the task says

23:03

does it need to do it uh yeah I think we

23:05

do need to actually do it so let's go

23:07

ahead and do this one so we're just

23:09

going to say same exact thing Echo

23:11

because that's just GNA we're going to

23:13

edit it right we're going to say C tools

23:16

and if you don't know um Windows is not

23:18

case sensitive so don't stress about the

23:20

case sensitivity exe Tech cmd.exe so all

23:24

we're doing is saying netcat run and

23:26

execute command. exe and then our IP

23:28

address is Right

23:35

Here let open this up get the IP 1010

23:38

4584 1010

23:41

4584 1010

23:44

4584 10 10

23:48

4584 and then we'll

23:51

say where was it there we go we're going

23:53

to use same port 4444 just cuz we know

23:55

it's not in use but normally I wouldn't

23:57

use that cuz that's the default

23:58

interpreter port and that will be

24:00

blocked by most

24:02

companies uh tasks scheduled task

24:09

dobat task dobat okay so we should be

24:13

able to here we're actually completely

24:15

overwriting

24:16

it okay so now we have to go back here

24:19

we have to start up a netcat listener

24:22

so we'll say

24:24

netcat lvmp 4444

24:28

okay so now that's listening now we just

24:30

go back here and we have to run the new

24:33

scheduled task that we just created or

24:35

it's we didn't create a new one excuse

24:36

me the one we edited so schedule tasks

24:40

run and then it's called vom task so we

24:44

run it attempted to run says successful

24:47

but it says

24:49

attempted okay and look at that we have

24:52

a shell and we have a full elevated

24:55

permission so who am I

24:59

why does that look

25:02

weird that looks weird I don't know why

25:04

it looked weird the first time so you

25:05

can see here we're task user one okay

25:09

interesting the reason that's

25:11

interesting is because I actually

25:13

thought we would get

25:16

um full admin permissions but maybe I

25:19

looked at it wrong um okay so task user

25:23

one was expected I wonder if I looked at

25:25

it

25:26

wrong maybe I didn't even notice that

25:28

task user one was in the one running it

25:31

oh that's the author I was looking at

25:33

wrong yep that's the author task user

25:36

one is who's running it okay so that's

25:38

on me I looked at it wrong um but that's

25:41

good good to know so now we have this

25:42

full shell right so now we can stay here

25:45

and now we have whatever we need which

25:48

is what is Task user one flag so we can

25:51

say CD whoops CD

25:54

c

25:57

users and then CD task user

26:02

one and then CD

26:06

desktop CD desktop and then we can say

26:11

cat flag.txt

26:13

and okay type flag.txt

26:19

and THM task completed there we go so we

26:22

actually did that test no problem now

26:25

here you can say see how we're going to

26:27

always stay elevated so what they're

26:28

doing is they're actually editing the um

26:33

registry excuse me so you can see this

26:35

method requires two registry values to

26:36

be set so we need to set these first

26:38

we're querying them right and then we're

26:40

actually creating a malicious. MSI here

26:44

we're creating that msf Venom reverse

26:47

shell and then here we're actually

26:49

putting it right in the temporary

26:52

directory um you should also run the

26:53

medit Handler module configured

26:55

accordingly once you have transferred

26:56

the file you've created you can run the

26:57

installer with the command below and

26:59

receive the reverse shell so you can see

27:01

this will actually go ahead um and make

27:04

sure that these are set now does this

27:08

work currently I will tell you it

27:10

probably won't um because it'll probably

27:12

be busted but there's ways around that

27:14

I'm just saying this is a good example

27:16

of how to stay always elevated you can

27:18

change a registry um edit you can make

27:20

another scheduled task you could do all

27:22

kinds of things to stay elevated as that

27:24

user once you have that user's

27:26

configuration all right I was going to

27:28

try to get to task five but I think

27:30

we're going to stop there um let's see

27:32

how long yeah it'll take us a little bit

27:35

to get to task five let's see yeah this

27:38

is a long one so I'm going to stop there

27:40

that's a 30 minutes that's good we'll

27:42

finish task five six seven and then

27:45

eight next time because then that's it

27:48

so tools of the trade there's no actual

27:50

questions so that'll be it so hopefully

27:53

this helps you guys hopefully you guys

27:55

are following along in this path the

27:57

junior pen testing path and learning

27:58

something because a lot of these are

28:00

very rudimentary and you might say they

28:02

don't work anymore they do it's just you

28:06

have to manipulate them in a way you

28:08

have to understand the technical aspects

28:10

and understand that yeah it might not

28:12

work where I run just that msf Venom

28:15

payload that they laid out for me but if

28:17

I can change things I can make it work

28:19

for me so hopefully this helps you guys

28:21

and hopefully you guys like this path

28:23

let me know if you do and thank you have

28:25

a good day