permissions. Uh-oh, I guess this is a bad example, but sometimes they'll say you can enroll as domain admin, and the people who can enroll is anyone. And that is easy. It's true, Microsoft made it so easy for their clients, but they also made their clients very, very vulnerable, and this was a huge thing for pentesters for many years, and it still is kind of a problem. We're now up to ESC, uh, someone just released an exploit called EKU, which is ESC5, and it's just another version of ADCS being exploitable, not because of, like, vulnerabilities, but just misconfigurations.

Questions? Yeah: "Misconfig, like config, why is it like Windows is just uniquely vulnerable? Just the way that it's..." Windows is just very complex. Very complex. It can also do a lot of stuff; whatever you want, it can happen, 'cause Microsoft really wants to please its consumers and its customers. But it's not uniquely vulnerable, it's just so easy to mess up, and there's so many complexities because of how old it is, right? It's 20, 30 years old, and, you know, it's just a result of convenience. Here's the thing about security: convenience and security are inversely proportional, right? You can have someone have 10-factor authentication; that's really secure but really annoying and nobody wants it. Or you could have it so there's zero password at all; that's really convenient, but it's really vulnerable, right? Microsoft likes to be real nice to everyone, and it's so convenient, but as a result it's vulnerable. They're getting better, they're adding more secure defaults, and they're trying hard to make it so that it's both secure and convenient, but, you know, it's hard.

Other questions? Okay. I'm so glad people are asking questions, this is great. All right, we're so close to finishing. Okay, I think it's true now, we're so close to finishing this section of the presentation.

All right, so I'm not going to cover exactly how this works, but there's this thing called SCCM. This is, like, the new hot thing for pentesters. It's the System Center Configuration Manager. This is something that IT admins can use to configure machines on a network: hey, there's a new machine, I want to install all this stuff on it, put it through SCCM; I want to update all the software on all my machines, send it through SCCM. And there's a lot of vulnerabilities in this, but I'll tell you the easiest vulnerability is: Windows had this thing where they would set up a machine, they'd set up a computer account for you, and they do it with a domain admin account. You know, you give it a laptop and it'll log in with domain admin and it'll do all the stuff. There was a way for you to just grab the credentials as it logged in, that it was using to log in, and those credentials were domain administrators. So you could just, hey, hey, please update me, and then you get domain admin, you know. There's so many other things wrong with SCCM, and it's so complicated, and to be honest I've forgotten a lot of the complexities because I haven't done it since last year at CPTC. But if you want to learn more about it, there's a website that I love, love, love that was made by a lot of really fantastic people who do Windows AD pentesting, called The Hacker Recipes. This is a great place to look. And this is a tool that will allow you to do SCCM exploitation, and I have a sticker on my water bottle of the tool.

Okay, let's talk about web. Right, so we've been through SMB, we've been through LDAP, we've been through Kerberos, ADCS, SCCM. Nothing worked. What do we do? You go on a website. Usually you're going to have some web server, right? Especially if it's a huge system. A lot of Windows by default is going to be running IIS. Now, this is very rare, but IIS can be very old and there might be remote code execution just as a result of the software being old. You can also sometimes write code to it. So sometimes there's misconfigurations where there's an FTP server or an SMB share that's writable by everyone, and it just so happens that a web server root is in that directory. Well, you can just write web pages onto there, and if the web page is using an executable language like PHP, ASP or ASPX, you can just write code and then put it in the root of the website, browse to it, and it'll be executed. You can execute whatever you want. That makes sense? So this is a thing that you can do sometimes.

Otherwise you just have to try common exploits, you know: SQL injection, template injection, code injection, whatever it is. Sometimes you have to do SQL injection, right? You can use SQL injection to do things that I'm going to talk about later. Sometimes you can coerce authentication: if there's local file inclusion, you can make it include a web page, and in this case, instead of including a file locally, you make it include your malicious SMB server so that you can grab a hash. Sometimes you can just inject commands, I don't know. Something I've seen in some labs is, like, a website will have a ton of names of people, and the person will be like "I love puppies and my puppy's name is Ron and my birth year is 1992," and then you try the password Ron 1992 for that username and it works, you know. If you have a user called Adam Hassan, you can try the usernames Adam Hassan, A Hassan, Ad Hassan, etc., right? Because most companies (UF is not like this, but most places) will have a designated format for usernames. You can try that.

Questions? We're not going to go that over time. Oh, thank you.

Now let's say you have SQL, right? Now, I mentioned sometimes you can coerce authentication. MSSQL has this really interesting thing where you can read files from the file system and read files from remote locations, like your malicious SMB server. Sometimes you can also execute commands, if you are privileged enough, using something called xp_cmdshell, which, by the way, is automated by the mssqlclient from Impacket. Sometimes there's also confidential info in the database; sometimes you can find usernames, password hashes, you can crack the hashes, that kind of thing. Questions about that? Okay.

Here's me using NetExec with the mssql protocol. I'm logging in, and it tells me, hey, Samwell Tarly can access Castle Black. So I use mssqlclient with the domain name, the user, the password, and I use Windows auth, and it gives me access. It gives me a little thing where I can, like, run whatever I want: I can query the database, I can try to execute commands (it probably won't work unless you're an admin), I can try to coerce authentication. I forgot, oh no, here's a module that I created for automatically coercing authentication using NetExec. It'll go through every single type of SQL command that can coerce auth, and it'll try to do it, so you can use that. Questions? Okay.

This is going to be the shortest section: RDP. You can also use NetExec to figure out if you have access to RDP. Remember, that's Remote Desktop Protocol; you get the keyboard and the mouse and the screen. You can use these tools: xfreerdp or rdesktop or Remmina. All of them are good, all of them have their own benefits. I like rdesktop; if rdesktop doesn't work, I use xfreerdp because it has better authentication negotiation. Who knows what I mean when I say authentication negotiation? That makes sense, because I didn't explain it. Windows by default will try to use the best type of authentication, so they'll typically start with Kerberos, and if I say I don't like Kerberos, it'll say okay, can we do Net-NTLMv2? And if I say I don't like that, it'll say okay, can we use Net-NTLMv1? Now, typically it will only allow Kerberos and Net-NTLMv2, but on more permissive domains it will allow you to get even worse and worse, and that's something that we call a negotiation. I'm negotiating what protocol I'm allowed to use for authentication, and xfreerdp is good at doing that negotiation. Questions? Okay.

WinRM. WinRM allows you to get PowerShell remotely. You can use NetExec to see if you can WinRM in, and if you can, it'll say pwned. And if it does, you can use this tool called evil-winrm. You pass it an IP address, a username, a password, and it gives you access to PowerShell. WinRM is also nice because you can download and upload files, and you can log in with pass-the-hash, just like in Impacket and just like in NetExec. Questions about that? Okay.

All right, now it's the last section, the last section or the second last, I don't remember. I'll tell you: post-exploitation. Right, when you get onto a machine... hopefully by now you've gotten access to the machine. If you haven't, I really recommend just going back and trying it all again and just making sure you're doing absolutely everything. You can do password dumping; there's a fantastic tool called Mimikatz. You can also use (there's supposed to be a space here, but) you can use Impacket's secretsdump.py, which will do things remotely. You can use NetExec to dump LSA secrets, which is, like, domain secrets; SAM, which is local secrets; NTDS, which is the domain controller secrets; and LAPS, which is like cloud secrets. You can do a lot of stuff with NetExec, it's great, but you can also use Mimikatz to get credentials. You just look up how to do that, right? Questions about that? Okay.

Here's a great TryHackMe. I really, really recommend this for post-exploitation. Sometimes when you get on a machine and you have low-level access, you want to do stuff to get more credentials, get higher privileges, that kind of thing. Now, I've already talked about domain privilege escalation, how do you get to domain admin. Are you tired, Andre? "You said that was the last section." I think this is the last section. All right, now if you want to locally escalate privileges, let's say you have access to a service account, and I want to get access to the admin account, the local admin account. You can do something on Windows which is whoami /priv. It'll show you all the privileges. Now, in this case I'm domain admin, which means I have all the privileges, right? There's a lot of them, but there are some dangerous ones.

Yes? "Does evil-winrm automatically, like, enable those privileges for you?" Usually. Okay, this is... I logged in as the domain admin. Oh yeah, Andre? "Display privileges by not enabled, like, is it displaying all the possible privs?" No, it's only showing the enabled ones. Now here's, I want to, so here's something that confused me. Yeah, enabled does not mean you have the privilege. All these privileges are ones that you have; it does not show you privileges that you do not have. Now, sometimes it'll say disabled even though you have the privilege, and what this means is: enabled means you have the privilege for that particular process, and disabled means you can get it, but it's not there for that particular process. "You mean the process that you ran the command?" Yes. Now, the reason for that is there's different integrity levels in Windows. You have a higher integrity if you log in through rdesktop or through RDP, because you're interactive, but if you go a reverse shell, you're low integrity. Don't worry about that too much, but you're not going to have many privileges enabled. Yes, Colin? "I was on a physical, I did, and I still got..." Yeah, that sometimes will be the case, but if it says disabled, don't worry about it, you still have it. "What?" You still have the privilege, it's just not currently in use. There are, like, PowerShell scripts you can run to enable/disable privileges, right? I
run to enable disable privileges right I
run to enable disable privileges right I don't know I've never need to do any I
don't know I've never need to do any I
don't know I've never need to do any I just just ignore this just ignore the
just just ignore this just ignore the
just just ignore this just ignore the state don't worry about it all you have
state don't worry about it all you have
state don't worry about it all you have to worry about is a privilege name and
to worry about is a privilege name and
to worry about is a privilege name and you can look it up right now there's a
you can look it up right now there's a
you can look it up right now there's a few dangerous privileges there's one
few dangerous privileges there's one
few dangerous privileges there's one called SE install always elevated and a
called SE install always elevated and a
called SE install always elevated and a lot of admins will enable because they
lot of admins will enable because they
lot of admins will enable because they hate people asking hey can can you
hate people asking hey can can you
hate people asking hey can can you install this for me um and this is
install this for me um and this is
install this for me um and this is something we'll always install things as
something we'll always install things as
something we'll always install things as an administrator which if you boil that
an administrator which if you boil that
an administrator which if you boil that down what it means is you can always run
down what it means is you can always run
down what it means is you can always run any code you want as administrator so
any code you want as administrator so
any code you want as administrator so you can escalate privileges there's one
you can escalate privileges there's one
you can escalate privileges there's one called sbug privileges which is used
called sbug privileges which is used
called sbug privileges which is used that a lot of developers have this
that a lot of developers have this
that a lot of developers have this allows you to read and write process
allows you to read and write process
allows you to read and write process memory so if there are secrets in memory
memory so if there are secrets in memory
memory so if there are secrets in memory like hashes you can dump the hashes uh
like hashes you can dump the hashes uh
like hashes you can dump the hashes uh you can dump memory uh you can even
you can dump memory uh you can even
you can dump memory uh you can even write to memory technically and
write to memory technically and
write to memory technically and I guess I've never done this before but
I guess I've never done this before but
I guess I've never done this before but I bet you could you could uh replace
I bet you could you could uh replace
I bet you could you could uh replace your security token to make it look like
your security token to make it look like
your security token to make it look like you're an administrator I I might be
you're an administrator I I might be
you're an administrator I I might be wrong about that I'm just speculating um
wrong about that I'm just speculating um
wrong about that I'm just speculating um there's one called SE impersonate
there's one called SE impersonate
there's one called SE impersonate privilege this is something that
privilege this is something that
privilege this is something that typically service accounts have because
typically service accounts have because
typically service accounts have because service accounts need to be able to
service accounts need to be able to
service accounts need to be able to impersonate other
impersonate other
impersonate other users um and this is one that'll give
users um and this is one that'll give
users um and this is one that'll give you like automatic admin and you can
you like automatic admin and you can
you like automatic admin and you can often exploit this with something called
often exploit this with something called
often exploit this with something called a potato attack which I'll talk about
a potato attack which I'll talk about
a potato attack which I'll talk about later and there's also SE backup
later and there's also SE backup
later and there's also SE backup privilege and restore privilege which
privilege and restore privilege which
privilege and restore privilege which allows you to read and write any file
allows you to read and write any file
allows you to read and write any file you want if you're on domain controller
you want if you're on domain controller
you want if you're on domain controller and you have SE backup privilege you can
and you have SE backup privilege you can
and you have SE backup privilege you can just read the ntds.dit file and you can
just read the ntds.dit file and you can
just read the ntds.dit file and you can dump all the hashes Andre so it says
dump all the hashes Andre so it says
dump all the hashes Andre so it says Cent is about same as us uh
Cent is about same as us uh
Cent is about same as us uh yes other
yes other
yes other questions okay uh this is a great blog
questions okay uh this is a great blog
questions okay uh this is a great blog post
post
post uh yeah it's a good blog post to look at
uh yeah it's a good blog post to look at
uh yeah it's a good blog post to look at it has some of the dangerous
it has some of the dangerous
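An added example, not the speaker's or any tool's code, illustrating the point above that a "Disabled" row in `whoami /priv` is still a privilege the token holds: it parses a constructed sample of `whoami /priv` output and flags the dangerous privilege names from the talk regardless of the State column. The sample output is constructed, and the two extra names in the table (SeAssignPrimaryTokenPrivilege, SeTakeOwnershipPrivilege) are well-known additions the talk does not mention.

```python
import re

# Privileges the talk singles out as dangerous, plus two well-known relatives
# (SeAssignPrimaryToken, SeTakeOwnership) that are NOT mentioned in the talk.
DANGEROUS_PRIVILEGES = {
    "SeImpersonatePrivilege": "token impersonation (potato-family abuse)",
    "SeDebugPrivilege": "read/write other processes' memory",
    "SeBackupPrivilege": "read any file regardless of ACL (e.g. ntds.dit on a DC)",
    "SeRestorePrivilege": "write any file regardless of ACL",
    "SeAssignPrimaryTokenPrivilege": "assign a primary token to a new process",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
}

# Constructed sample of `whoami /priv` output (not captured from a real host).
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Disabled
SeBackupPrivilege             Back up files and directories             Disabled
SeDebugPrivilege              Debug programs                            Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# One table row: name, free-text description, then Enabled/Disabled.
_ROW = re.compile(r"^(Se\w+Privilege)\s+(.+?)\s+(Enabled|Disabled)\s*$")


def parse_whoami_priv(text):
    """Return {privilege_name: state} for every row listed by `whoami /priv`.

    Every row is a privilege the token HOLDS; the State column only says
    whether it is currently switched on in this process. Privileges the
    token does not hold never appear at all.
    """
    held = {}
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            held[m.group(1)] = m.group(3)
    return held


def audit_privileges(text):
    """Flag dangerous privileges the token holds, whatever their State."""
    findings = []
    for name, state in parse_whoami_priv(text).items():
        if name in DANGEROUS_PRIVILEGES:
            findings.append({
                "privilege": name,
                "state": state,
                "why": DANGEROUS_PRIVILEGES[name],
                # A "Disabled" row is still held; the process can switch it
                # on with AdjustTokenPrivileges, so treat it like "Enabled".
                "held": True,
            })
    return findings


if __name__ == "__main__":
    for f in audit_privileges(SAMPLE_WHOAMI_PRIV):
        print(f"{f['privilege']:<30} {f['state']:<9} {f['why']}")
```

Run it against `whoami /priv > privs.txt` from a host you are assessing; a finding with state Disabled is the exact case the talk describes.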
it has some of the dangerous privileges let's talk about potato
privileges let's talk about potato
privileges let's talk about potato attacks I'm not going to fully explain
attacks I'm not going to fully explain
attacks I'm not going to fully explain it I only only learned today why it's
it I only only learned today why it's
it I only only learned today why it's called a potato attack um but a potato
called a potato attack um but a potato
called a potato attack um but a potato attack is just any attack where you can
attack is just any attack where you can
attack is just any attack where you can basically trick a process to run as an
basically trick a process to run as an
basically trick a process to run as an administrator and give you access to it
administrator and give you access to it
administrator and give you access to it so some processes on windows are always
so some processes on windows are always
so some processes on windows are always running as admin sometimes you can trick
running as admin sometimes you can trick
running as admin sometimes you can trick them into doing things for you and uh
them into doing things for you and uh
them into doing things for you and uh the reason it's called a potato attack
the reason it's called a potato attack
the reason it's called a potato attack is because the first one was called
is because the first one was called
is because the first one was called rotten potato cuz the Creator said this
rotten potato cuz the Creator said this
rotten potato cuz the Creator said this is such a dirty expit it's such a rotten
is such a dirty expit it's such a rotten
is such a dirty expit it's such a rotten EXP so he called it rotten potato and
EXP so he called it rotten potato and
EXP so he called it rotten potato and then everyone after that called it a
then everyone after that called it a
then everyone after that called it a potato attack so there's Hot Potato
potato attack so there's Hot Potato
potato attack so there's Hot Potato rotten potato Lonely Potato juicy potato
rotten potato Lonely Potato juicy potato
rotten potato Lonely Potato juicy potato I really like juicy potato and God
I really like juicy potato and God
I really like juicy potato and God potato those are the best
ones potato
ones potato what I don't know you can make
what I don't know you can make
what I don't know you can make one all right so yeah the reason that
one all right so yeah the reason that
one all right so yeah the reason that servers accounts of SE impersonate
servers accounts of SE impersonate
servers accounts of SE impersonate privilege is cuz let's say you're a file
privilege is cuz let's say you're a file
privilege is cuz let's say you're a file system and a user logs into the file
system and a user logs into the file
system and a user logs into the file system you expect it to show you your
system you expect it to show you your
system you expect it to show you your files right the only way it can do that
files right the only way it can do that
files right the only way it can do that is by essentially impersonating you and
is by essentially impersonating you and
is by essentially impersonating you and logging in as you so service accounts
logging in as you so service accounts
logging in as you so service accounts are very often very highly privileged
are very often very highly privileged
are very often very highly privileged and they can impersonate any user they
and they can impersonate any user they
and they can impersonate any user they want so if you log in and you see see
want so if you log in and you see see
want so if you log in and you see see impersonate privilege you can run God
impersonate privilege you can run God
impersonate privilege you can run God potato and it'll give you
potato and it'll give you
potato and it'll give you administrator questions about that Andre
administrator questions about that Andre
administrator questions about that Andre so what's the commonality between all
so what's the commonality between all
so what's the commonality between all the potatoes is it person no uh well all
the potatoes is it person no uh well all
the potatoes is it person no uh well all service account accounts will typically
service account accounts will typically
service account accounts will typically have SE impersonate privilege although
have SE impersonate privilege although
have SE impersonate privilege although that's becoming less and less true over
that's becoming less and less true over
that's becoming less and less true over time as things are being hardened and
time as things are being hardened and
time as things are being hardened and secured uh but typically if you see SE
secured uh but typically if you see SE
secured uh but typically if you see SE impersonate privilege then you can use a
impersonate privilege then you can use a
impersonate privilege then you can use a potato
potato
potato attack um but all of them are just
attack um but all of them are just
attack um but all of them are just things that allow you to impersonate a
things that allow you to impersonate a
things that allow you to impersonate a user and do something with it right so
user and do something with it right so
user and do something with it right so you can impersonate the administrator
you can impersonate the administrator
you can impersonate the administrator process and get that process to run
process and get that process to run
process and get that process to run whatever you want and that's a drastic
whatever you want and that's a drastic
whatever you want and that's a drastic oversimplification and it's barely
oversimplification and it's barely
oversimplification and it's barely accurate but you can read more into it
accurate but you can read more into it
accurate but you can read more into it right here if you want okay other
right here if you want okay other
right here if you want okay other questions all right uh there's another
questions all right uh there's another
questions all right uh there's another vulnerability that allows for privilege
vulnerability that allows for privilege
vulnerability that allows for privilege escalation on Windows called unquoted
escalation on Windows called unquoted
escalation on Windows called unquoted service path windows will do this thing
service path windows will do this thing
service path windows will do this thing where if you don't have quotes around a
where if you don't have quotes around a
where if you don't have quotes around a space it'll try to guess where the where
space it'll try to guess where the where
space it'll try to guess where the where the path is supposed to be so in this
the path is supposed to be so in this
the path is supposed to be so in this case you can see that my path is program
case you can see that my path is program
case you can see that my path is program files a subfolder b subfolder c
files a subfolder b subfolder c
files a subfolder b subfolder c subfolder Windows has what they call a
subfolder Windows has what they call a
subfolder Windows has what they call a search path where if there's no quotes
search path where if there's no quotes
search path where if there's no quotes they don't know what the real path is so
they don't know what the real path is so
they don't know what the real path is so they first try C program.exe and if it
they first try C program.exe and if it
they first try C program.exe and if it exists they execute it if it doesn't
exists they execute it if it doesn't
exists they execute it if it doesn't exist they try program files a.exe right
exist they try program files a.exe right
exist they try program files a.exe right before the space if it exists they
before the space if it exists they
before the space if it exists they execute it so if you have an unquoted
execute it so if you have an unquoted
execute it so if you have an unquoted service path where you can write to
service path where you can write to
service path where you can write to program
program
program files make a.exe
files make a.exe
files make a.exe and when the service runs it's going to
and when the service runs it's going to
and when the service runs it's going to find a.exe before it finds this whole
find a.exe before it finds this whole
find a.exe before it finds this whole thing and it's going to run that as
thing and it's going to run that as
thing and it's going to run that as whatever privilege in this case it's
whatever privilege in this case it's
whatever privilege in this case it's running as local system and it's set to
running as local system and it's set to
running as local system and it's set to auto start which means I I think if I
auto start which means I I think if I
auto start which means I I think if I remember correctly it'll start on
remember correctly it'll start on
remember correctly it'll start on boot so you just put your malicious
boot so you just put your malicious
boot so you just put your malicious program there you put your payload your
program there you put your payload your
program there you put your payload your sliver payload or whatever and it'll
sliver payload or whatever and it'll
sliver payload or whatever and it'll execute as admin
execute as admin
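An added example, not the speaker's code and not part of SharpUp or any other tool: it parses a constructed `sc qc` output for the service described above, reproduces the search order Windows follows for an unquoted path (C:\Program.exe, then Program Files\a.exe, and so on) so a defender can see which locations need their ACLs checked, and emits the `sc config` command that quotes the path. The service name and paths are constructed; the generalisation (one candidate per space, `.exe` appended when the candidate has no extension) follows CreateProcess's documented behaviour.

```python
import re

# Constructed `sc qc` output for an imaginary service (not from a real host).
SAMPLE_SC_QC = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: a_service
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\a subfolder\b subfolder\c subfolder\service.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : A Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

# "FIELD_NAME   : value" lines as printed by sc.exe.
_FIELD = re.compile(r"^\s*([A-Z_]+)\s*:\s*(.*?)\s*$")


def parse_sc_qc(text):
    """Turn `sc qc <name>` output into a {FIELD: value} dict."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def executable_part(bin_path):
    """The path up to and including the first '.exe' (arguments dropped)."""
    m = re.match(r"(.*?\.exe)", bin_path, re.IGNORECASE)
    return m.group(1) if m else bin_path


def is_unquoted_with_spaces(bin_path):
    """True when the path is not quoted and the executable part has a space."""
    return not bin_path.startswith('"') and " " in executable_part(bin_path)


def search_candidates(exe_path):
    """Executables Windows would try, in order, before the intended one.

    For each space in the unquoted path, everything before that space is
    tried as an executable ('.exe' is appended when it has no extension).
    The intended path itself is the last entry.
    """
    tokens = exe_path.split(" ")
    candidates = []
    for i in range(1, len(tokens)):
        prefix = " ".join(tokens[:i])
        if not re.search(r"\.[A-Za-z0-9]+$", prefix):
            prefix += ".exe"
        candidates.append(prefix)
    candidates.append(exe_path)
    return candidates


def remediation_command(service_name, exe_path):
    """`sc config` line that wraps the binary path in quotes (escaped for cmd).

    Assumes the service takes no arguments; append them after the closing
    escaped quote if it does.
    """
    return f'sc config {service_name} binPath= "\\"{exe_path}\\""'


def audit_service(text):
    """Summarise one service: is the path unquoted, how bad, and how to fix."""
    fields = parse_sc_qc(text)
    bin_path = fields.get("BINARY_PATH_NAME", "")
    exe = executable_part(bin_path)
    finding = {
        "service": fields.get("SERVICE_NAME"),
        "unquoted": is_unquoted_with_spaces(bin_path),
        "runs_as": fields.get("SERVICE_START_NAME"),
        "auto_start": "AUTO_START" in fields.get("START_TYPE", ""),
        "candidates": [],   # locations whose write ACLs must be reviewed
        "fix": None,
    }
    if finding["unquoted"]:
        finding["candidates"] = search_candidates(exe)[:-1]
        finding["fix"] = remediation_command(finding["service"], exe)
    return finding


if __name__ == "__main__":
    result = audit_service(SAMPLE_SC_QC)
    for key, value in result.items():
        print(f"{key:<11} {value}")
```

The `candidates` list is what a reviewer should check with `icacls`: if any listed directory is writable by non-admins, the quoting fix (or tightening that ACL) closes the issue.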
execute as admin questions uh yes Andre is it hand that
questions uh yes Andre is it hand that
questions uh yes Andre is it hand that way because there's way
to
to uh's yeah so Linux just refuses you have
uh's yeah so Linux just refuses you have
uh's yeah so Linux just refuses you have to have quotes if there's spaces or you
to have quotes if there's spaces or you
to have quotes if there's spaces or you have to escape the spaces but Windows
have to escape the spaces but Windows
have to escape the spaces but Windows tries to be nice it says you forgot the
tries to be nice it says you forgot the
tries to be nice it says you forgot the quotes that's okay I'll figure it out
quotes that's okay I'll figure it out
quotes that's okay I'll figure it out for you goddamn sense though no in what
for you goddamn sense though no in what
for you goddamn sense though no in what world would I want to stop at the
world would I want to stop at the
world would I want to stop at the space it's like you run a command and
space it's like you run a command and
space it's like you run a command and then you have the like afterwards H that
then you have the like afterwards H that
then you have the like afterwards H that might be it that is probably what's your
might be it that is probably what's your
might be it that is probably what's your name again B what is it bu buay yeah
name again B what is it bu buay yeah
name again B what is it bu buay yeah what's your question I was just going to
what's your question I was just going to
what's your question I was just going to ask as a user could I just go on my file
ask as a user could I just go on my file
ask as a user could I just go on my file exp and find these files if they did
exp and find these files if they did
exp and find these files if they did exist on my computer or would it be like
exist on my computer or would it be like
exist on my computer or would it be like tyal so this is a service that runs a
tyal so this is a service that runs a
tyal so this is a service that runs a program and this output I'm just I'm
program and this output I'm just I'm
program and this output I'm just I'm using sqc to query the service but
using sqc to query the service but
using sqc to query the service but there's a tool called power up the new
there's a tool called power up the new
there's a tool called power up the new version is called sharp up uh and sharp
version is called sharp up uh and sharp
version is called sharp up uh and sharp up will automatically look for unquoted
up will automatically look for unquoted
up will automatically look for unquoted service paths there's also a tool called
service paths there's also a tool called
service paths there's also a tool called win peas and one called seat belt that
win peas and one called seat belt that
win peas and one called seat belt that will do the same thing and more they'll
will do the same thing and more they'll
will do the same thing and more they'll look for even more preg escalation
look for even more preg escalation
look for even more preg escalation vulnerabilities other
vulnerabilities other
vulnerabilities other questions okay oh my God I'm done we're
questions okay oh my God I'm done we're
questions okay oh my God I'm done we're done uh I know uh other questions that
done uh I know uh other questions that
done uh I know uh other questions that people have yes Andre uh I guess for the
people have yes Andre uh I guess for the
people have yes Andre uh I guess for the previous thing is it possible for some
previous thing is it possible for some
previous thing is it possible for some services like based on
services like based on
services like based on privileges
the we go back to the SL EAS show which
the we go back to the SL EAS show which slide the one we just talked about this
slide the one we just talked about this
slide the one we just talked about this one yeah like can you have so that some
one yeah like can you have so that some
one yeah like can you have so that some services are able to
services are able to
services are able to accesse but permissions prevent like
accesse but permissions prevent like
accesse but permissions prevent like generally you can't see it like I don't
generally you can't see it like I don't
generally you can't see it like I don't know what you're asking for General user
know what you're asking for General user
know what you're asking for General user usually they wouldn't be able to see
usually they wouldn't be able to see
usually they wouldn't be able to see because of permission restrictions but
because of permission restrictions but
because of permission restrictions but if you run as an elevated user then it
if you run as an elevated user then it
if you run as an elevated user then it does see that like program.exe and ex
does see that like program.exe and ex
does see that like program.exe and ex and effort to like try and
and effort to like try and
and effort to like try and hide I'm not following okay let's talk
hide I'm not following okay let's talk
hide I'm not following okay let's talk about it later okay other
about it later okay other
about it later okay other questions all right well I hope all of
questions all right well I hope all of
questions all right well I hope all of you become Windows experts I'm
you become Windows experts I'm
you become Windows experts I'm graduating soon and ufit needs one and I
graduating soon and ufit needs one and I
graduating soon and ufit needs one and I promise if you are the only person that
promise if you are the only person that
promise if you are the only person that knows Windows you will get into every
knows Windows you will get into every
knows Windows you will get into every competition uh this knowledge was very
competition uh this knowledge was very
competition uh this knowledge was very useful for me during cptc and during
useful for me during cptc and during
useful for me during cptc and during cyber force and it will be for all of
cyber force and it will be for all of
cyber force and it will be for all of you as well so learn Windows ask
you as well so learn Windows ask
you as well so learn Windows ask questions uh I will say here's some
questions uh I will say here's some
questions uh I will say here's some fantastic resources
fantastic resources
fantastic resources this is like from top to bottom the
this is like from top to bottom the
this is like from top to bottom the order in which I would do them I have a
order in which I would do them I have a
order in which I would do them I have a TCM security course that's entirely free
TCM security course that's entirely free
TCM security course that's entirely free I have the N exec Wiki I have a try
I have the N exec Wiki I have a try
I have the N exec Wiki I have a try hackme room which I really recommend all
hackme room which I really recommend all
hackme room which I really recommend all of you try because I promise that if you
of you try because I promise that if you
of you try because I promise that if you use these slides as a reference you can
use these slides as a reference you can
use these slides as a reference you can do it in like an hour or two game of
do it in like an hour or two game of
do it in like an hour or two game of active directory is a vulnerable Network
active directory is a vulnerable Network
active directory is a vulnerable Network that you can deploy on your own it has
that you can deploy on your own it has
that you can deploy on your own it has like 15 machines or something and you
like 15 machines or something and you
like 15 machines or something and you can put it on AWS and it costs like 3
can put it on AWS and it costs like 3
can put it on AWS and it costs like 3 cents per hour uh the hacker recipe is a
cents per hour uh the hacker recipe is a
cents per hour uh the hacker recipe is a great website with a ton of resources
great website with a ton of resources
great website with a ton of resources and vul lab is a version of hack the box
and vul lab is a version of hack the box
and vul lab is a version of hack the box that is harder and has a lot of really
that is harder and has a lot of really
that is harder and has a lot of really cool active directory stuff on it all
cool active directory stuff on it all
cool active directory stuff on it all right you can talk to me after if you
right you can talk to me after if you
right you can talk to me after if you have other questions