
We will mainly be using machines inside the HackTheBox VIP labs. This is a separate paid offering, so this lecture walks you through how to set up your HackTheBox account.
Once you're into HackTheBox, this quick lecture gives you a tour of the dashboard and shows you how to set up your VIP subscription.
The nice thing about HackTheBox is you don't need to install any lab resources locally. In this lecture I'll show you how to access your Parrot OS attacker VM directly through your browser. You'll also learn how to install the four Windows privesc tools we'll be using in this course. Tip: two of them are already installed for you!
The last lecture showed you how to access your attacker VM directly from within your web browser. This works great; however, there is another approach: you can SSH into your attacking machine from your host and get an even better experience. This is my preferred method and the one I'll be showing you in this lecture.
Now I'm going to show you how to connect to the penetration testing environment using the OpenVPN client. I'll also get you quickly up to speed with tmux for terminal session management, as we will be using it throughout the course.
We will begin our EoP (elevation of privilege) journey by compromising a Windows server, and will then elevate access in the following lecture.
In this lecture you will enter into my thought process for escalating privileges without Metasploit. You will essentially sit beside me and hear an expert thinking out loud through the realistic, messy process of abusing vulnerabilities to escalate privileges on a Windows server.
We finally move into escalating our privileges. As a bonus, after we pwn the box, we will enable RDP on the system and explore a few misconfigurations. We'll close the lecture with an overview of the MITRE ATT&CK techniques we executed to dominate the system.
In this lecture we will manually compromise a public-facing web server using SQLi and chain it with an LFI to exfiltrate data. You're also going to learn awesome little tips like how to determine the OS of a target just by pinging it (from the TTL in the reply, no nmap required), how to manually craft a custom SQLi attack (and actually understand wtf you're doing in the process) and more. I've had so much fun making this series; it is truly the training material I wish I had when I was learning this stuff. It's going to be nuts! Let's go!
Now it's time to have some fun. Sometimes it isn't possible to escalate directly from a standard user account to SYSTEM or Administrator. In this lecture you'll carefully walk through my thought process as I take you on a journey through horizontal escalation (moving to another user at the same privilege level). You'll get a lot of experience with PowerShell 7 in this lecture, but don't worry if you're not familiar with PowerShell 7, because I break everything down step by step so it's super easy to follow! Let's do this!
Yes! Okay, so we've moved laterally to another user, but how can we elevate our position to SYSTEM? In this lecture you will learn how to do this without using Metasploit or pre-built binaries. You will see how to manually escalate your privileges by abusing weak registry permissions (for example, a service's registry key that a low-privileged user can write to). You'll see the process isn't always so straightforward, but by the end of the lecture you'll really understand how this stuff works. And by finally understanding it you will feel confident, happy and ultimately able to explain the entire process to other people who have less technical knowledge than you! It's going to be so much fun, let's go!
Oh yeah! Now we switch to incident response and triage the attack. We're going to drop the firewall, enable RDP, remote into the box and explore the registry and the IIS 10 server configuration. Then we will analyze the web server logs to see if we can find Indicators of Compromise (IOCs) from the attack. We'll even use Burp's Intruder module to fuzz the target with a SQLi wordlist from SecLists to see if we can light up the logs with our attack! It's going to be awesome!
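For the log-hunting step above, here is an added example (my own code, not from the course) that parses constructed IIS W3C extended log lines and flags the query strings that look like SQL injection, grouped by client IP. The field layout, sample requests and indicator regexes are assumptions; a real IIS site may log a different field set.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Constructed sample in IIS W3C extended format (not a real capture). IIS writes '-' for
# an empty field, replaces spaces inside a field with '+', and logs the query string as received.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2021-04-01 12:00:01 10.10.10.5 GET /products.aspx id=7 80 - 10.10.14.2 Mozilla/5.0 200 0 0 15
2021-04-01 12:00:02 10.10.10.5 GET /products.aspx id=7' 80 - 10.10.14.9 Mozilla/5.0 500 0 0 31
2021-04-01 12:00:03 10.10.10.5 GET /products.aspx id=7+UNION+SELECT+1,2,3-- 80 - 10.10.14.9 Mozilla/5.0 200 0 0 40
2021-04-01 12:00:04 10.10.10.5 GET /products.aspx id=7%27%20OR%201%3D1-- 80 - 10.10.14.9 Mozilla/5.0 200 0 0 22
2021-04-01 12:00:05 10.10.10.5 GET /products.aspx id=7;WAITFOR+DELAY+'0:0:5'-- 80 - 10.10.14.9 Mozilla/5.0 200 0 0 5012
2021-04-01 12:00:06 10.10.10.5 GET /about.aspx - 80 - 10.10.14.2 Mozilla/5.0 200 0 0 9
"""

# Indicator name -> regex run against the URL-decoded query string. Assumed set; extend per target DBMS.
INDICATORS = [
    ("union_select", re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I)),
    ("boolean_tautology", re.compile(r"'\s*(or|and)\s+\S+\s*=\s*\S+", re.I)),
    ("time_based", re.compile(r"waitfor\s+delay|\bsleep\s*\(|benchmark\s*\(|pg_sleep\s*\(", re.I)),
    ("stacked_query", re.compile(r";\s*(waitfor|select|insert|update|delete|drop|exec)\b", re.I)),
    ("comment_truncation", re.compile(r"--(\s|$)|/\*")),
    ("mssql_specific", re.compile(r"xp_cmdshell|@@version|sysobjects|information_schema", re.I)),
]


def parse_iis_log(text):
    """Parse IIS W3C extended log text into dicts keyed by the names in the #Fields header."""
    fields, records = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            continue
        tokens = line.split(" ")
        if len(tokens) != len(fields):
            continue  # truncated or malformed line; a production tool should count these
        rec = dict(zip(fields, tokens))
        query = rec.get("cs-uri-query", "-")
        # Decode once so %27 and '+' become the characters the database actually saw.
        rec["query_decoded"] = "" if query == "-" else unquote_plus(query)
        records.append(rec)
    return records


def score_request(rec):
    """Return the list of SQLi indicators that fire for one request (empty list = looks benign)."""
    q = rec["query_decoded"]
    found = [name for name, rx in INDICATORS if rx.search(q)]
    if q.count("'") % 2 == 1:
        found.append("unbalanced_quote")          # classic first probe: a lone quote
    if rec.get("sc-status") == "500" and "'" in q:
        found.append("server_error_with_quote")   # error-based injection often shows up as HTTP 500
    if "time_based" in found and rec.get("time-taken", "0").isdigit() and int(rec["time-taken"]) >= 4000:
        found.append("slow_response")             # the delay actually executed
    return found


def hunt(text):
    """Run the indicators over a log and summarise per client IP."""
    hits = []
    by_ip = defaultdict(lambda: {"requests": 0, "suspicious": 0, "status_500": 0, "indicators": Counter()})
    for rec in parse_iis_log(text):
        ip = rec.get("c-ip", "?")
        stats = by_ip[ip]
        stats["requests"] += 1
        if rec.get("sc-status") == "500":
            stats["status_500"] += 1
        indicators = score_request(rec)
        if indicators:
            stats["suspicious"] += 1
            stats["indicators"].update(indicators)
            hits.append({"time": f"{rec['date']} {rec['time']}", "c-ip": ip,
                         "uri": rec["cs-uri-stem"], "query": rec["query_decoded"], "indicators": indicators})
    return {"hits": hits, "by_ip": dict(by_ip)}


if __name__ == "__main__":
    report = hunt(SAMPLE_LOG)
    for hit in report["hits"]:
        print(hit["time"], hit["c-ip"], hit["uri"], repr(hit["query"]), ",".join(hit["indicators"]))
    for ip, stats in report["by_ip"].items():
        print(ip, stats["suspicious"], "of", stats["requests"], "requests suspicious;", stats["status_500"], "x HTTP 500")
```

Two caveats when you try this on the lab box: IIS does not log POST bodies, so injection through form fields never appears in cs-uri-query (you would need Failed Request Tracing or a WAF log), and IIS buffers log writes, so the Intruder run may not show up in the file for a minute or so.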
Now that the breach is behind us, let's map the tactics, techniques and procedures (TTPs) used in our incident against the MITRE ATT&CK framework so we can see how we gained initial access, elevated our privileges, exfiltrated data from the network and impacted the fictitious target organization in our HackTheBox VIP lab!
It's time to pop another Windows box! This time we've got our work cut out for us. This was not an easy box, but you're going to learn a ton of advanced techniques and tools during the pentest: how to install tmux plugins, how to use Burp to passively spider a host, the magic of Wappalyzer, using Google Image search for recon, a little-known alternative to ExploitDB, grep power tricks, using Hashcat to crack hashes and so much more! This one lesson is probably worth the entire price of the course. Let's go!
For the longest time, token manipulation confused the heck out of me. We are going to abuse the Potato family of local privilege escalation techniques (Hot Potato, Rotten Potato, RottenPotatoNG, Juicy Potato, Lonely Potato, Sweet Potato and Rogue Potato). In this lecture we focus on the Juicy variant, which abuses an impersonation privilege to obtain a SYSTEM token. This is an advanced privilege escalation technique that many pentesters feel like they should know but can't explain. After executing this attack vector I believe you'll finally understand how it works.
Let's dive into the logs and see what we did! In this lecture I'll show you how to triage an incident where Juicy Potato was executed. You'll take a journey into my thought process as we study the Windows Security log for evidence of the attack.
So here is a hard truth: we can no longer reasonably call ourselves competent bug bounty hunters, pentesters or red teamers if we don't know how to map attacks to MITRE ATT&CK. Let's change that today!
Yes! In this lecture you'll learn how to use awk, cut and a bunch of other bash-fu tricks to master the command line. You'll also learn how to compromise a workstation via credentialed access. We're going to intelligently build a custom wordlist based on information disclosed on the target website. It's going to be awesome!
We're going to use a little-known impersonation privilege to elevate to SYSTEM. There are a lot of moving parts to this one, so we'll need to make sure we get it perfect! Let's do this!
There is a dangerous alternate method of achieving SYSTEM if the target machine isn't properly patched: exploiting the unpatched vulnerability directly (dangerous because a failed exploit can crash the box). In this quick lecture I will walk you through the process from A to Z!
In this lecture we will jump on the box, attempt to enable the GUI and walk through the local configuration to see what the application owners could have done to fortify this box against the tactics, techniques and procedures we used to exploit it.
Alright, now we're going to establish an initial foothold on the target web app, which is hosted on a legacy version of Windows Server. No exploits will be used, and neither will Metasploit. Let's fire up nmap and get started!
Yes! OK, now it's time to move up. Instead of using automated Windows privilege escalation scripts such as SharpUp, PowerUp, winPEAS, JAWS, Seatbelt, Watson or Sherlock, we are going to manually explore a relatively advanced privilege escalation vector by abusing DPAPI with Mimikatz. But we're going to run Mimikatz offline (against the DPAPI material we pull back to our attacker box, rather than dropping the tool on the target) to practice good OpSec... every good pentester wants to keep the defenders from knowing they're there, right? Let's go!
We can't finish a box without a true reverse shell. In this lecture we're going to abuse credentials saved with runas.exe's /savecred flag to spawn a reverse shell back to our attacker box as the compromised Administrator!
In this lecture you will learn how to use nmap, dig, nslookup, rpcclient, smbclient, smbmap, ldapsearch, CrackMapExec, hashcat, evil-winrm and GetNPUsers.py from Impacket. You'll also learn about Windows password policies (and how to understand them), what AS-REP Roasting is (and how it's different from Kerberoasting) and what password spraying is (and how it's different from brute force attacks). I've packed a lot of goodness into this lecture! So let's stop wasting time and just jump in!
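As an added example (my code, not the course's) of two ideas in this blurb, the block below decodes userAccountControl values from constructed directory entries to find AS-REP-roastable and Kerberoastable accounts (the same check GetNPUsers.py performs over LDAP), then plans a password spray that stays under a constructed lockout policy. The entries, policy and candidate passwords are made up.

```python
import math
import re

# userAccountControl bits from the ADS_USER_FLAG enumeration (subset).
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x0002,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "NORMAL_ACCOUNT": 0x0200,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "DONT_REQ_PREAUTH": 0x400000,
}

# Constructed entries shaped like ldapsearch output for (objectClass=user). Not real accounts.
ENTRIES = [
    {"sAMAccountName": "svc_backup", "userAccountControl": 4260352, "servicePrincipalName": ["MSSQLSvc/sql01.corp.local:1433"]},
    {"sAMAccountName": "jdoe", "userAccountControl": 512, "servicePrincipalName": []},
    {"sAMAccountName": "legacy_app", "userAccountControl": 4194816, "servicePrincipalName": []},
    {"sAMAccountName": "old_contractor", "userAccountControl": 4194818, "servicePrincipalName": []},
    {"sAMAccountName": "WS01$", "userAccountControl": 4096, "servicePrincipalName": ["HOST/ws01.corp.local"]},
]

# Constructed policy, the kind of values `net accounts` or crackmapexec --pass-pol prints.
POLICY = {"lockout_threshold": 5, "lockout_observation_minutes": 30, "min_password_length": 8, "complexity": True}


def decode_uac(value):
    """Names of the UAC flags set in an integer userAccountControl value."""
    return sorted(name for name, bit in UAC_FLAGS.items() if value & bit)


def find_roastable(entries):
    """AS-REP roast: DONT_REQ_PREAUTH lets anyone request a TGT for the account and the AS-REP's
    enc-part is encrypted with the user's own key, so it cracks offline. Kerberoast: any authenticated
    user can request a service ticket for an SPN, encrypted with the service account's key.
    Disabled accounts are skipped because the KDC refuses both requests for them."""
    asrep, kerberoast = [], []
    for e in entries:
        uac, name = e["userAccountControl"], e["sAMAccountName"]
        if uac & UAC_FLAGS["ACCOUNTDISABLE"]:
            continue
        if uac & UAC_FLAGS["DONT_REQ_PREAUTH"]:
            asrep.append(name)
        # Computer accounts have SPNs too, but their passwords are random 120-char strings: not crackable.
        if e.get("servicePrincipalName") and not name.endswith("$") and name.lower() != "krbtgt":
            kerberoast.append(name)
    return {"asrep": asrep, "kerberoast": kerberoast}


def meets_complexity(pw, policy):
    """Approximation of the Windows rule (3 of the upper/lower/digit/symbol classes). A password set
    before the policy existed may still violate it, so treat this as a prioritisation filter, not truth."""
    if len(pw) < policy["min_password_length"]:
        return False
    if not policy["complexity"]:
        return True
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    return classes >= 3


def viable_candidates(words, policy):
    return [w for w in words if meets_complexity(w, policy)]


def plan_spray(policy, n_passwords, safety_margin=1):
    """Spraying is a few passwords against many users; brute force is many passwords against one user
    and trips lockout. Stay (threshold - margin) attempts per account inside each observation window,
    then wait for the window to elapse before the next round."""
    threshold = policy["lockout_threshold"]
    per_window = max(threshold - safety_margin, 1) if threshold else n_passwords  # 0 = no lockout policy
    rounds = math.ceil(n_passwords / per_window) if n_passwords else 0
    return {"attempts_per_account_per_window": per_window, "rounds": rounds,
            "minimum_minutes": max(rounds - 1, 0) * policy["lockout_observation_minutes"]}


if __name__ == "__main__":
    print(find_roastable(ENTRIES))
    print(decode_uac(4260352))
    candidates = viable_candidates(["Spring2021!", "Password1", "password", "Welcome1", "corp2021", "Summer2021!"], POLICY)
    print(candidates, plan_spray(POLICY, len(candidates)))
```

The lockout math is the part people get wrong: the observation window resets the bad-password counter, so four attempts per account every 30 minutes is safe under a threshold of five, while five attempts in one go locks every account you touch.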
aww man! haha check it out! This lecture is going to be bonkers. You're going to learn winPEAS and BloodHound. But the way I teach BloodHound in this lecture might be unlike anything you've ever seen. I'm going to break down exactly how to set up the BloodHound collector, how to troubleshoot when things break and how to interpret the BloodHound output in a way that makes sense to management. Yup. Then I'm going to show you how to pivot from BloodHound to actual exploitation! We're going to have a ton of fun in the process using Evil-WinRM, native PowerShell cmdlets, PowerView, PSExec, WMIExec, CrackMapExec, all the EXECs! So you can tell your EXECutives the risk they have and how to mitigate it. I love it! Let's just jump in. I had way too much fun making this one for you guys lol.
SICK! Now as an added bonus I'm going to show you one of the deadliest persistence mechanisms I know inside an AD environment: the Golden Ticket. You're going to learn EXACTLY what it is (a forged Kerberos TGT built with the krbtgt account's hash, which stays valid until that password is reset twice), why it's so dangerous and how to execute it using ticketer.py from Impacket. Then we're going to obtain a SYSTEM shell with a Golden Ticket using psexec.py. It's going to be a ton of fun, let's go!
Aw yeah! Haha, so check it out: in this lecture we're going into incident response mode on the target victim machine and will be using DeepBlueCLI to extract malicious indicators from the Windows event logs. You'll see why DeepBlueCLI is awesome because I'll compare it to manually hunting the logs using the native Windows PowerShell cmdlet Get-EventLog (which only exists in Windows PowerShell 5.1; in PowerShell 7 you'd use Get-WinEvent). The cool thing is you'll see that DeepBlueCLI detects our Pass-the-Hash (PtH) event with PSExec and even the Golden Ticket event we generated with ticketer.py! That's pretty cool, right? Oh yeah, and the target system had a reduced attack surface, running Windows Server 2016 Core with no desktop, yet we were still able to cause chaos. Let's jump in!
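To make the detection logic concrete, here is an added example (my own, not DeepBlueCLI's code and not from the course) that runs two correlations over constructed event records: an NTLM network logon followed within seconds by a service installed straight under %SystemRoot% on the same host (the footprint psexec.py leaves), and a 4769 service-ticket request with no preceding 4768 TGT from the DC, which is what a forged TGT leaves behind because the DC never issued it. The event records, hosts, names and time windows are constructed; the 4768/4769 part needs the DC's Security log alongside the target's.

```python
from datetime import datetime

# Constructed records resembling Windows Security/System log events (not a real capture).
# SRV01 is the compromised member server, DC01 its domain controller.
EVENTS = [
    # Normal activity: jdoe gets a TGT (4768), a service ticket for SRV01 (4769), then logs on to SRV01.
    {"host": "DC01", "id": 4768, "time": "2021-04-01T13:00:00", "data": {"TargetUserName": "jdoe", "TargetDomainName": "CORP.LOCAL", "Status": "0x0", "TicketEncryptionType": "0x12"}},
    {"host": "DC01", "id": 4769, "time": "2021-04-01T13:00:05", "data": {"TargetUserName": "jdoe@CORP.LOCAL", "TargetDomainName": "CORP.LOCAL", "ServiceName": "SRV01$", "IpAddress": "::ffff:10.10.10.20", "TicketEncryptionType": "0x12"}},
    {"host": "SRV01", "id": 4624, "time": "2021-04-01T13:00:06", "data": {"LogonType": "3", "AuthenticationPackageName": "Kerberos", "TargetUserName": "jdoe", "TargetDomainName": "CORP", "IpAddress": "10.10.10.20"}},
    # A plain NTLM network logon with no service install: common, and not by itself remote execution.
    {"host": "SRV01", "id": 4624, "time": "2021-04-01T13:05:00", "data": {"LogonType": "3", "AuthenticationPackageName": "NTLM", "TargetUserName": "jdoe", "TargetDomainName": "CORP", "IpAddress": "10.10.10.20"}},
    # psexec.py with a hash: NTLM network logon from the attacker, then a randomly named service in %SystemRoot%.
    {"host": "SRV01", "id": 4624, "time": "2021-04-01T13:10:00", "data": {"LogonType": "3", "AuthenticationPackageName": "NTLM", "TargetUserName": "Administrator", "TargetDomainName": "CORP", "IpAddress": "10.10.14.9"}},
    {"host": "SRV01", "id": 7045, "time": "2021-04-01T13:10:02", "data": {"ServiceName": "aJkQ", "ImagePath": "%SystemRoot%\\aJkQ.exe", "AccountName": "LocalSystem"}},
    # Golden ticket: service ticket for Administrator with no TGT ever issued by DC01, then a Kerberos logon on SRV01.
    {"host": "DC01", "id": 4769, "time": "2021-04-01T14:00:00", "data": {"TargetUserName": "Administrator@CORP.LOCAL", "TargetDomainName": "CORP.LOCAL", "ServiceName": "SRV01$", "IpAddress": "::ffff:10.10.14.9", "TicketEncryptionType": "0x17"}},
    {"host": "SRV01", "id": 4624, "time": "2021-04-01T14:00:01", "data": {"LogonType": "3", "AuthenticationPackageName": "Kerberos", "TargetUserName": "Administrator", "TargetDomainName": "corp.local", "IpAddress": "10.10.14.9"}},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def _within(later, earlier, window_s):
    delta = (_ts(later) - _ts(earlier)).total_seconds()
    return 0 <= delta <= window_s


def detect_psexec_pth(events, window_s=60, allowlist=()):
    """7045 service install with its binary directly under %SystemRoot% (PSEXESVC, or a random name as
    psexec.py uses), preceded on the same host within window_s by a 4624 type-3 NTLM logon.
    The NTLM logon alone is normal; the service install is what makes the pair worth an alert."""
    findings = []
    for svc in (e for e in events if e["id"] == 7045):
        name = svc["data"]["ServiceName"]
        path = svc["data"]["ImagePath"].lower().strip('"')
        root_drop = path.startswith(("%systemroot%\\", "c:\\windows\\")) and path.count("\\") == 1
        if name in allowlist or not (name.upper() == "PSEXESVC" or root_drop):
            continue
        for lg in events:
            d = lg["data"]
            if (lg["id"] == 4624 and lg["host"] == svc["host"] and d["LogonType"] == "3"
                    and d["AuthenticationPackageName"] == "NTLM" and _within(svc, lg, window_s)):
                findings.append({"host": svc["host"], "service": name, "user": d["TargetUserName"],
                                 "source": d["IpAddress"], "reason": "ntlm_network_logon_then_service_install"})
    return findings


def detect_forged_ticket(events, window_s=10 * 3600, aes_expected=True):
    """A forged TGT is never issued by the DC, so a 4769 for that account has no successful 4768 within
    the TGT lifetime (10 hours by default). Secondary, tool-dependent heuristics: an RC4 (0x17) service
    ticket in an AES domain, and a 4624 Kerberos logon whose Account Domain is the FQDN or lowercase
    instead of the NetBIOS name, which forged tickets commonly produce."""
    findings = []
    tgts = [e for e in events if e["id"] == 4768 and e["data"].get("Status") == "0x0"]
    for tgs in (e for e in events if e["id"] == 4769):
        user = tgs["data"]["TargetUserName"].split("@")[0].lower()
        reasons = []
        if not any(t["data"]["TargetUserName"].lower() == user and _within(tgs, t, window_s) for t in tgts):
            reasons.append("tgs_without_tgt")
        if aes_expected and tgs["data"].get("TicketEncryptionType") == "0x17":
            reasons.append("rc4_service_ticket")
        if reasons:
            findings.append({"host": tgs["host"], "user": user, "source": tgs["data"]["IpAddress"], "reasons": reasons})
    for lg in (e for e in events if e["id"] == 4624 and e["data"]["AuthenticationPackageName"] == "Kerberos"):
        dom = lg["data"]["TargetDomainName"]
        if "." in dom or dom != dom.upper():
            findings.append({"host": lg["host"], "user": lg["data"]["TargetUserName"].lower(),
                             "source": lg["data"]["IpAddress"], "reasons": ["domain_field_not_netbios"]})
    return findings


if __name__ == "__main__":
    for f in detect_psexec_pth(EVENTS) + detect_forged_ticket(EVENTS):
        print(f)
```

The TGS-without-TGT rule only works if your 4768 retention covers the ticket lifetime; on a DC whose Security log rolls over in hours it will fire on legitimate users too, so treat the secondary heuristics as tie-breakers rather than noise.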
New Launch for Spring 2021!
This is a 100% hands-on course: you will be using the same tradecraft and techniques red teamers and advanced adversaries use to escalate privileges on Windows endpoints after they have gained initial access and established a foothold. This course is not "death by PowerPoint"; in fact there is not a single PowerPoint slide in the course. This course is aimed at intermediate to advanced users who are hungry to know how to discover and exploit novel escalation paths on fully patched Windows 10 endpoints. Everything is carefully explained, step by step.
Additionally, although Metasploit is used in some attacks, we will be using less Metasploit and more manual walk-throughs, because I wanted to take the time to carefully explain WHY each method works and detail how common misconfigurations happen in enterprise environments.
Where Metasploit is used, everything is carefully explained and deconstructed so you can understand why and how it works. Exploits start easy and escalate in difficulty as you progress through the course.
The Techniques
You will quickly learn and execute the following escalation of privilege techniques across 5 vulnerable machines:
Windows Kernel Exploits
Weak Registry Permissions
Token Manipulation
CVE Exploits
DPAPI Abuse
AS-REP Roasting (Four New Lectures Just Added November 2021!)
The Tools
You will use msfvenom, BC Security's PowerShell Empire, CrackMapExec, PSExec, WMIExec, BloodHound, netcat, Impacket's smbserver.py, ldapsearch, smbclient, rpcclient, hashcat, GetNPUsers.py, evil-winrm, wfuzz, gobuster, dirsearch, sqlmap, Mimikatz, DeepBlueCLI, Burp Suite (advanced features), Python 3, PowerShell 7 on Linux and more. You will also learn IIS 10 server administration, how to threat hunt for SQLi attacks in web logs and much, much more.
My dream for you
By the end of this course you should be able to use these techniques in:
Your day to day work
OSCP preparation
CTF hacking
About the lab
There are 10 vulnerable machines.
No lab setup is required, as the entire environment is already established in the HackTheBox VIP labs.
I wanted to make this course as realistic as possible while removing as many barriers to entry as possible so I've partnered with HackTheBox VIP labs to make it as easy as possible to get started.
Yes, HackTheBox is an additional charge, but it offers hundreds of pre-configured vulnerable machines in a lab that is accessible via a VPN connection. This means you can get started right away and don't have to waste time fumbling with VirtualBox and VMware settings on your local system. Most of the systems are also licensed, which provides the best environment for realistic exploitation.
Tip:
I made these videos so all commands are zoomed in close so you can watch on a mobile phone if desired. I hate watching videos on my smartphone and squinting at the command prompt or terminal. Never again will that happen.