Your skills always impress me! In 30 min you show us different methods to escalate, and even with your video I spend hours doing what you show... Thanks for your work
It's really fascinating how finicky and strange it is working through MSF versus the clarity and simplicity of doing it manually. Like, yeah, it took a little longer doing it through PowerShell, but it was 100% clear exactly what was happening the entire time. Once you shifted into MSF, there was this whole other layer of obfuscation and strangeness and particular parameters needing to be just so, plus the workflow got really messy and hard to follow. Neat to see that side by side. I've never seen a more convincing argument for not using Metasploit lol
I don't think it worked the first time without URL encoding; the only packets in the tcpdump output are HTTP packets, no ICMP. It worked the second time with ctrl+u, URL encoded
GET /?search=%00{.exec|C:\Windows\System32\PING.EXE+192.168.119.206.} works
@@shankaranarayana6568 works with a +, or %20 (the browser automatically subs that encoding for me) but for some reason it needs the ".exe" extension in the command. I don't know enough about this to know why.
GET /?search=%00{.exec|ping.exe 192.168.119.206.}
me: do everything well but still need to reset the box for some reason
ippsec: does some things wrong but it still works ahah
Hi Ippsec, for the Access Denied error at 25:28, it has to do with write permissions of a temp PowerShell script. You can set W_PATH C:\\Windows\\Temp in the advanced options and it works. Congrats for your channel and thanks a lot for the knowledge sharing
5:18. I know this is late, but am I right to point out that ippsec is not getting ICMP requests and is rather seeing HTTP requests? Or am I missing something?
Exactly, he is getting http replies, but NOT icmp echo replies.
@ippsec Hey, I was wondering about the same thing. I tried simulating some ICMP traffic and it said ICMP in the tcpdump, but when we do the {exec ping ...} no ICMP packets come up. So are we missing something?
Later at 10:47 he encodes the requests and ICMP pings are visible. I guess that was missing initially. That's all.
Well I'm too late, but..
Initially he forgot the icmp filter on the tcpdump command and thought the packets were ICMP packets (while they were packets related to the HTTP requests/responses). It's hard to stay focused while explaining at the same time.
Great walkthrough as usual ippsec. Never thought it could be exploited like that too.
I used the rejetto module for the user shell and then I created a msfvenom payload. I uploaded both the payload and the ms16032 script with Metasploit and then invoked the script in PowerShell. First I edited the script at the path part pointing to the payload. Thought it much simpler like that, of course lacking good knowledge of PowerShell to do what you did in the video.
Anyways keep up the good work ippsec, you are a true guru!
hahaha I did too many steps to get this box without Metasploit :D Thanks for sharing! IppSec you rock!
Using the Empire one is a nice tip :) Good job on explaining the vulnerability
Just want to drop another comment here, thanks ippsec, this particular walkthrough basically became my holy rules for privilege escalations.
hi.. were you able to PrivEsc using meterpreter as shown? were you able to get the escalated shell using ms16_032 exploit?
@@kab3800 Yes sir, you need to make sure the PowerShell/Meterpreter session is 64-bit based, otherwise it will have problems. I did it manually with PowerShell 64-bit.
@@wutangdaug thanks for the quick reply! I'll try it out and get back.
Did you go through the powershell way? This isn't working for me and I literally have the correct code (for the part in burp before getting the user shell 12:00) and if just isn't working. Do you know if this method is broken?
@@SWonYT Hello Sammy. There could be several reasons why it does not work. Have you tried pinging yourself to make sure the exploit works? Is your exploit IP address correct? Have you tried a different port? Have you tried deleting the content in Burp and starting all over again?
This method is working as I tested it a week ago; all you need to do is be patient and try to troubleshoot. It will work if you do it right. Good luck!
Thanks a lot for your explanation!!!
Great video! Is it just me, or did anyone else notice that the server did not in fact 'ping' him during the CSS portion of the testing? tcpdump simply showed the SYN/ACK packets between the webserver and his box. No ICMP packets... Just saying :)
THANK YOU! THANK YOU! THANK YOU!
Is there an alternative to Sherlock, other than Watson, that is not deprecated? Watson repo doesn't seem to supply the exe in the tags and other than using visual studio, I'm not sure how else to build the exe (especially on a linux box). Any powershell scripts that have the same functionality as Sherlock and aren't deprecated?
Your tcpdump trying to pick up PING is not actually working. (at about 5:00) I've made that same mistake and got prematurely excited that it worked. Note, your TCPdump is picking up all packets not just ICMP, and what you're seeing is the HTTP going across the same interface, not the PING.
and ping requires ".exe" no idea why.
Good evening guys.
I am new to penetration testing and of course I have so many doubts and questions.
All the PowerShell commands that he added to Burp Suite, are they commands that you find inside the payload or do you need to know those?
Thank you for your response
The video quality is too low. Letters are too small and hazy, even when zooming in.
Hi, thanks for the video and all the tips inside. I think that you're not getting ICMP packets when you do just the "%00{.exec|ping 10.10.14.17.}"; what you see is your HTTP traffic (GET request and the response). In my case at least I didn't manage to make that work (i.e. see the ICMP traffic), while it works if I do a "powershell.exe ping 10.10.14.17" instead.
Well thank you! I had the same problem making it work manually, and adding powershell.exe did the job. I don't know why it doesn't work right away though.
@@ephirr9176 Hey guys. I have the same findings. |%00{.exec|powershell.exe+ping+10.10.14.7.}" Do you know why I need the period after the IP address?
Followed step for step and was still not able to get privesc, went the metasploit route, great vid though!!
Hi Ippsec, hope you are well. In each video I see you use Burp Suite; can you do a video about Burp Suite? Thank you
I wonder whether there is any easier way to get a shell other than via PowerShell?
Can anyone tell me how he knew to use the Empire MS16032, or how I could come to the same conclusion? Thanks ladies and gents.
experience
It depends on how much research you have done about the computers and software
Did I miss some piece of information? Or is there an article I can read that might help?
The only thing that can help you become good at making conclusions is that you need to keep track of every piece of news related to hacking, vulnerabilities and patches
That tcpdump capture is not related to icmp packets, I don't think the ping even worked, those captured packets looked like tcp packets
This is correct. The tcpdump shows the traffic (HTTP requests) that was sent via Burp Repeater :-) I make this mistake often. This is why it would be better to only filter ICMP traffic in the tcpdump ("tcpdump -ni tun0 icmp")
+1
This threw me for some time as I couldn't get the ping to work as described even when the search parameter was encoded and terminated with '.}'. In the end I got it working by explicitly adding the .exe extension. The encoded search param that worked for me is as follows (ensure you change the IP address for your own):
%00{.exec|ping.exe+10.10.14.17.}
When sent from Burp Suite Repeater, why does nothing happen on my SimpleHTTPServer even though I already encoded it before sending?
Hey, great walkthrough. The only thing I find confusing is how you'd know that there was an exploit on Empire? Obviously you know in advance where everything is, but it would have been good if you sort of explained the steps of how you'd end up finding PowerShell Empire's module. If I was just doing the box alone I'd have never thought to look at Empire and would probably end up dismissing the PoC on GitHub as something that wouldn't work on this box, so I guess I'm just wondering how you knew to pick that specific exploit and what amendments would have needed to be made to the PoC for the exploit to work?
He just searched for it on Google or Empire itself. And you should never dismiss anything you find, as there is always a chance it would work; you just have to try it. There is no one way or an optimal way in these kinds of things, it's always a hit and miss, so you should never dismiss anything you're not sure wouldn't work
I'm late to this party, but the reason why the Priv Esc wasn't working initially is because the script is attempting to write the TXT file into System32 as kostas. Evidently, kostas is not an admin, and has no rights to sys32.
That being said, attempting the exploit via migrate still yields no shell due to the whole 32 bit migrated to 64 bit issue.
6:17 it is not pinging. There are no ICMP packets, only HTTP packets.
I tried with {.exec|C:\System32\cmd.exe ping ip.} and it is still not working. I believe it only works with PowerShell
Try to url encode it {.exec | ping ip .}
I didn't use ps btw
How does this migrate command work?
Do you have any tips on Linux Priv Esc, when shell is not really working for meterpreter?
Try Harder 💪😁
Hi! I have a VBScript RCE on a box. When I use it with ping.exe and my IP address I get requests from the box. So this is working: code exec and the back connection. When I try to start powershell.exe with the absolute path it responds without errors. But if I use ping in the PS it does not work. downloadString does not work either. I have no way to see error messages.
In general: Is there a way of getting a reverse_shell without PS or through VBScript? Is there a cmd.exe reverse shell?
And what could I do for further testing?
btw: Ippsec, your videos are awesome and I cannot tell how much I already learned! Thanks so much!
Hey IppSec, coming back to this a couple of years too late - do you know if this box has since been modified? I can't get the PowerShell execution through HFS. So I jumped in with MSF, Listing the contents of C:\Windows, there isn't a SysNative folder? See Screenie: ibb.co/dmyJPrH Has 64-bit powershell since been removed from this machine?
Maybe you’re already 64 bit? I believe that dir may only exist when you’re in a 32 bit process.
@@ippsec Hey Ipp, figured it out. I was sure I was running in a 32-bit process, and it turns out I was; SysNative just won't appear when you run a dir command for some reason, even if you are in a 32-bit process, but you can still interact with it just fine. ¯\_(ツ)_/¯
Hello Sir. Is there a tool similar to Sherlock.ps but can be executed on Windows 7/xp ?
Plus, as a newbie, where can I learn those great tools? Let me know, thx
by executed on Windows 7/xp, I mean does not require powershell to run. Or maybe powershell is always a good start?
What Firefox extension is that?
+1, can someone tell us the name of it?
foxyproxy????
For those of you who didn't do it via ms16-032: it does not work due to the fact that there is 1 core (the race condition requires 2). Use ms16-098
I have been trying to use the same technique.. but I am not able to even ping or get reverse shell etc. However, msf exploit works. Is there any change in machine? Why could that be?
I have popped the box with the method in this video today.
@@demiscuzz6427 Thanks. I was also able to use the technique after I reset the machine.
Can someone please explain to me why it matters that the priv escalation has to be run in 64bit? I did this box by myself up until the priv escalation b/c it was failing. Couldn't figure out why and watched this and I am really glad I did b/c I learned a lot about manual tools and powershell and what not. Thanks for the video any further clarification would be great.
No apparent reason. In theory it should work when he migrated to a 64-bit session but it didn't, so he tried to upload a 64-bit Meterpreter and it worked. You have to realise a lot of the software is buggy and it becomes even worse when it works with other software, so as a hacker you just have to find your way around it
late to respond, but 0xdf explains why.
This may not have existed at the time of recording, but there is an exploit on exploit-db which makes the process of getting a rev-shell a lot simpler: www.exploit-db.com/exploits/39161
Great video!!! Thks!!
0:11 now I know where you did this box originally in 2014
where?
Thanks a TON !!!!
Should I be using a virtual machine and a VPN while using this?
Virtual Machine yes. VPN is not needed.
Nice! :D
Great video, thanks! However these days the metasploit module of ms16-032 doesn't seem to work. 64 bit payload on 64 bit meterpreter session give me an error: "[-] Exploit failed: Errno::EPROTO Protocol error @ rb_sysopen - $ZsYFMDYTBateYDl = @" [DllImport("kernel32.dll")] ..." along with a dump of CreateThread function. I changed ports, recreated sessions, etc
Even I tried a lot, making sure it's x64, but it's not working :(
yeah it failed for me as well
To anyone who is trying out ms16_032_secondary_logon_handle_privesc on Metasploit as the method to priv esc (as what IppSec and some walkthroughs did), if you are attempting this machine as a Retired machine, you will not be able to use this method anymore, for the fact that retired HTB boxes do not necessarily have the same system specifications of Active machines.
The retired Optimum machine only has 1 core (as seen from systeminfo), while the exploit requires at least 2 cores.
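An added read-only preflight, not from the video or any commenter, that reports the session properties this comment and the earlier replies about SysNative and W_PATH say the MS16-032 step depends on: process bitness, logical processor count and write access to the temp path. The function name and the default write path are my own choices; it changes nothing on the host.

```powershell
# Added example (not from the video or any commenter): report why the MS16-032
# step may fail in the current session, without changing anything on the host.
function Get-PrivEscPreflight {
    [CmdletBinding()]
    param(
        # Directory a temp script would be written to (a commenter suggests C:\Windows\Temp)
        [string]$WritePath = (Join-Path $env:windir 'Temp')
    )

    $is64Os   = [Environment]::Is64BitOperatingSystem
    $is64Proc = [Environment]::Is64BitProcess
    $cpus     = [Environment]::ProcessorCount   # logical processors, as systeminfo reports

    # SysNative is a virtual alias that only exists for a 32-bit (WOW64) process on a
    # 64-bit OS: 'dir C:\Windows' never lists it, but Test-Path resolves it.
    $sysNativePs = Join-Path $env:windir 'SysNative\WindowsPowerShell\v1.0\powershell.exe'
    $sysNativeUsable = (-not $is64Proc) -and (Test-Path $sysNativePs)

    # Probe write access with a throw-away file that is removed again immediately.
    $canWrite = $false
    try {
        $probe = Join-Path $WritePath ([IO.Path]::GetRandomFileName())
        [IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force
        $canWrite = $true
    } catch {
        $canWrite = $false
    }

    [pscustomobject]@{
        Is64BitOS           = $is64Os
        Is64BitProcess      = $is64Proc
        LogicalProcessors   = $cpus
        SysNativePowerShell = $sysNativeUsable
        WritePath           = $WritePath
        WritePathWritable   = $canWrite
        Blockers            = @(
            if ($is64Os -and -not $is64Proc) { 'running 32-bit on a 64-bit OS: relaunch via SysNative\...\powershell.exe' }
            if ($cpus -lt 2)                 { 'only 1 logical processor: the race in MS16-032 needs at least 2' }
            if (-not $canWrite)              { "cannot write to $WritePath: choose a writable path (Metasploit W_PATH)" }
        )
    }
}

Get-PrivEscPreflight | Format-List
```

An empty Blockers list means none of the three failure causes discussed in this thread applies to the current session.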
As always amazing..
Quite possibly a stupid question: Why is he using a VPN?
Is it just to mask his IP for the video or is there any other reason?
The HTB machines are accessed via VPN
@@ippsec Oh, that makes sense. Thanks for the quick reply.
well my question is: if there will be another video in between the next box or no this time :p
No idea. I'd say its unlikely, doesn't look like I'll have much free time this upcoming week.
Hello IppSec,
First thank you for teaching us every video new trick.
I had a problem with the SYSTEM reverse shell. I couldn't get it at all, and after I got frustrated I copied the root.txt to kostas' desktop and it ran. idk why running IEX... and getting shell.ps1 didn't run. I tried shell.ps1 alone and made sure it's correct, but in the Invoke script it doesn't run.
If anyone knows why please tell me, because my brain has almost exploded :)
I'm having the same problem. This box is supposed to be easy, but nothing is working properly.
same here
You opened a PowerShell shell on port 1337 first, then you opened another one on port 1338. That was only because you didn't want to rely on the web RCE and wanted a more stable shell, I guess. Anyway, you could also do it without a second shell, right? You could have used MS16-032 and been root in the first shell on port 1337, right? Maybe I got a bit confused when you made a mistake in the video.
I got the initial shell on port 1337. For privilege escalation, I have it send a shell to port 1338. I mistakenly execute shell.ps1 first which sends a user shell to 1338. I close out of that, then execute the privesc powershell script to escalate to admin then execute shell.ps1 to send me an administrative shell on port 1338.
Thank you. So if you don't open a new shell after the MS16-032 exploit runs, you can't use the first shell as NT/AUTHORITY-SYSTEM even if the exploit is successful? It's compulsory to get a new privileged shell for privesc? Sorry for the dumb question.
Correct. The exploit is not just giving your shell elevated rights, it's just executing a separate command as SYSTEM. It's just easier to run entirely new processes than to send stuff back to your current session and deal with nested terminals.
yeah, before your answer I just recalled that it executes a new instance of cmd.exe, so I understand. It makes sense to open a new shell. Thanks again for the video and for your answer. p.s. another interesting thing is that we could modify the exploit and instead of executing cmd.exe we could execute a msfvenom payload for executing a meterpreter reverse_tcp shell as shown here: zero-day.io/modifyexploits/
Am I the only one who thinks this looks like Optimus?
Thank you ;)