Hey guys. So far we have seen how we can do privilege escalation using a kernel exploit. But in this video, I'm going to show you how you can do the same thing with PowerShell Empire and SET toolkit. SET is also called the Social Engineering Toolkit, and it is pretty much installed in almost every Kali Linux version.
So you don't really have to worry about getting it from anywhere. But do make sure that it's updated. So let's actually check that SET, too. You're just going to type setoolkit, and that'll pop it up. Okay. Awesome.
So let's look at the version. It's 8.0.1, which is pretty awesome. And now we're trying to do a social engineering attack. So let's type one, and it'll show you a menu of other options.
And I'm going to go for "create a payload and listener", because eventually I want to generate a malicious payload, which I will then send to the target. By some means: you could do it either way, you could go by social engineering, or you could go by opening up a server, or you could just directly email it, stuff like that. So I'm going to go for that. And I want a meterpreter shell, because that's one of the best ones.
So, actually, this one's better: this is a reverse TCP. So I want reverse TCP. So let's click two, because that's going to create, if you expand, you'll see "spawn a meterpreter shell on victim and send back to attacker", because it's better to have a meterpreter shell versus any shell, because this is a very advanced version of PowerShell. You can do a lot of things with it. So we need to set our LHOST here, which is our local host.
That's our local machine, Kali. So let's actually check for the IP real quick: ifconfig. That's 192. Okay, so 192.168... There's your IP, enter. And then for the port, just put whichever one; or 49, enter.
So it will automatically generate the file for you. You don't have to do anything, just wait on it. And for my target machine for this video I picked Windows 7. So from VirtualBox right here, I just pulled it up; it's Windows XP or Windows 7, but this one I'm going to be using is Windows 7, as you can see. So let's go back to our system and see if it's generated. Perfect. So the payload has been generated in root/.set/payload.exe; let's actually check that.
Awesome. So it's right here. You just go to home, .set, and that's where you'll find it. So let's open this up in a terminal, because we want to send this particular payload to our target machine. Before that, let's start the listener right here.
Yes, this will start the Metasploit framework for you automatically. That's awesome. You don't have to do anything. And it'll also connect you with the machine; it will give you a TCP connection, if everything has gone right. Awesome.
So it started reverse TCP. Now go back to your machine right here. And we want to send this exploit to our target machine. I'm going to start a Python simple HTTP server. So just type python -m SimpleHTTPServer, enter.
So that'll start it up on port 8000. So go back to your machine, like the Windows machine in here, open up a browser, and type in the attacker machine, Kali Linux, IP and the port. So 1921681888, enter, and you should be seeing a directory of the set folder. Actually it was one, sorry, the IP address of Kali, enter. There you go. So there it is.
So we need to download this on our vulnerable machine. Enter. Right now, if it is vulnerable, we should be getting an executable meterpreter session. Perfect. There we go. Now, we need to get out the sessions: sessions -i 1, we're setting it to the meterpreter session.
Wait on it till we get it, and the sessions are awesome. So we got our meterpreter session. You can check it by typing getuid, stuff like that, enter. So that's the PC name, that's the Windows 7 PC name. You can also type sysinfo and see if you can get it. There you go, Windows 7. Now our next step is to see processes; we can check the processes because we want to view all the running processes and note down the PID value of explorer.exe. That's what we're going to be exploiting. Type ps, and see, there is explorer right here, which is 13... Wait, is this the PID?
Yes, this is the PID, so we are looking for the PID. So explorer, 1368, that's it. So here we'll migrate meterpreter to the explorer.exe process so that we don't have to worry about the process getting reset and closing our session. So for that you just have to type migrate and then the ID, which was 1368. And there we go, we're migrating now. Next, just try to type getuid now and see; it displays the user, it's still the same. Perfect.
Also, let's try to type shell and see, type some shell commands right here. So we're in there. As you can see, we're on the Windows machine right now. So whatever you type, you're basically talking in the Windows machine. So let's type net. Let's try to know more details about this particular user, whose username is hacker.
So, enter. So that's why you got everything about it. Now the next step is to check: you want to see all the information of the current user, right? So you can do something like net user. So just type net user and the username, which is... well, because you already did that, we don't have to add the next commands, because we already got all the stuff that is required, so let's just go with something like... The main reason why I did this was to check the administrator stuff.
So right here, as you can see, local group memberships: it's Administrators. So now I'm going to go back, because frequently, especially with client-side exploits, you will find that your session only has limited user rights. This can severely limit the actions you try to perform on remote systems, such as dumping passwords, manipulating the registry, or installing backdoors; for anything like that you would want to get full privileges. So try to get administrator privileges. One good thing about Metasploit is that it has a meterpreter script called getsystem that will use a number of different techniques to attempt to gain SYSTEM level privileges on the remote system. You don't even have to do anything; you just have to try getsystem and it'll probably give it to you.
So before doing that, type use priv, and then... I've used priv, and perfect. Oh, we have to go to our meterpreter. So right here, we're back at meterpreter from the shell, and now I'm going to do the same command again: use priv, and then getsystem. So all together, getsystem; this will give me a useful meterpreter script, getsystem, right, so this will give me different techniques to attempt to gain SYSTEM level privilege. So it's pretty cool. Looks like it didn't really work so well. We'll still let it try.
And the script will try every method, stopping when it succeeds, so we're just going to let it be. And now let's go and get into Empire. So, Empire: basically, if you haven't installed it yet, it's really easy. It's a GitHub repo. All you have to do is, let me actually pull up the path for you: go to git clone https://github.com/EmpireProject/Empire. I've already downloaded it.
So I just have it downloaded right here. And once you download it, just go to the folder and then install it. So go to setup. And as you can see, you have to install it. So just type ./install.sh. And once you do that, you have to give it executable permission so that you can run it.
So for that you can just type chmod +x install.sh. And once you do this, you should be set; you should be getting a file like this, empire. So let's go back to that: ls, cd, ls. So that's Empire. So just run it, and it will pull up the Empire framework for you.
So once that's up, Empire will give you a lot of scope for your exploitation. So when it's up, in Empire we want to do something like, in this case, for example, you want to get it attached to our current process. So for that, I'm just going to type listeners and then enter; it'll show me everything that's listening. Right? And this is the port that's listening right now, the only one. And if you want to check, because that was the one, okay.
So if you want to check that, you don't have to do anything, because it's already done. But if it says no listeners active, you can just type uselistener http, enter. So that'll set it up to use HTTP, and then you have to execute it. Once you execute it, you will see if there is a listener there or not. If it's there, then it ought to... but if it is not there, then we'll do it, and it'll successfully get started.
Now just launch the PowerShell script. You got that, and then enter. Sorry, I'm in the command section, but we need to go back to our Kali or register right here, honestly. So let's see. Excuse me, just clear it out. Okay, let me just type listeners.
Again, we certainly have that. So I'm just going to continue with it. And I'm going to type launcher powershell http. So basically, what I'm trying to do is first we'll try to see if there are any actual listeners, and we do have them. Next we're trying to generate a PowerShell script with the help of launcher. So let's tap enter.
There you go. Perfect. So we got that. So the above command, this one right here, will generate a PowerShell script which you need to execute on your remote target system with the help of meterpreter, which we have running right here. So for that, we're going to go back to it and then just execute it right there. That's it.
I hope you enjoyed this video. Thank you.