Your skills always impresses me ! In 30min you show us different methods to escalate and even with your video, I spend hours to do what you show... Thanks for your work

It's really fascinating how finicky and strange it is working through MSF versus the clarity and simplicity of doing it manually. Like, yeah it took a little longer doing it through Powershell, but it was 100% clear exactly what was happening the entire time. Once you shifted into MSF, there was this whole other layer of obfuscation and strangeness and particular parameters needing to be just so, plus the workflow got really messy and hard to follow. Neat to see that side by side. I've never seen a more convincing argument for not using Metaploit lol

I don't think it worked the first time without URL encoding, the only packets in the tcpdump output are http packets, no icmp. It worked the second time with ctrl+u, url encoded

5:18. I know this is late but am I right to point out that ippsec is not getting ICMP requests and rather is seeing http requests ? Or am I missing something?

hahaha I did too many steps to get this box without metasploit :D Thanks for sharing! IppSec you rocks!

Good evening guys. I am new to penetration testing and of course I have so many doubts and questions. All the powershell commands that he added to burp suite are commands that you find inside the payload or you need to know those? Thank you for your response

Is there an alternative to Sherlock, other than Watson, that is not deprecated? Watson repo doesn't seem to supply the exe in the tags and other than using visual studio, I'm not sure how else to build the exe (especially on a linux box). Any powershell scripts that have the same functionality as Sherlock and aren't deprecated?

Hi Ippsec, for the Access Denied error at 25:28 it has to do with write permissions of a temp powershell script. you can set W_PATH C:\\Windows\\Temp in the advanced options and it works. Congrats for your channel and thanks a lot for the knowledge sharing

me : do everything good but still needs to reset the box for some reason ippsec : do somethings wrong but still works ahah

Great walkthrough as usual ippsec. Never thought it could be exploited like that too. I used the rejetto module for user shell and then i created a msfvenom payload.I uploaded both the payload and the ms16032 script with metasploit and then invoked the script in Powershell. First i edited the script at the path part pointing to the payload.Thought it much simpler like that,of course lacking good knowledge of Powershell to do what you did in the video. Anyways keep up the good wordk ippsec you are a true guru!

Great video! Is it just me or did anyone else notice that the server did not indeed 'ping' him during the CSS portion of the testing. TCPDUMP simply showed the SYN/ACK packets between the webserver and his box. No ICMP packets... Just saying :)

Using the Empire one is a nice tip :) Good job on explaining the vulnerability

The video quality is too low. Letters ate too small and hazy, even when zooming in.

Do you have any tips on Linux Priv Esc, when shell is not really working for meterpreter?

Thanks a lot for you explanation!!!

Hey great walkthrough, the only thing I find confusing is how you'd know that there was an exploit on empire? Obviously you know in advance where everything is but would have been good if you sort of explained the steps of how you'd end up finding powershell empire's module. If I was just doing the box alone I'd have never thought to look at empire and would probably end up dismissing the PoC on github as something that wouldn't work on this box and so I guess i'm just wondering how you knew to pick that specific exploit and what amendments would have needed to be made to the PoC for the exploit to work?

I have been trying to use the same technique.. but I am not able to even ping or get reverse shell etc. However, msf exploit works. Is there any change in machine? Why could that be?

I wonder that is there any way easier to get a shell except via powershell?

Hey IppSec, coming back to this a couple of years too late - do you know if this box has since been modified? I can't get the PowerShell execution through HFS. So I jumped in with MSF, Listing the contents of C:\Windows, there isn't a SysNative folder? See Screenie: ibb.co/dmyJPrH Has 64-bit powershell since been removed from this machine?

Hi! I have a vbscript RCE on a box. When I use it with ping.exe and my IP Address I get requests from the box. So this is working: code exec and the back connection. When I try to start powershell.exe with the absolute path it responses without errors. But if I use ping in the PS it does not work. downloadString does not work either. I have no way to see error messages. In gerneral: Is there a way of getting a reverse_shell without PS or through vbscript? Is there a cmd.exe reverse shell? And what could I do for further testing? btw: Ippsec, your videos are awesome and I cannot tell how much I already learned! Thank soo much!

Hello Sir. Is there a tool similar to Sherlock.ps but can be executed on Windows 7/xp ? Plus, as a newbie, where can I learn those great tools? Let me know, thx

THANK YOU! THANK YOU! THANK YOU!

when send from repeater burpsuite, why nothing happen on my simpleHTTPServer even i was already encode before send it.

Hi, thanks for video and all the tips inside. I think that you're not getting ICMP packets when you do just the "%00{.exec|ping 10.10.14.17.}" what you see is your HTTP traffic (GET request and the response). In my case at least I didn't manage to make that work (i.e.: see the icmp traffic). While it works if I do a "powershell.exe ping 10.10.14.17" instead.

Followed step for step and was still not able to get privesc, went the metasploit route, great vid though!!

Can any one tell me how he knew to use the empire MS16032. or how I could come to the same conclusion? Thanks ladies and gents.

Your tcpdump trying to pick up PING is not actually working. (at about 5:00) I've made that same mistake and got prematurely excited that it worked. Note, your TCPdump is picking up all packets not just ICMP, and what you're seeing is the HTTP going across the same interface, not the PING.

how does this migrate command works?

Can someone please explain to me why it matters that the priv escalation has to be run in 64bit? I did this box by myself up until the priv escalation b/c it was failing. Couldn't figure out why and watched this and I am really glad I did b/c I learned a lot about manual tools and powershell and what not. Thanks for the video any further clarification would be great.

I'm late to this party, but the reason why the Priv Esc wasn't working initially is because the sscript is attempting to write the TXT file into System32 as kostas. Evidently, kostas is not an admin, and has no rights to sys32. That being said, attempting the exploit via migrate still yields no shell due to the whole 32 bit migrated to 64 bit issue.

Just want to drop another comment here, thanks ippsec, this particular walkthrough basically became my holy rules for privilege escalations.

You opened a Powershell shell on port 1337 first, then you opened another one on port 1338. That was only because you didn't want to rely on the web RCE and wanted a more stable shell I guess..anyway you could do also without a second shell right? You could have used MS16-032 and be root in the first shell on port 1337, right? Maybe I got a bit confused when you made a mistake in the video.

Hi Ippsec, hope you are well, on each video i see you use burp suit, can you do video about burp suit. thank you

What Firefox extension is that?

That tcpdump capture is not related to icmp packets, I don't think the ping even worked, those captured packets looked like tcp packets

For those of you who didn't do it via ms16-032, it does not work due to the fact that there is 1 core (race conditioning requires 2). use ms16-098

Thanks a TON !!!!

Should I be using a virtual machine and a VPN while using this?

6:17 it is not pinging. there are no icmp packets only http packets. i tried with {.exec|C:\System32\cmd.exe ping ip.} still not working. I believe it only works with powershell

Quite possibly a stupid question: Why is he using a VPN? Is it just to mask his IP for the video or is there any other reason?

Great video!!! Thks!!

As alwasy amazing..

This may not have existed at the time of recording, but there is an exploit on exploit-db which makes the process of getting a rev-shell a lot simpler: www.exploit-db.com/exploits/39161

Nice! :D

0:11 now I know where you did this box originally in 2014

Great video, thanks! However these days the metasploit module of ms16-032 doesn't seem to work. 64 bit payload on 64 bit meterpreter session give me an error: "[-] Exploit failed: Errno::EPROTO Protocol error @ rb_sysopen - $ZsYFMDYTBateYDl = @" [DllImport("kernel32.dll")] ..." along with a dump of CreateThread function. I changed ports, recreated sessions, etc

well my question is: if there will be another video in between the next box or no this time :p

Hello IppSec, First thank you for teaching us every video new trick. I had a problem with the SYSTEM reverse shell i couldnt get it at all and after i got frustrated i coped the root.txt to kostas desktop and it ran. idk why running IEX... and getting shell.ps1 didnt run. and i tried shell.ps1 alone and made sure its correct but in Invoke script it dosent run. if anyone know why plz tell me coz my brain is almost exploded :)

Тhank you ;)

Am I the only one who thinks this looks like Optimus?