Hello all. Today I want to show you another Excel trick. I'm going to show you a privilege escalation from Excel without creating any processes. So let's log in on this Windows 7 machine as a normal user. So I'm not an administrator with this LUA account. Let's go to My Documents. So I'm going to run Process Explorer as an administrator just so that you can follow along which processes are created. So you see I'm not an administrator. I need to type the password. Okay, and here we have Process Explorer running.

So what I'm going to do now is start my Excel tools that contain a command line and regedit, and that is something I did a couple of years ago. This here launches a command line, but all is done inside the Excel process itself. Okay, so you can see here I have a command line. But if you go have a look here in Process Explorer, you'll see Excel has no subprocess. And this command line window is actually part of Excel. Let me show you like this. I select this window and you see that it belongs to the Excel process. So this is a command line that I took from ReactOS, changed into a DLL, and then I'm running this inside Excel by running a DLL from memory into memory.

Okay, but that's all old stuff. What I want to show you now is a privilege escalation. So whoami shows that I am the LUA account, I'm not privileged. So if I do, for example, a net localgroup administrators here, you can see that root is a member. And if I try to add myself, this fails because I'm not an administrator. But this is going to change because here in my directory, I have a DLL that allows me to do a privilege escalation. This comes from Metasploit. It's an exploit for CVE-2014-4113, quite recent. And here in my command line, I've also added an extra command. That's a DLL command. The DLL command allows me to load the DLL into the Excel process. And I can do this into memory without LoadLibrary with option m. So let me do that. DLL slash m. And that's the CVE DLL. Okay.
And as you can see here, it successfully executed and I have executed a privilege escalation. If I do a whoami, now you can see that I am NT AUTHORITY\SYSTEM. Well, if you go to Process Explorer, it still lists LUA as the owner, but I performed a privilege escalation. If I do, for example, now a CMD, you can see that the subprocess is created, CMD here, and that it runs as NT AUTHORITY\SYSTEM. So let's go out of this. And now as a last thing, I'm going to do a net localgroup administrators LUA add. And this was successful. I can now net add myself to the group of administrators.

Now I did this with the Metasploit exploit for CVE-2014-4113. I just made some small changes to the source code and then recompiled it. First of all, here in the beginning, I removed the reflective DLL injection stuff from Metasploit because I don't need that anymore. I have my own method to do this. So I removed that reflective DLL injection. I enabled debugging. And here at the end, you can see that I just disabled the execution of the payload because I don't need any payload. I just want to elevate Excel and then I can work with my own tools.