HackTricks. If I had to take one link with me into a pentest, this would be it. Written by the creator of WinPEAS and LinPEAS, it is THE guide for PrivEsc, and one of the best for everything else.
Create a checklist of the things you need to make an exploit work
Order of Techniques
Registry and service exploits first
Kernel exploits last
WinPEAS (The Go-To) - These tools search for possible local privilege escalation paths that you could exploit and print them to you with nice colors so you can recognize the misconfigurations easily.
SeatBelt - Seatbelt is a C# project that performs a number of security-oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.
Windows Exploit Suggester Next Gen - WES-NG is a tool based on the output of Windows' systeminfo utility which provides the list of vulnerabilities the OS is vulnerable to, including any exploits for these vulnerabilities.
Accesschk.exe with the accept EULA flag - a Microsoft Sysinternals tool that is great for auditing privileges on your systems, and for auditing privileges on others' systems. This version is a standalone utility with the older code that allows you to auto-accept the EULA flag.
PrintSpoofer - From LOCAL/NETWORK SERVICE to SYSTEM by abusing SeImpersonatePrivilege on Windows 10 and Server 2016/2019.
Rattler - Rattler is a tool that automates the identification of DLLs which can be used for DLL preloading attacks.
SharpImpersonation - A User Impersonation tool - via Token or Shellcode injection
Rotten Potato - New version of RottenPotato as a C++ DLL and standalone C++ binary - no need for meterpreter or other tools. Leverages the privilege escalation chain based on the BITS service having the MITM listener on 127.0.0.1:6666, when you have SeImpersonate or SeAssignPrimaryToken privileges.
Juicy Potato - Upgraded and weaponized version of RottenPotatoNG
Sweet Potato - A collection of various native Windows privilege escalation techniques from service accounts to SYSTEM
Rogue Potato - Just another Windows Local Privilege Escalation from Service Account to System.
MSI files are used to install apps. They run with the permissions of the user installing them, and can be run with admin (elevated) privileges. We can use this by creating a malicious MSI file containing a reverse shell
Check 2 registry settings. Both must be present and enabled
LinPEAS - These tools search for possible local privilege escalation paths that you could exploit and print them to you with nice colors so you can recognize the misconfigurations easily.
LinEnum - Scripted Local Linux Enumeration & Privilege Escalation Checks
LSE - Linux Smart enumeration, Linux enumeration tools for pentesting and CTFs
Unix Privesc Check - Unix-privesc-checker is a script that runs on Unix systems (tested on Solaris 9, HPUX 11, various Linuxes, FreeBSD 6.2). It tries to find misconfigurations that could allow local unprivileged users to escalate privileges to other users or to access local apps (e.g. databases).
SUDO Killer - Linux Privilege Escalation through SUDO abuse.
Check user
Run enum scripts at increasing levels
Run manual commands
Check user home dir
/var/backup, /var/log, history files
Try quickest methods first
Check internal ports
Use Kernel exploits as a last resort
Enumerate Permissions
Users
Accounts in /etc/passwd
password hashes in /etc/shadow
Users are identified by a UID
root = UID 0
3 types of user ID
Real - defined in /etc/passwd. Who they actually are
Effective - when executing a process as another user, their effective ID is set to that user's real ID.
Used for most access control decisions
#whoami (reports the effective user)
Saved - used to ensure SUID processes can temporarily switch a user's effective ID back to their real ID and back again without losing track of the original effective ID
Groups
/etc/group
Primary and multiple secondary groups
Default primary group is same name as user account
Files/Dir
Have a single owner and a group
Permissions: read, write, execute
3 permission sets: owner, group, and all others
Special permissions
setuid (SUID) bit - When set, files will get executed with privileges of the file owner
setgid (SGID) bit - When set on a file, files will get executed with the permissions of the file group
When set on a directory, files created in that directory will inherit the group of the directory itself
Viewing permission
#ls -l /file/path
First 10 characters are the permissions on the file
First character is the type: “-” for file, “d” for directory
SUID/SGID permissions are represented by an “s” in the execute position
Techniques
Service PWs may be stored in plain text in config files
History files may contain a password used as part of a command
#ls -a -> look for _history files
Config files
OpenVPN files -> auth-user-pass option
SSH keys - can be used in lieu of passwords
/etc/shadow
Readable - copy and crack the root user's hash
writeable - copy and edit the shadow file with new root password
/etc/passwd
For backwards compatibility, if the second field of a user row is a password hash, it takes precedence over /etc/shadow
Either replace the password for root, or append a new user with root permissions.
Deleting the x in the second field is read as if the user has no password
search for the commands/binaries you can run as sudo, then pass arguments that force a new root shell
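Added example (not part of the original notes) covering both the user/permission section above and the /etc/passwd checks: small POSIX sh audit helpers that list UID 0 accounts, flag passwd rows whose second field is a hash or empty, and decode the 10-character mode string from ls -l. SAMPLE_PASSWD is a constructed excerpt; the account names and the fake hash in it are made up. On a real host you would feed the functions the output of cat /etc/passwd and ls -l.

```shell
#!/bin/sh
# Added audit helpers for the user and permission checks (not from the
# original notes). SAMPLE_PASSWD is a constructed /etc/passwd excerpt.

# Constructed sample, one row per account: name:pw:uid:gid:gecos:home:shell
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:$6$saltsalt$notarealhash:1001:1001::/home/backup:/bin/bash
sysadm:x:0:0:second uid 0 account:/home/sysadm:/bin/bash
guest::1002:1002::/home/guest:/bin/sh'

# Every account with UID 0 is root-equivalent, whatever its name.
uid0_accounts() {
  printf '%s\n' "$1" | awk -F: '$3 == 0 { print $1 }'
}

# Second-field anomalies: a hash stored directly in passwd overrides
# /etc/shadow for that user; an empty field means no password is needed.
passwd_field_anomalies() {
  printf '%s\n' "$1" | awk -F: '
    $2 == "" { print $1 ": empty password field" }
    $2 != "" && $2 != "x" && $2 != "*" && $2 !~ /^!/ { print $1 ": password hash stored in passwd" }'
}

# Decode the 10-character mode string at the start of an `ls -l` line.
# Position 1 is the type; positions 2-10 are rwx for owner, group, others.
# "s"/"S" in an execute slot marks setuid (owner) or setgid (group).
perm_flags() {
  mode=$1
  out=$(printf '%s' "$mode" | cut -c1)
  case $out in
    d) out=directory ;;
    -) out=file ;;
    l) out=symlink ;;
    *) out=other ;;
  esac
  case $(printf '%s' "$mode" | cut -c4) in s|S) out="$out suid" ;; esac
  case $(printf '%s' "$mode" | cut -c7) in s|S) out="$out sgid" ;; esac
  case $(printf '%s' "$mode" | cut -c9) in w)   out="$out world-writable" ;; esac
  printf '%s\n' "$out"
}

# Demo run against the constructed sample.
echo "UID 0 accounts:";         uid0_accounts "$SAMPLE_PASSWD"
echo "passwd field anomalies:"; passwd_field_anomalies "$SAMPLE_PASSWD"
perm_flags '-rwsr-xr-x'   # -> file suid   (the mode /usr/bin/passwd normally has)
perm_flags 'drwxrwsrwt'   # -> directory sgid world-writable
```

The anomaly check treats x, * and anything starting with ! as the normal "look in /etc/shadow" or "locked" markers; everything else in field two is reported. Writable /etc/passwd or /etc/shadow is a separate check: run perm_flags on the first ten characters of ls -l /etc/passwd /etc/shadow and look for world-writable in the output.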
Abusing intended functionality
Read/write to files owned by root
e.g. apache2 - it will report the first line of any file passed as an argument (in its error message).
#sudo apache2 -f /etc/shadow
Environment variables
Programs run through sudo can inherit the environment variables from the user's environment
In the /etc/sudoers file, the env_reset and env_keep options are available. These are displayed with #sudo -l
LD_PRELOAD variable that can be set to the path of a shared object file (.so)
By creating a custom shared object with an init() function, we can execute code as soon as the object is loaded
Will not work if the real user ID differs from the effective user ID. Also, sudo must have the env_keep option for LD_PRELOAD
#sudo LD_PRELOAD=<path to created shared object> <command you can run as sudo>
LD_LIBRARY_PATH
set of directories where shared libraries are searched for first
Print shared libraries used by a program
#ldd /usr/sbin/apache2
By creating a shared library with the same name as one used by a program, and setting LD_LIBRARY_PATH to its parent dir, the program will load our shared library instead.
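Added example (not from the original notes) for the environment-variable section above: a POSIX sh parser for sudo -l output that reports which LD_* variables env_keep preserves, whether env_reset is in effect, and which commands run as root. SAMPLE_SUDO_L is constructed; the user alice, host web01 and the listed commands are made up.

```shell
#!/bin/sh
# Added example (not from the original notes): parse `sudo -l` output for
# sudo environment handling. SAMPLE_SUDO_L is constructed.

SAMPLE_SUDO_L='Matching Defaults entries for alice on web01:
    env_reset, mail_badpass, env_keep+=LD_PRELOAD, env_keep+=LD_LIBRARY_PATH,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User alice may run the following commands on web01:
    (root) NOPASSWD: /usr/sbin/apache2
    (root) /usr/bin/vim'

# Loader variables that env_keep preserves across sudo. sudo drops LD_*
# variables by default; only an explicit env_keep entry lets them through.
risky_env_keep() {
  printf '%s\n' "$1" \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*env_keep[[:space:]]*+\{0,1\}=[[:space:]]*"\{0,1\}\([A-Za-z0-9_ ]*\)"\{0,1\}.*/\1/p' \
    | tr ' ' '\n' \
    | grep '^LD_' \
    | sort -u
}

# True when env_reset is listed (it limits the variables a command inherits).
env_reset_enabled() {
  printf '%s\n' "$1" | tr ',' '\n' | grep -q '^[[:space:]]*env_reset[[:space:]]*$'
}

# Commands the user may run as root, one per line, tags such as NOPASSWD: stripped.
root_commands() {
  printf '%s\n' "$1" | awk '/^[[:space:]]*\(root\)/ { print $NF }'
}

# Hardened /etc/sudoers Defaults for comparison (edit with visudo):
#   Defaults env_reset
#   Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# and no env_keep entry naming LD_PRELOAD or LD_LIBRARY_PATH.

echo "LD_* kept by env_keep:"; risky_env_keep "$SAMPLE_SUDO_L"
if env_reset_enabled "$SAMPLE_SUDO_L"; then echo "env_reset: on"; else echo "env_reset: OFF"; fi
echo "runs as root:";          root_commands "$SAMPLE_SUDO_L"
```

Any LD_* name printed by risky_env_keep combined with a command from root_commands is the condition the notes describe; the fix is removing the env_keep entry, not the command.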
Sudo Caching
PTFM: Sudo Caching - pg. 93
Cron jobs run at the security level of the user that owns them
By default they run with /bin/sh and a limited set of environment variables
Cron table files (crontabs) store config for cron jobs
Cronjobs are located in /var/spool/cron/ or /var/spool/cron/crontabs/
System wide crontab is located in /etc/crontab
If we can write to a program or script that gets run by a cronjob, we can replace it with our own code
PATH environment variable
default set to /usr/bin
Can be overwritten in the crontab file
If a cronjob script/program does not use an absolute path and one of the PATH directories is user-writeable, you can create a program or script with the same name as the cronjob's command
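Added example (not from the original notes) for the cron section above: a POSIX sh audit that extracts the PATH a crontab sets, lists every entry whose command (or a segment of a &&, ; or | chain) is not an absolute path, and reports which PATH directories the current user can write to. SAMPLE_CRONTAB is constructed in /etc/crontab format; /home/alice/bin and the scripts named in it are made up.

```shell
#!/bin/sh
# Added example (not from the original notes): audit a system crontab for
# commands invoked by relative name and for user-writable PATH directories.
# SAMPLE_CRONTAB is constructed.

SAMPLE_CRONTAB='SHELL=/bin/sh
PATH=/home/alice/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

# m h dom mon dow user  command
17 *  * * *  root   cd / && run-parts --report /etc/cron.hourly
*/5 * * * *  root   backup.sh --quiet
0 2   * * *  root   /usr/local/bin/cleanup.sh
30 3  * * *  alice  tar -czf /tmp/site.tgz /var/www/html'

# PATH as the crontab sets it (the last assignment wins; cron's own default
# applies when there is none).
cron_path() {
  printf '%s\n' "$1" | sed -n 's/^PATH=//p' | tail -n 1
}

# Entries whose command is looked up through PATH rather than given as an
# absolute path. Output: "<user> <schedule> -> <command word>".
cron_relative_commands() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*(#|$)/ { next }                 # comments and blank lines
    /^[A-Za-z_][A-Za-z0-9_]*=/ { next }           # SHELL=, PATH=, MAILTO=...
    {
      cmd = ""
      for (i = 7; i <= NF; i++) cmd = cmd (i > 7 ? " " : "") $i
      n = split(cmd, seg, /&&|\|\||;|\|/)         # one check per chained segment
      for (j = 1; j <= n; j++) {
        sub(/^[[:space:]]+/, "", seg[j])
        split(seg[j], w, /[[:space:]]+/)
        if (w[1] == "cd" || w[1] == "") continue  # shell builtin or empty segment
        if (w[1] !~ /^\//)
          print $6 " " $1 " " $2 " " $3 " " $4 " " $5 " -> " w[1]
      }
    }'
}

# Directories of a PATH string that the current user can write to.
writable_path_dirs() {
  printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r d; do
    if [ -n "$d" ] && [ -d "$d" ] && [ -w "$d" ]; then
      printf '%s\n' "$d"
    fi
  done
}

CRON_PATH=$(cron_path "$SAMPLE_CRONTAB")
echo "cron PATH: $CRON_PATH"
echo "relative commands:";      cron_relative_commands "$SAMPLE_CRONTAB"
echo "writable PATH dirs here:"; writable_path_dirs "$CRON_PATH"
```

A relative command is only a problem when some directory earlier in PATH than the real binary is writable by a less privileged user, which is why the two checks are reported side by side. The remediation is to use absolute paths in crontab entries and to keep cron's PATH to root-owned directories.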
Wildcard
When a wildcard char (*) is provided to a command as part of an argument, the shell will first perform filename expansion (globbing) on the wildcard
This process replaces the wildcard with a space-separated list of the file and directory names in the current directory
Can create filenames that match cmd line options like “--help”
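Added example (not from the original notes) for the wildcard section above: a POSIX sh demonstration of how filename expansion hands file names to a command as separate arguments, and how a ./ prefix keeps a name beginning with "-" from being read as an option. The temporary directory and its three file names are constructed by the script.

```shell
#!/bin/sh
# Added example (not from the original notes): filename expansion versus
# option parsing. The scratch directory and its contents are constructed.

# Build a scratch directory holding two ordinary files and one whose name
# looks like a command-line option.
make_demo_dir() {
  d=$(mktemp -d) || return 1
  : > "$d/report.txt"
  : > "$d/notes.md"
  : > "$d/--version"
  printf '%s\n' "$d"
}

# Count how many of the given arguments start with "-": these are the ones
# an option parser would consume as flags rather than as file names.
count_option_like() {
  n=0
  for a in "$@"; do
    case $a in -*) n=$((n + 1)) ;; esac
  done
  printf '%s\n' "$n"
}

# Bare glob: the shell substitutes every name in the directory, "--version" included.
bare_glob_options() { ( cd "$1" && count_option_like * ); }

# Prefixed glob: each expansion is "./name", so it always starts with "." and
# can never be mistaken for an option.
prefixed_glob_options() { ( cd "$1" && count_option_like ./* ); }

DIR=$(make_demo_dir)
echo "arguments that look like options with *   : $(bare_glob_options "$DIR")"
echo "arguments that look like options with ./* : $(prefixed_glob_options "$DIR")"
rm -rf "$DIR"
```

For scripts (cron jobs included) that run a command over * in a directory other users can write to, the safe spellings are ./* or an explicit path list; putting -- before the glob also works, but only with commands that honour -- as the end of options.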
#ps aux | grep "^root" Show all processes running as root
#netstat -nl Show all active connections (look for services)
Try to ID the version number and research exploits for it
#<program> -v or --version show version number
#dpkg -l | grep <program>
#rpm -qa | grep <program>
Some processes running as root may be bound to an internal port through which they communicate
If it cannot be run locally on the target machine, the port can be forwarded using ssh to your local machine