Privilege Escalation
Internal recon is the starting point for privilege escalation: learning as much as possible about the target in the hope of finding a path to higher privileges. Enumeration scripts such as LinEnum and linprivchecker help surface weaknesses, and kernel exploits such as Dirty COW attack the system itself. Services running with elevated rights and credentials stored on disk offer further routes. The deck also covers sudo rules that let a lower-privileged user run commands as a higher one, and unquoted service paths on Windows, as examples of the techniques used in offensive security.
Slide 1: Privilege Escalation (Offensive Security)
Slide 2: Internal Recon
- Learning as much as possible about the target
- Hopefully find a path to escalate privileges
- Many different ways to escalate
- Sometimes you need to get creative
Slide 3: Scripts
- LinEnum: https://github.com/rebootuser/LinEnum
- unix-privesc-check: http://pentestmonkey.net/tools/audit/unix-privesc-check
- linprivchecker: https://github.com/reider-roque/linpostexp/blob/master/linprivchecker.py
- Windows Exploit Suggester
- PowerUp
- Metasploit: post/windows/gather/enum_patches
Slide 4: Exploits
- Exploiting the system itself, e.g. Dirty COW
- Figure out what's running:
    uname -a
    cat /proc/version
    cat /etc/issue
- Windows: find installed patches:
    wmic qfe get Caption,Description,HotFixID,InstalledOn
Slide 5: Services Running Elevated
- Some services may have access to run commands
- Database software (multiple products) can execute shell commands
- What if this is running as root?
- We find creds via some other method
Slide 6: Stored Credentials
- Finding creds somewhere on disk: a config file, a password manager database, passwords saved in a browser
- Windows setup answer files:
    C:\unattend.xml
    C:\sysprep.inf
    C:\sysprep\sysprep.xml
- Weak credentials
- Search text files for passwords:
    findstr /si password *.txt *.xml *.ini
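Added example (not part of the deck): a defender-side sweep of the answer files the slide names, checking whether credential material was left behind after setup. Windows Setup normally overwrites consumed passwords in unattend.xml with the marker *SENSITIVE*DATA*DELETED*, so a non-empty Value that is not that marker is what an auditor should look for. The file contents, the account name and the base64 value are constructed placeholders, and the function names are mine.

```python
"""Sweep Windows setup answer files for credential material left behind.

Added example, not from the slides: a defender-side check of the files the
slide names (unattend.xml, sysprep.inf, sysprep.xml). Sample file contents
below are constructed; the base64 value is a placeholder, not a real secret.
"""
import re
import xml.etree.ElementTree as ET

# Marker Windows Setup writes into unattend.xml once a password has been consumed.
REDACTED_MARKER = "*SENSITIVE*DATA*DELETED*"

# Constructed unattend.xml: the admin password was blanked, a local account's was not.
SAMPLE_UNATTEND = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <UserAccounts>
        <AdministratorPassword>
          <Value>*SENSITIVE*DATA*DELETED*</Value>
          <PlainText>false</PlainText>
        </AdministratorPassword>
        <LocalAccounts>
          <LocalAccount>
            <Name>svc_deploy</Name>
            <Password>
              <Value>Q09OU1RSVUNURURfUExBQ0VIT0xERVI=</Value>
              <PlainText>false</PlainText>
            </Password>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
    </component>
  </settings>
</unattend>
"""

# Constructed sysprep.inf fragment (INI style).
SAMPLE_SYSPREP_INF = """[GuiUnattended]
AdminPassword="S3cret-Build-Pw"
AutoLogon=Yes
"""

def _local(tag):
    """Strip the XML namespace: '{urn:...}Value' -> 'Value'."""
    return tag.rsplit('}', 1)[-1]

def leftover_xml_passwords(xml_text):
    """Return (element, value) pairs for *Password elements whose Value was not blanked."""
    found = []
    for elem in ET.fromstring(xml_text).iter():
        if not _local(elem.tag).lower().endswith("password"):
            continue
        for child in elem:
            if _local(child.tag) != "Value":
                continue
            value = (child.text or "").strip()
            if value and value != REDACTED_MARKER:
                found.append((_local(elem.tag), value))
    return found

# key=value or key="value" where the key mentions a password (case-insensitive).
INI_PASSWORD = re.compile(r'^\s*(\w*password\w*)\s*=\s*"?([^"\r\n]*?)"?\s*$', re.I | re.M)

def leftover_ini_passwords(ini_text):
    """Return (key, value) pairs for non-empty password keys in an INI-style file."""
    return [(k, v) for k, v in INI_PASSWORD.findall(ini_text) if v.strip()]

def scan_answer_file(filename, text):
    """Dispatch on file type; returns a list of (where, value) findings."""
    if filename.lower().endswith(".xml"):
        return leftover_xml_passwords(text)
    return leftover_ini_passwords(text)

if __name__ == "__main__":
    samples = [(r"C:\unattend.xml", SAMPLE_UNATTEND), (r"C:\sysprep.inf", SAMPLE_SYSPREP_INF)]
    for name, text in samples:
        for where, value in scan_answer_file(name, text):
            # Report the location and length only; never echo the secret itself.
            print(f"{name}: {where} still holds a value ({len(value)} chars)")
```

The script deliberately reports only where a value remains and how long it is, so its output can go into a ticket without copying the secret around. Remediation is to remove the files (or blank the Value elements) once deployment is complete.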
Slide 7: Sudo
- A lower-level user executes commands as a higher-level user
- Check which commands you are allowed to run:
    sudo -l
- sudo su
- Other commands? python, man, nmap, awk
- https://gtfobins.github.io/
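Added example (not part of the deck): an audit of the rules that `sudo -l` prints, from the defender's side. It flags rules that amount to unrestricted root (ALL), rules for the shell-capable binaries the slide lists (python, man, nmap, awk, plus su), and remaining NOPASSWD entries that deserve a second look. The `sudo -l` output, the user and host names are constructed, and the function names are mine.

```python
"""Audit the rules that `sudo -l` reports for a user.

Added example, not from the slides: the `sudo -l` output below is constructed,
and the list of shell-capable binaries is limited to the ones the slide names
(python, man, nmap, awk) plus su. The point is the defender's view: which sudo
rules amount to full root, and which should be tightened or removed.
"""
import os
import re

# Binaries the slide lists as able to spawn a shell when run via sudo.
SHELL_CAPABLE = {"python", "python2", "python3", "man", "nmap", "awk", "gawk", "mawk", "su"}

# Constructed `sudo -l` output for a user named deploy on host web01.
SAMPLE_SUDO_L = r"""Matching Defaults entries for deploy on web01:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User deploy may run the following commands on web01:
    (root) NOPASSWD: /usr/bin/python3
    (root) /usr/bin/systemctl restart nginx
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/bin/awk, /usr/bin/systemctl status nginx
"""

# One rule line: "(runas) TAG: TAG: cmd1, cmd2 args"
RULE = re.compile(r'^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>\S.*?)\s*$')

def parse_sudo_l(text):
    """Return one dict per command: {'runas', 'tags', 'command'}."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True        # everything above this line is Defaults, not rules
            continue
        m = RULE.match(line) if in_rules else None
        if not m:
            continue
        tags = {t.rstrip(':') for t in m.group("tags").split()}
        for cmd in m.group("cmds").split(','):
            rules.append({"runas": m.group("runas").strip(), "tags": tags, "command": cmd.strip()})
    return rules

def audit_sudo_rules(rules, shell_capable=SHELL_CAPABLE):
    """Classify each rule: 'unrestricted' (ALL), 'shell-capable', or 'nopasswd'."""
    findings = []
    for r in rules:
        if r["command"] == "ALL":
            findings.append(("unrestricted", r["command"]))
            continue
        exe = os.path.basename(r["command"].split()[0])   # program without its arguments
        if exe in shell_capable:
            findings.append(("shell-capable", r["command"]))
        elif "NOPASSWD" in r["tags"]:
            findings.append(("nopasswd", r["command"]))
    return findings

if __name__ == "__main__":
    for kind, cmd in audit_sudo_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"{kind:14} {cmd}")
```

In practice the shell-capable list would be extended from GTFOBins; the fix for each finding is the same: restrict the rule to a specific wrapper script with fixed arguments, or remove it.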
Slide 8: Unquoted Service Path
- Service is running on Windows
- Service account has higher permissions
- Binary is writable by other users
- Replace the binary with our own (msfvenom binary)
- Find candidates:
    wmic service get name,displayname,pathname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
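Added example (not part of the deck): a parser for the fixed-width table that the wmic command on this slide prints, applying the same three filters as the findstr chain (Auto start, not under C:\Windows, path not already quoted) and listing the directories whose ACLs an administrator must confirm are not writable by standard users. The service table is constructed, and the function names are mine.

```python
"""Audit Windows services for unquoted executable paths containing spaces.

Added example, not from the slides: it parses the fixed-width table that
`wmic service get name,displayname,pathname,startmode` prints, applies the
same filters as the slide's findstr chain (Auto start, not under C:\Windows,
not already quoted), and lists the directories an administrator must confirm
are not writable by standard users. The service table below is constructed.
"""
import re

def _row(name, display, path, mode):
    """Build one fixed-width line in the layout wmic uses (constructed sample)."""
    return f"{name:<12}{display:<21}{path:<62}{mode}"

SAMPLE_WMIC = "\n".join([
    _row("Name", "DisplayName", "PathName", "StartMode"),
    _row("GoodSvc", "Good Vendor Service", r'"C:\Program Files\Good Vendor\goodsvc.exe"', "Auto"),
    _row("BadSvc", "Bad Vendor Service", r"C:\Program Files\Bad Vendor\Sub Dir\badsvc.exe -k netsvcs", "Auto"),
    _row("HostSvc", "Host Service", r"C:\Windows\system32\svchost.exe -k LocalService", "Auto"),
    _row("ManualSvc", "Manual Tool", r"C:\Tools\manual svc\m.exe", "Manual"),
    _row("NoSpace", "No Space Service", r"C:\Tools\nospace\svc.exe", "Auto"),
])

def parse_wmic_table(text):
    """Split wmic's fixed-width output into dicts keyed by the header names."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    header, rows = lines[0], lines[1:]
    # Column boundaries are wherever a header word starts.
    cols = [(m.group(), m.start()) for m in re.finditer(r'\S+', header)]
    bounds = [start for _, start in cols] + [None]
    return [
        {name: row[bounds[i]:bounds[i + 1]].strip() for i, (name, _) in enumerate(cols)}
        for row in rows
    ]

EXE = re.compile(r'^(.*?\.exe)', re.I)

def unquoted_exe_path(pathname):
    """Return the executable path if it is unquoted and contains a space, else None."""
    p = pathname.strip()
    if p.startswith('"'):
        return None
    m = EXE.match(p)
    exe = m.group(1) if m else p.split(' ')[0]
    return exe if ' ' in exe else None

def dirs_to_verify(exe):
    r"""Directories where a file named after a space-split prefix could be created.

    For C:\Program Files\Bad Vendor\Sub Dir\badsvc.exe, Windows may try
    C:\Program.exe, C:\Program Files\Bad.exe and C:\Program Files\Bad Vendor\Sub.exe
    before the real binary, so the ACLs of C:\, C:\Program Files\ and
    C:\Program Files\Bad Vendor\ decide whether the service is exploitable.
    """
    dirs = []
    for i, ch in enumerate(exe):
        if ch == ' ':
            parent = exe[:i].rsplit('\\', 1)[0] + '\\'
            if parent not in dirs:
                dirs.append(parent)
    return dirs

def find_unquoted_services(text):
    """Apply the slide's filters and return (service, exe path, dirs to verify)."""
    findings = []
    for svc in parse_wmic_table(text):
        if svc["StartMode"].lower() != "auto":
            continue
        if svc["PathName"].lower().startswith("c:\\windows\\"):
            continue
        exe = unquoted_exe_path(svc["PathName"])
        if exe:
            findings.append((svc["Name"], exe, dirs_to_verify(exe)))
    return findings

if __name__ == "__main__":
    for name, exe, dirs in find_unquoted_services(SAMPLE_WMIC):
        print(f"{name}: unquoted path {exe}; verify ACLs on {', '.join(dirs)}")
```

The fix is to quote the ImagePath and to make sure none of the listed directories grants write or create-file rights to standard users; the default ACLs on C:\ and C:\Program Files are fine, vendor directories often are not.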
Slide 9: Insecure Permissions
- Registry permissions (Windows): installing a program likely creates registry entries; the ImagePath entry points to an executable; a normal user has permissions to edit the registry key
- Service permissions: edit the service directly
- Cron jobs / scripts run as root (Linux)
Slide 10: AlwaysInstallElevated
- Local Group Policy setting
- If enabled, essentially makes all users admins
- msfvenom with msi format
Slide 11: Service only on localhost?
- Services don't have to be externally listening
- netstat is crucial during internal recon:
    netstat -anlp
- Web servers, databases, etc.
- Don't forget about exploits like EternalBlue
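Added example (not part of the deck): a parser for Linux `netstat -anlp` output that lists the sockets bound only to a loopback address. These services never appear in an external port scan, so they are easy to miss in a patch inventory even though every local account can reach them. The netstat output, process names and ports are constructed, and the function names are mine.

```python
"""List services that listen only on loopback, from `netstat -anlp` output.

Added example, not from the slides. The netstat output below is constructed.
Loopback-only listeners never show up in an external port scan, so they are
easy to miss in patch inventories, yet any local account can reach them.
"""
LOOPBACK_PREFIXES = ("127.", "::1")

# Constructed Linux `netstat -anlp` output (the PID/Program column needs root).
SAMPLE_NETSTAT = """Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      812/mysqld
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      640/sshd
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      1201/java
tcp6       0      0 ::1:6379                :::*                    LISTEN      903/redis-server
tcp        0      0 10.0.0.5:22             10.0.0.9:51522          ESTABLISHED 640/sshd
udp        0      0 127.0.0.1:323           0.0.0.0:*                           388/chronyd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           410/dhclient
"""

def parse_sockets(text):
    """Yield one dict per socket line: proto, host, port, state, pid, program."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith(("tcp", "udp")):
            continue
        proto, local = fields[0], fields[3]
        host, port = local.rsplit(':', 1)        # works for IPv6 too: '::1:6379'
        if proto.startswith("tcp"):
            state = fields[5]                    # LISTEN / ESTABLISHED / ...
            owner = fields[6] if len(fields) > 6 else "-"
        else:
            state = ""                           # UDP lines have no State column
            owner = fields[5] if len(fields) > 5 else "-"
        pid, _, program = owner.partition('/')   # '-' when not running as root
        yield {"proto": proto, "host": host, "port": int(port), "state": state,
               "pid": pid if program else None, "program": program or owner}

def is_listening(sock):
    """A TCP socket in LISTEN, or any bound UDP socket."""
    return sock["state"] == "LISTEN" or sock["proto"].startswith("udp")

def loopback_listeners(text):
    """Return (port, program, proto) for listeners bound only to a loopback address."""
    return [
        (s["port"], s["program"], s["proto"])
        for s in parse_sockets(text)
        if is_listening(s) and s["host"].startswith(LOOPBACK_PREFIXES)
    ]

if __name__ == "__main__":
    for port, program, proto in loopback_listeners(SAMPLE_NETSTAT):
        print(f"{proto:5} {port:5} {program}  (local-only; include in patch inventory)")
```

Anything this reports should be treated like an exposed service: kept patched, configured with authentication, and ideally run under a dedicated low-privilege account, since a local-only listener running as root is exactly the "service running elevated" case from slide 5.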
Slide 12: DLL Hijacking/Sideloading
- Application loads a dynamic-link library without a fully qualified path
- Windows searches defined directories, in this order (https://docs.microsoft.com/en-us/windows/desktop/Dlls/dynamic-link-library-search-order):
    1. The directory from which the application loaded
    2. The system directory
    3. The 16-bit system directory
    4. The Windows directory
    5. The current directory
    6. The directories listed in the PATH environment variable
Slide 13: DLL Hijacking Process
- Look at processes
- Use procmon to determine which DLLs are loaded
- Look for "NAME NOT FOUND" results for .dll files
- Write our own DLL, name it, and place it in a higher-ranked directory
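Added example (not part of the deck), covering slides 12 and 13 together: it walks the search order listed on slide 12 for each DLL name a process requests, reports where the name resolves, and flags any directory a standard user can write to that Windows consults first. A DLL that is never found (procmon's NAME NOT FOUND) is the worst case, because every writable directory in the order becomes a candidate. The application directory, PATH entries, file layout and writable-directory results are constructed; on a real host they come from procmon, the process environment and ACL checks. Function names are mine.

```python
"""Resolve a DLL name through the search order the slide lists and flag
directories a standard user can write to that are searched before it.

Added example, not from the slides. It implements the default order (the one
printed on slide 12, i.e. SafeDllSearchMode enabled). The file layout, PATH
entries and writable directories below are constructed; on a real host they
would come from the process (procmon), the environment and ACL checks.
"""
import ntpath

def search_order(app_dir, system_dir, windows_dir, current_dir, path_dirs):
    """Directories in the order Windows searches them for an unqualified DLL name."""
    return [
        app_dir,                             # 1. directory the application loaded from
        system_dir,                          # 2. system directory (System32)
        ntpath.join(windows_dir, "System"),  # 3. 16-bit system directory
        windows_dir,                         # 4. Windows directory
        current_dir,                         # 5. current directory
        *path_dirs,                          # 6. PATH entries, in order
    ]

def resolve_dll(dll_name, order, existing_files):
    """Return (path found or None, directories searched before the hit)."""
    present = {f.lower() for f in existing_files}
    searched = []
    for directory in order:
        candidate = ntpath.join(directory, dll_name)
        if candidate.lower() in present:
            return candidate, searched
        searched.append(directory)
    return None, searched

def hijack_exposure(dll_name, order, existing_files, writable_dirs):
    """Writable directories Windows consults before it finds (or fails to find) the DLL."""
    resolved, searched = resolve_dll(dll_name, order, existing_files)
    writable = {d.lower().rstrip('\\') for d in writable_dirs}
    exposed = [d for d in searched if d.lower().rstrip('\\') in writable]
    return resolved, exposed

# Constructed host: a vendor app, one DLL in System32, one beside the app,
# and one the app asks for but that exists nowhere (procmon's NAME NOT FOUND).
APP_DIR = r"C:\Program Files\Vendor"
ORDER = search_order(APP_DIR, r"C:\Windows\System32", r"C:\Windows",
                     r"C:\Users\alice\Desktop", [r"C:\Windows\System32", r"C:\Tools"])
EXISTING = {
    r"C:\Program Files\Vendor\app.exe",
    r"C:\Program Files\Vendor\vendor.dll",
    r"C:\Windows\System32\helper.dll",
}
WRITABLE = {r"C:\Users\alice\Desktop", r"C:\Tools"}   # constructed ACL results

def audit(dll_names, order=ORDER, existing=EXISTING, writable=WRITABLE):
    """Map each DLL name the process requests to (resolved path, exposed directories)."""
    return {name: hijack_exposure(name, order, existing, writable) for name in dll_names}

if __name__ == "__main__":
    for name, (resolved, exposed) in audit(["vendor.dll", "helper.dll", "missing.dll"]).items():
        status = resolved or "NAME NOT FOUND"
        print(f"{name:12} -> {status}; writable dirs searched first: {exposed or 'none'}")
```

The remediations follow directly from the output: load DLLs by fully qualified path (or call SetDefaultDllDirectories), keep user-writable directories such as C:\Tools out of the system PATH, and remove optional-DLL lookups that can never succeed.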
Slide 14: Restricted Shell
- Some shells have limited access
- We need a better shell
- Creating our own better shell:
    python -c 'import pty; pty.spawn("/bin/bash")'
Slide 15: And more
- UAC bypass
- Built into some common tools
- Variations of permissions issues
- Escaping a restricted shell through other commands
- Finding things lying around on the file system: an SSH key for the root account in the user's account?
Slide 16: References
- https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
- https://rmusser.net/docs/Privilege%20Escalation%20&%20Post-Exploitation.html#linpriv