The Ultimate Privilege Escalation Reference - [Wiki]

Hi 0x00ers!

I have noticed that a lot of us have begun participating more regularly in HackTheBox challenges, and so, a lot of us are rooting boxes more frequently.

In the midst of this learning frenzy, I only thought it was right to make a Wiki for Privilege Escalation, for Linux, Windows and any other operating systems you can think of.

This should mimic something like Enumeration for Linux Privilege Escalation, and should not contain every single escalation exploit known to man, but more a list of methods and ways to enumerate for privesc. I am going to start down below with some basic things, and if you’re a member, you can edit this page and add your own methods!

Remember as a community we’re stronger than ever, and many hands make light work! So if you have something that you use frequently, throw it in! We are going to pin this topic so that everybody can keep an eye on it and work on this.

If this turns out to be a success, we will make other Wikis for things like reverse shells or command injection evasion techniques.

Wiki


Linux

(Sourced from Enumeration for Linux Privilege Escalation for initial information, thank you @g0jirasan!)

Get Your Bearings

First things first. Always get a good feel for the machine. It's always a good idea to figure out what version you're looking at:

cat /etc/issue

or

cat /etc/*-release

What is the kernel version? Are there known exploits for that version?

cat /proc/version
uname -a
rpm -q kernel

Where are you on the network? What connections are established?

ifconfig -a
netstat -antup
iptables -L
arp -e

Check for accidental passwords typed after unsuccessful sudo

cat ~/.bash_history | grep -A5 sudo

Check for open tmux sessions (possibly logged into root shells)

tmux ls

Find writable files / dirs outside of your home directory

find / -writable -type f -o -writable -type d 2>/dev/null | grep -Ev "^(/proc|/home/user|/tmp)"

Check home directories of other users for readable files:

find /home | grep -Ev "^/home/user"

Find files that were modified in the last 10min (useful to spot funky stuff going on)

find / -mmin -10 2>/dev/null | grep -Ev "^/proc"

  • Check mounts
  • Grab banners for local ports (using nc or other methods)
  • Read crontab job files and look for crappy backup scripts
  • Read service configuration (especially httpd)
  • Scroll over ps -ef output and check for passwords passed as command-line arguments

What is running?

There are numerous local privilege escalation exploits out there in the void. Are there any vulnerable applications or services running that have known exploits?

Which services are being run with root privileges?

ps -ef | grep root

or

ps aux | grep root
cat /etc/services

Any vulnerable applications?

ls -alh /usr/bin/
ls -alh /sbin/

Any files with SUID/SGID permissions?

find / \( -perm -g=s -o -perm -u=s \) -type f 2>/dev/null

or, for a faster search in “bin” directories

for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done

Uploading and running exploit code

If there is a local privilege escalation exploit available, how will you upload and execute the exploit code on your target?

What languages are supported on the machine?

find / -name 'language'

ex: find / -name 'python*'

Is GCC present?

find / -name gcc

How can you upload the exploit code? Use find to look for things like:

wget, nc, netcat, tftp, ftp, fetch etc.

If you’re over ssh, you can use scp.

Find out what programs are installed with:

for item in $(echo "nmap nc perl python ruby gcc wget sudo curl"); do which $item; done

Where can you write and execute files?

You will need to find a place to compile and execute your exploit code.

This will locate world-writable and world-executable folders:

find / -perm -o=w -perm -o=x -type d 2>/dev/null

Cracking password hashes

Can you view /etc/passwd and /etc/shadow ?

cat /etc/passwd
cat /etc/shadow

If you can, try to crack the hashes you find. You never know!

Limited Shell?

Give these a shot.

python -c 'import pty;pty.spawn("/bin/bash")'
python -c 'import os;os.system("/bin/bash")'
/usr/bin/script -qc /bin/bash /dev/null

The simplest things are often overlooked

If I am ever stuck getting root privileges, it's 9 times out of 10 because I am overthinking it. Sometimes the answer is so simple that it's easy to overlook. If you're getting stuck, think back to square one, move forward slowly and pay attention to the details. Here are some of the simple things that can be overlooked:

Is the account you are using a sudoer? If you have the password for the account, you may be able to use sudo. I have seen many people overlook this. Are there other users that are sudoers?

cat /etc/sudoers
sudo -l

Linux Enumeration Scripts

Windows Enumeration Scripts

Windows

Unquoted Service Paths:

Look for services that are being run as administrator by typing sc query in the command line. From there, you can look at an individual service's properties by typing sc qc SERVICENAME. Among the properties is the service's binary path. If that path is inside quotes you're out of luck (the vulnerability is in unquoted service paths). For example, if VulnService has C:/Program Files/Vuln/bin/Vuln.exe, you can create your own Vuln.exe and put it between C:/ and C:/Program Files/Vuln/, and it'll get executed with the privileges of that service instead of the intended Vuln.exe. This is because if there are quotation marks the service will only use the exact path specified, but otherwise Windows tries the shorter paths formed at each space, working its way down the path until it finds an executable.

// To be added - could somebody transfer some information from https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/ ?
// This is also a great resource to add information from! https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html

Windows Releases - Security Bulletin

  • WinServer 2016: Windows Kernel Mode Drivers (MS16-135)
  • WinServer 2008, 2012, 7, 8, 10: Secondary Logon Handle (MS16-032)
  • WinServer 2008, 7, Vista: WebDAV (MS16-016)
  • WinServer 2003, 2008, 2012, 7, 8: Windows Kernel Mode Drivers (MS15-051)
  • WinServer 2003, 2008, 2012, 7, 8: Win32k.sys (MS14-058)
  • WinServer 2003, 2008, 2012, 7, 8: AFD Driver (MS14-040)
  • WinServer 2003, XP: Windows Kernel (MS14-002)
  • WinServer 2003, 2008, 2012, 7, 8: Kernel Mode Driver (MS13-005)
  • WinServer 2008, 7: Task Scheduler (MS10-092)
  • WinServer 2003, 2008, 7, XP: KiTrap0D (MS10-015)
  • WinServer 2003, XP: NDProxy (MS14-002)
  • WinServer 2003, 2008, 2012, 7, 8: Kernel Driver (MS15-061)
  • WinServer 2003, XP: AFD.sys (MS11-080)
  • WinServer 2003, XP: NDISTAPI (MS11-062)
  • WinServer 2003, 2008, 2012, 7, 8: RPC (MS15-076)
  • WinServer 2003, 2008, 2012, 7, 8: Hot Potato (MS16-075)
  • WinServer 2003, 2008, 7, XP: Kernel Driver (MS15-010)
  • WinServer 2003, 2008, 7, XP: AFD.sys (MS11-046)

Windows - Unquoted Services

Find the paths:

C:\> wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """

Identify “Write”-Access:

C:\> icacls "C:\Program Files\Some Folder\"

Restart the service:

C:\> sc stop [service name]
C:\> sc start [service name]
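As an added check (not from the original post or the guide it quotes), the unquoted-path rule described above written out in Python: it flags a service whose PathName is unquoted and contains spaces, and lists the shorter paths Windows probes before reaching the real binary, which are exactly the directories whose ACLs you then review with icacls. The service names and paths are constructed samples.

```python
import re
from typing import Dict, List, Tuple

# Constructed samples of (service name, PathName) as sc qc / wmic report them.
SAMPLE_SERVICES: List[Tuple[str, str]] = [
    ("VulnService", r"C:\Program Files\Vuln\bin\Vuln.exe"),
    ("SafeService", r'"C:\Program Files\Safe\bin\Safe.exe" -svc'),
    ("NoSpaces", r"C:\Services\agent.exe"),
    ("ArgsToo", r"C:\Program Files\Common Files\Acme Tool\acme.exe /run now"),
]

def _binary_part(pathname: str) -> str:
    """Executable portion of PathName: everything up to the first .exe (arguments follow it)."""
    m = re.match(r"(?i)(.*?\.exe)", pathname)
    return m.group(1) if m else pathname

def is_unquoted_with_spaces(pathname: str) -> bool:
    """True when the service binary path is not quoted and contains a space."""
    p = pathname.strip()
    if p.startswith('"'):
        return False                      # quoted paths are resolved exactly
    return " " in _binary_part(p)

def lookup_candidates(pathname: str) -> List[str]:
    """Paths Windows probes, in order, before reaching the intended binary:
    the unquoted path is cut at every space, and .exe is appended when the
    truncated name has no extension. Empty list when the path is safe."""
    if not is_unquoted_with_spaces(pathname):
        return []
    parts = _binary_part(pathname.strip()).split(" ")
    candidates = []
    for i in range(1, len(parts) + 1):
        cand = " ".join(parts[:i])
        if not cand.lower().endswith(".exe"):
            cand += ".exe"
        candidates.append(cand)
    return candidates

def audit(services: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each misconfigured service to the probe paths whose parent
    directories need an ACL review (icacls) for write access."""
    return {name: lookup_candidates(path) for name, path in services
            if is_unquoted_with_spaces(path)}
```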

Unattended Installs

An Unattend.xml file is left on Windows machines after unattended installs if the system isn't cleaned properly afterwards. The file contains all the configuration settings used in the installation process, including local account credentials such as the Administrator's. Credentials can also be stored in two other files, sysprep.xml and sysprep.inf, either in plain text or encoded in Base64:

<UserAccounts>
    <LocalAccounts>
        <LocalAccount>
            <Password>
                <Value>dGhpc1Bhc3N3b3JkQWludFNhZmVQYXNzd29yZA==</Value>
                <PlainText>false</PlainText>
            </Password>
            <Description>Local Administrator</Description>
            <DisplayName>Administrator</DisplayName>
            <Group>Administrators</Group>
            <Name>Administrator</Name>
        </LocalAccount>
    </LocalAccounts>
</UserAccounts>

Before the password is encoded in Base64 the string “Password” is appended to it, so be sure to remove it after decoding the string. Where to find these files:

C:\Windows\Panther\
C:\Windows\Panther\Unattend\
C:\Windows\System32\
C:\Windows\System32\sysprep\
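An added example, not part of the original post: a small audit routine for the answer-file format described above. It pulls every LocalAccount password out of an Unattend.xml or sysprep.xml, undoes the Base64 encoding and strips the appended "Password" suffix. The sample XML is constructed around the Value quoted above; Windows Setup itself encodes the text as UTF-16LE, which the decoder also accepts.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed answer-file fragment; the Value is the one quoted above.
SAMPLE_UNATTEND = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
 <UserAccounts><LocalAccounts><LocalAccount>
  <Password>
   <Value>dGhpc1Bhc3N3b3JkQWludFNhZmVQYXNzd29yZA==</Value>
   <PlainText>false</PlainText>
  </Password>
  <Name>Administrator</Name>
 </LocalAccount></LocalAccounts></UserAccounts>
</unattend>"""

def decode_unattend_password(value: str, plaintext: bool) -> str:
    """Undo the answer-file encoding: Base64 of password + "Password".
    Windows Setup encodes the text as UTF-16LE; the page's example is
    plain ASCII, so both byte layouts are accepted before the suffix is cut."""
    if plaintext:
        return value
    raw = base64.b64decode(value)
    text = raw.decode("utf-16-le") if b"\x00" in raw else raw.decode("ascii")
    return text[: -len("Password")] if text.endswith("Password") else text

def _local(tag: str) -> str:
    """Drop the namespace so urn:schemas-microsoft-com:unattend tags match by name."""
    return tag.rsplit("}", 1)[-1]

def _child(elem, name):
    return next((c for c in elem if _local(c.tag) == name), None)

def find_local_account_passwords(xml_text: str) -> list:
    """[(account name, recovered password)] for every LocalAccount that
    still carries a <Password> in an Unattend.xml / sysprep.xml."""
    findings = []
    for acct in ET.fromstring(xml_text).iter():
        if _local(acct.tag) != "LocalAccount":
            continue
        pw = _child(acct, "Password")
        val = _child(pw, "Value") if pw is not None else None
        if val is None or not (val.text or "").strip():
            continue
        flag = _child(pw, "PlainText")
        plain = flag is not None and (flag.text or "").strip().lower() == "true"
        name = _child(acct, "Name")
        findings.append((name.text if name is not None else "?",
                         decode_unattend_password(val.text.strip(), plain)))
    return findings
```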

Group Policy Preferences (GPP) Files:

The SYSVOL folder on a Domain Controller contains a Groups.xml file with stored configuration policies for account management; some of these may contain passwords for Administrator accounts in encrypted form. GPP uses a static AES key that Microsoft has published, so decrypting these credentials is trivial. Example path as seen from a remote SMB share:

\\my_host\policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\machine\preferences\groups\groups.xml

And its content:

<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
     <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrator" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">
          <Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="Administrator"/>
     </User>
</Groups>

Now it’s time to decrypt the password found in the cpassword field:

gpp-decrypt <encrypted_string>

If you have a meterpreter session running on the machine you can automate the process with this module:

use post/windows/gather/credentials/gpp

Or use the Get-GPPPassword script from PowerSploit.
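Added example, not from the original post or PowerSploit: a scanner that finds leftover cpassword attributes in Group Policy Preferences XML so the entries can be removed from SYSVOL and the accounts rotated (Microsoft stopped GPP from writing new cpassword values with MS14-025, but existing entries stay until someone deletes them). It restores the Base64 padding that GPP strips and checks that the ciphertext is a whole number of AES blocks; it decrypts nothing. The sample Groups.xml is constructed from the fragment above, and the account-attribute names are the ones used across the preference types.

```python
import base64
import os
import xml.etree.ElementTree as ET

# Constructed Groups.xml built from the fragment above; the second user stores no password.
SAMPLE_GROUPS_XML = """<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrator" changed="2018-07-18 20:46:06">
    <Properties action="U" userName="Administrator"
      cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"/>
  </User>
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="svc_backup" changed="2018-07-18 20:46:06">
    <Properties action="U" userName="svc_backup" cpassword=""/>
  </User>
</Groups>"""

# The attribute naming the account differs per preference type (Groups, Services, ScheduledTasks, ...).
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")

def find_cpasswords(xml_text: str, source: str = "<memory>") -> list:
    """One finding per element carrying a non-empty cpassword attribute.
    GPP stores the AES-CBC ciphertext as Base64 with the '=' padding
    stripped, so padding is restored before the length is checked."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        cp = elem.get("cpassword")
        if not cp:
            continue
        ct_len = len(base64.b64decode(cp + "=" * (-len(cp) % 4)))
        account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "?")
        findings.append({"file": source, "account": account,
                         "ciphertext_bytes": ct_len,
                         "whole_aes_blocks": ct_len % 16 == 0})
    return findings

def scan_policies_tree(root_dir: str) -> list:
    """Walk an exported Policies/SYSVOL tree and collect findings from every XML file."""
    out = []
    for dirpath, _, files in os.walk(root_dir):
        for fn in files:
            if not fn.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, encoding="utf-8-sig") as fh:
                    out.extend(find_cpasswords(fh.read(), path))
            except (OSError, ET.ParseError):
                continue  # unreadable or malformed file: skip it
    return out
```

Point scan_policies_tree() at a copy of \\<dc>\SYSVOL\<domain>\Policies and remove or rotate every account it reports.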

28 Likes

Thank you very much, this is extremely comprehensive.

Checking the version of the running processes is very useful as well.

rpm -q <package>

apt-cache policy <package>

accesschk.exe for Windows is great:

accesschk.exe /accepteula -uwcqv "Authenticated Users" *
3 Likes

Sometimes you might have a system where wmic is not available to you.
In this case you can still look up services manually:

List all services:

sc query

Look up a specific service:

sc qc SERVICE_NAME

This will show you the details of a service and also the binary path where you can check if it is unquoted or not.

6 Likes

This topic was automatically closed after 30 days. New replies are no longer allowed.