Hi 0x00ers!
I have noticed that a lot of us have begun participating more regularly in HackTheBox challenges, and so, a lot of us are rooting boxes more frequently.
In the midst of this learning frenzy, I only thought it was right to make a Wiki for Privilege Escalation, for Linux, Windows and any other operating systems you can think of.
This should mimic something like Enumeration for Linux Privilege Escalation, and should not contain every single escalation exploit known to man, but more a list of methods and ways to enumerate for privesc. I am going to start down below with some basic things, and if you’re a member, you can edit this page and add your own methods!
Remember as a community we’re stronger than ever, and many hands make light work! So if you have something that you use frequently, throw it in! We are going to pin this topic so that everybody can keep an eye on it and work on this.
If this turns out to be a success, we will make other Wikis for things like reverse shells or command injection evasion techniques.
Wiki
Linux
(Sourced from Enumeration for Linux Privilege Escalation for initial information, thank you @g0jirasan!)
Get Your Bearings
First things first. Always get a good feel for the machine. It's always a good idea to figure out what version you're looking at:
cat /etc/issue
or
cat /etc/*-release
What is the kernel version? Are there known exploits for that version?
cat /proc/version
uname -a
rpm -q kernel
Where are you on the network? What connections are established?
ifconfig -a
netstat -antup
iptables -L
arp -e
Check for accidental passwords typed after unsuccessful sudo
cat ~/.bash_history | grep -A5 sudo
Check for open tmux sessions (possibly logged into root shells)
tmux ls
Find writable files / dirs outside of your home directory
find / -writable -type f -o -writable -type d 2>/dev/null | grep -Ev "^(/proc|/home/user|/tmp)"
Check home directories of other users for readable files:
find /home | grep -Ev "^/home/user"
Find files that were modified in the last 10min (useful to spot funky stuff going on)
find / -mmin -10 2>/dev/null | grep -Ev "^/proc"
- Check mounts
- Grab banners for local ports (using nc or other methods)
- Read crontab job files and look for crappy backup scripts
- Read service configuration (especially httpd)
- Scroll over ps -ef output and check for passwords passed as command-line arguments
What is running?
There are numerous local privilege escalation exploits out there in the void. Are there any vulnerable applications or services running that have known exploits?
Which services are being run with root privileges?
ps -ef | grep root
or
ps aux | grep root
cat /etc/services
Any vulnerable applications?
ls -alh /usr/bin/
ls -alh /sbin/
Any files with SUID/SGID permissions?
find / -perm -g=s -o -perm -u=s -type f 2>/dev/null
or, for a faster search in “bin” directories
for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done
Uploading and running exploit code
If there is a local privilege escalation exploit available, how will you upload and execute the exploit code on your target?
What languages are supported on the machine?
find / -name 'language'
ex: find / -name 'python*'
Is GCC present?
find / -name gcc
How can you upload the exploit code? Use find to look for things like: wget, nc, netcat, tftp, ftp, fetch etc.
If you're over ssh, you can use scp.
Find out what programs are installed with:
for item in $(echo "nmap nc perl python ruby gcc wget sudo curl"); do which $item; done
Where can you write and execute files?
You will need to find a place to compile and execute your exploit code.
This will locate world writable and world executable folders:
find / \( -perm -o=w -perm -o=x \) -type d 2>/dev/null
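The SUID/SGID search and the world-writable directory search above both produce long lists on a real host; what matters to an administrator is what is new. The script below is an added example (not part of the wiki or of any tool it lists) that walks a tree, runs the same two permission tests as the find commands, and reports only SUID/SGID files missing from a known-good baseline and world-writable+executable directories that lack the sticky bit. The baseline set, the function names and the sample tree built in demo() are all constructed for the example.

```python
"""Audit helper for the permission checks above (SUID/SGID binaries and
world-writable, world-executable directories): compare what is on disk with
a known-good baseline and report only the surprises. Added example, not
from the wiki; the baseline and the sample tree are constructed."""
import os
import shutil
import stat
import tempfile
from typing import Dict, Iterable, Iterator, List, Set, Tuple

# Pseudo-filesystems that only add noise (the wiki greps out /proc too).
SKIP_DIRS = ("/proc", "/sys", "/dev")


def walk_modes(root: str) -> Iterator[Tuple[str, int]]:
    """Yield (path, st_mode) for everything under root without following
    symlinks, pruning the pseudo-filesystems listed in SKIP_DIRS."""
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath in SKIP_DIRS:
            dirnames[:] = []  # do not descend any further
            continue
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                yield path, os.lstat(path).st_mode
            except OSError:
                continue


def classify(path: str, mode: int, baseline: Set[str]) -> List[str]:
    """Pure function: audit findings for one (path, mode) pair."""
    findings: List[str] = []
    if stat.S_ISREG(mode):
        # Same test as 'find / -perm -u=s -o -perm -g=s -type f', but only
        # files that are not in the baseline are reported.
        if mode & stat.S_ISUID and path not in baseline:
            findings.append("unexpected-suid")
        if mode & stat.S_ISGID and path not in baseline:
            findings.append("unexpected-sgid")
    elif stat.S_ISDIR(mode):
        # Same test as 'find / -perm -o=w -perm -o=x -type d', minus
        # sticky-bit directories such as /tmp, which are expected.
        world_wx = (mode & stat.S_IWOTH) and (mode & stat.S_IXOTH)
        if world_wx and not mode & stat.S_ISVTX:
            findings.append("world-writable-dir")
    return findings


def audit(entries: Iterable[Tuple[str, int]], baseline: Set[str]) -> Dict[str, List[str]]:
    """Run classify over (path, mode) pairs and keep only the hits."""
    report: Dict[str, List[str]] = {}
    for path, mode in entries:
        hits = classify(path, mode, baseline)
        if hits:
            report[path] = hits
    return report


def demo() -> Dict[str, List[str]]:
    """Build a constructed tree in a temp dir, audit it, and return the
    findings keyed by path relative to that tree."""
    root = tempfile.mkdtemp(prefix="privesc-audit-")
    try:
        os.makedirs(os.path.join(root, "bin"))
        for name in ("passwd", "evil"):
            p = os.path.join(root, "bin", name)
            with open(p, "w"):
                pass
            os.chmod(p, 0o4755)  # setuid binary (constructed)
        os.makedirs(os.path.join(root, "drop"))
        os.chmod(os.path.join(root, "drop"), 0o777)  # world-writable, no sticky bit
        os.makedirs(os.path.join(root, "scratch"))
        os.chmod(os.path.join(root, "scratch"), 0o1777)  # /tmp-style, acceptable
        baseline = {os.path.join(root, "bin", "passwd")}  # constructed baseline
        report = audit(walk_modes(root), baseline)
        return {os.path.relpath(p, root): h for p, h in report.items()}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        print(path, ", ".join(hits))
```

Run it against "/" with a baseline captured from a freshly installed image of the same distribution, and every line it prints is either a package you forgot to baseline or something that deserves a closer look.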
Cracking password hashes
Can you view /etc/passwd and /etc/shadow?
cat /etc/passwd
cat /etc/shadow
If you can, try to crack the hashes you find. You never know!
Limited Shell?
Give these a shot.
python -c 'import pty; pty.spawn("/bin/bash")'
python -c "import os; os.system('/bin/bash')"
/usr/bin/script -qc /bin/bash /dev/null
The simplest things are often overlooked
If I am ever stuck getting root privileges, it's 9 times out of 10 because I am overthinking it. Sometimes the answer is so simple that it's easy to overlook it. If you're getting stuck, think back to square one and move forward slowly and pay attention to the details. Here are some of the simple things that can be overlooked:
Is the account you are using a sudoer? If you have the password for the account, you may be able to use sudo. I have seen many people overlook this. Are there other users that are sudoers?
cat /etc/sudoers
sudo -l
Linux Enumeration Scripts
- Unix-Privesc-Check - Main Page - Direct Download
- LinEnum.sh - Main Page - Direct Download
- linux-exploit-suggester-2.pl - https://github.com/jondonas/linux-exploit-suggester-2
- linux-soft-exploit-suggester.py - https://github.com/belane/linux-soft-exploit-suggester
Windows Enumeration Scripts
- windows-exploit-suggester.py - https://github.com/GDSSecurity/Windows-Exploit-Suggester
- PowerUp - http://www.powershellempire.com/?page_id=378
Windows
Unquoted Service Paths:
Look for services that are being run as administrator by typing sc query in the command line. From there, you can look at their individual properties by typing sc qc SERVICENAME. Check out their properties; they should have something called a service path. If that path is inside quotes you're out of luck (hence the vulnerability is unquoted service paths). For example, if VulnService has C:\Program Files\Vuln\bin\Vuln.exe, you can create your own Vuln.exe and put it between C:\ and C:\Program Files\Vuln\, and it'll get executed with the privileges of that service instead of the intended Vuln.exe. This is because if there are quotation marks the service will only use the exact path specified, but otherwise it will search each directory for the executable as it works its way down.
// To be added - could somebody transfer some information from https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/ ?
//This is also a great resource to add information from! https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html
Windows Releases - Security Bulletin
- WinServer 2016 - Windows Kernel Mode Drivers - MS16-135
- WinServer 2008, 2012, 7, 8, 10 - Secondary Logon Handle - MS16-032
- WinServer 2008, 7, Vista - WebDAV - MS16-016
- WinServer 2003, 2008, 2012, 7, 8 - Windows Kernel Mode Drivers - MS15-051
- WinServer 2003, 2008, 2012, 7, 8 - Win32k.sys - MS14-058
- WinServer 2003, 2008, 2012, 7, 8 - AFD Driver - MS14-040
- WinServer 2003, XP - Windows Kernel - MS14-002
- WinServer 2003, 2008, 2012, 7, 8 - Kernel Mode Driver - MS13-005
- WinServer 2008, 7 - Task Scheduler - MS10-092
- WinServer 2003, 2008, 7, XP - KiTrap0D - MS10-015
- WinServer 2003, XP - NDProxy - MS14-002
- WinServer 2003, 2008, 2012, 7, 8 - Kernel Driver - MS15-061
- WinServer 2003, XP - AFD.sys - MS11-080
- WinServer 2003, XP - NDISTAPI - MS11-062
- WinServer 2003, 2008, 2012, 7, 8 - RPC - MS15-076
- WinServer 2003, 2008, 2012, 7, 8 - Hot Potato - MS16-075
- WinServer 2003, 2008, 7, XP - Kernel Driver - MS15-010
- WinServer 2003, 2008, 7, XP - AFD.sys - MS11-046
Windows - Unquoted Services
Find the paths:
C:\> wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """
Identify “Write”-Access:
C:\> icacls "C:\Program Files\Some Folder\"
Restart the service:
C:\> sc stop [service name]
C:\> sc start [service name]
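The wmic | findstr pipeline above works, but on a host with many services it is easier to audit from a saved copy of the output. The script below is an added example, not from the wiki or any of the tools it links, that parses the output of wmic service get name,displayname,pathname,startmode, applies the same three filters (auto-start, outside the Windows directory, no quotes) and lists the directories along each flagged path so you know exactly where to run icacls. The sample output, the service names in it and all function names are constructed for this example. The hardening step once a service is flagged is simply to quote its path in the service configuration and make sure none of the listed directories is writable by non-administrators.

```python
"""Audit helper for the unquoted-service-path check above: parse the output
of 'wmic service get name,displayname,pathname,startmode' and report the
auto-start services whose binary path is unquoted and contains a space.
Added example, not from the wiki; the sample output below is constructed."""
import re
from typing import Dict, List

# Constructed wmic output. Real wmic prints columns in alphabetical order,
# separated by two or more spaces, which is what the parser relies on.
SAMPLE_WMIC = r"""
DisplayName         Name       PathName                                      StartMode
Vuln Service        VulnSvc    C:\Program Files\Vuln\bin\Vuln.exe            Auto
Safe Service        SafeSvc    "C:\Program Files\Safe\safe.exe" -k run       Auto
Windows Update      wuauserv   C:\Windows\system32\svchost.exe -k netsvcs    Auto
Manual Thing        ManSvc     C:\Program Files\Man Thing\m.exe              Manual
"""

EXE_RE = re.compile(r"^(.*?\.exe)", re.IGNORECASE)


def parse_wmic(text: str) -> List[Dict[str, str]]:
    """Turn the tabular wmic output into a list of {column: value} dicts."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    columns = re.split(r"\s{2,}", lines[0])
    rows = []
    for line in lines[1:]:
        values = re.split(r"\s{2,}", line)
        rows.append(dict(zip(columns, values)))
    return rows


def binary_path(pathname: str) -> str:
    """Extract the executable part of a PathName, dropping any arguments.
    A quoted path is returned with its quotes so callers can see them."""
    pathname = pathname.strip()
    if pathname.startswith('"'):
        end = pathname.find('"', 1)
        return pathname[: end + 1] if end != -1 else pathname
    m = EXE_RE.match(pathname)
    return m.group(1) if m else pathname.split(" ")[0]


def is_unquoted_with_spaces(pathname: str) -> bool:
    """True when the binary path is not wrapped in quotes and contains a
    space, i.e. Windows may try a truncated path before the intended exe."""
    exe = binary_path(pathname)
    return not exe.startswith('"') and " " in exe


def directories_to_check(pathname: str) -> List[str]:
    """Every directory along the binary path; these are the places whose
    ACLs should be reviewed with icacls (no write access for non-admins)."""
    exe = binary_path(pathname).strip('"')
    parts = exe.split("\\")
    return ["\\".join(parts[:i]) + "\\" for i in range(1, len(parts))]


def find_unquoted_services(wmic_text: str) -> List[Dict[str, str]]:
    """Apply the same filters as the wmic | findstr pipeline above:
    auto-start, outside the Windows directory, unquoted path with a space."""
    hits = []
    for row in parse_wmic(wmic_text):
        path = row.get("PathName", "")
        if row.get("StartMode", "").lower() != "auto":
            continue
        if path.lower().startswith("c:\\windows\\"):
            continue
        if is_unquoted_with_spaces(path):
            hits.append(row)
    return hits


if __name__ == "__main__":
    for svc in find_unquoted_services(SAMPLE_WMIC):
        print(svc["Name"], "->", svc["PathName"])
        for d in directories_to_check(svc["PathName"]):
            print("   check ACL on", d)
```

Feed it the real output (wmic service get name,displayname,pathname,startmode > services.txt) and it produces the short list of services and folders that need fixing rather than the full service table.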
Unattended Installs
An Unattend.xml file is left on Windows machines after unattended installs if the system isn't cleaned properly after the procedure. The file contains all the configuration settings set in the installation process, including local account credentials such as the Administrator's. Credentials can also be stored in two other files, sysprep.xml and sysprep.inf, and will be either in plain text or encoded in Base64:
<UserAccounts>
  <LocalAccounts>
    <LocalAccount>
      <Password>
        <Value>dGhpc1Bhc3N3b3JkQWludFNhZmVQYXNzd29yZA==</Value>
        <PlainText>false</PlainText>
      </Password>
      <Description>Local Administrator</Description>
      <DisplayName>Administrator</DisplayName>
      <Group>Administrators</Group>
      <Name>Administrator</Name>
    </LocalAccount>
  </LocalAccounts>
</UserAccounts>
Before the password is encoded in Base64 the string “Password” is appended to it, so be sure to remove it after decoding the string. Where to find these files:
C:\Windows\Panther\
C:\Windows\Panther\Unattend\
C:\Windows\System32\
C:\Windows\System32\sysprep\
Group Policy Preferences (GPP) Files:
The SYSVOL folder on a Domain Controller can contain a Groups.xml file with stored configuration policies for account management; some of these may contain passwords for Administrator accounts in encrypted form. GPP uses a static, publicly documented key for encryption, so decrypting these credentials is trivial. Example path as seen from a remote SMB share:
\\my_host\policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\machine\preferences\groups\groups.xml
And its content:
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
<User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrator" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">
<Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="Administrator"/>
</User>
</Groups>
Now it’s time to decrypt the password found in the cpassword field:
gpp-decrypt <encrypted_string>
If you have a meterpreter session running on the machine you can automate the process with this module:
use post/windows/gather/credentials/gpp
Or use the Get-GPPPassword script from PowerSploit.
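Both of the file types above (the Unattend.xml / sysprep answer files and the GPP Groups.xml) are things an administrator should be sweeping for on their own systems, since leaving them behind is the whole problem. The script below is an added example, not from the wiki, PowerSploit or Metasploit, that parses both formats with the standard library: for answer files it finds every stored password block, applies the Base64-plus-"Password"-suffix rule described above, and names the account; for Groups.xml it only reports which entries carry a cpassword value (decryption is left to gpp-decrypt or Get-GPPPassword as the wiki says). The two XML samples are the ones shown above, embedded here as input; the function names are mine, and the UTF-16 handling and the AdministratorPassword/AutoLogon cases go slightly beyond the wiki's LocalAccount sample.

```python
"""Audit helper for leftover answer files and GPP preference files:
report which accounts still have credentials embedded, so the files can be
purged and the credentials rotated. Added example, not from the wiki; the
two XML samples are the ones shown on the page, embedded here as input."""
import base64
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

UNATTEND_SAMPLE = """<UserAccounts>
  <LocalAccounts>
    <LocalAccount>
      <Password>
        <Value>dGhpc1Bhc3N3b3JkQWludFNhZmVQYXNzd29yZA==</Value>
        <PlainText>false</PlainText>
      </Password>
      <Description>Local Administrator</Description>
      <DisplayName>Administrator</DisplayName>
      <Group>Administrators</Group>
      <Name>Administrator</Name>
    </LocalAccount>
  </LocalAccounts>
</UserAccounts>"""

GPP_SAMPLE = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrator" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">
    <Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="Administrator"/>
  </User>
</Groups>"""


def _local(tag: str) -> str:
    """Strip an XML namespace prefix; real Unattend.xml files are namespaced."""
    return tag.rsplit("}", 1)[-1]


def _child_text(el: ET.Element, name: str) -> Optional[str]:
    for child in el:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def _parse(xml_text: str) -> ET.Element:
    # Encode first so an XML declaration carrying an encoding is honoured.
    return ET.fromstring(xml_text.encode("utf-8"))


def decode_unattend_password(value: str, plaintext: bool) -> str:
    """Recover the stored password. With <PlainText>false</PlainText> the
    value is Base64 of the password with the literal string 'Password'
    appended (as the wiki notes), so that suffix is stripped here."""
    if plaintext:
        return value
    raw = base64.b64decode(value)
    # Files written by Windows tooling may hold the UTF-16LE form rather than
    # the ASCII form used in the wiki's sample; accept both (assumption).
    text = raw.decode("utf-16-le") if b"\x00" in raw else raw.decode("utf-8")
    return text[: -len("Password")] if text.endswith("Password") else text


def scan_unattend(xml_text: str) -> List[Dict[str, object]]:
    """Find every <Password> or <AdministratorPassword> block with a <Value>
    and report the account it belongs to."""
    root = _parse(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings: List[Dict[str, object]] = []
    for el in root.iter():
        if _local(el.tag) not in ("Password", "AdministratorPassword"):
            continue
        value = _child_text(el, "Value")
        if not value:
            continue
        plaintext = (_child_text(el, "PlainText") or "true").lower() == "true"
        parent = parent_of.get(el)
        account = "?"
        if parent is not None:  # LocalAccount has <Name>, AutoLogon has <Username>
            account = _child_text(parent, "Name") or _child_text(parent, "Username") or account
        if account == "?" and _local(el.tag) == "AdministratorPassword":
            account = "Administrator"
        findings.append({"account": account, "plaintext": plaintext,
                         "password": decode_unattend_password(value, plaintext)})
    return findings


def scan_gpp(xml_text: str) -> List[Dict[str, str]]:
    """Report every element carrying a non-empty cpassword attribute. The
    value is not decrypted here; finding one at all is the signal to remove
    the preference and rotate the account it names."""
    root = _parse(xml_text)
    findings = []
    for el in root.iter():
        cp = el.get("cpassword")
        if cp:
            findings.append({"user": el.get("userName", "?"), "cpassword": cp})
    return findings


if __name__ == "__main__":
    for f in scan_unattend(UNATTEND_SAMPLE):
        print("Unattend.xml: account %s, plaintext=%s" % (f["account"], f["plaintext"]))
    for f in scan_gpp(GPP_SAMPLE):
        print("Groups.xml: user %s has a cpassword set" % f["user"])
```

Point scan_unattend at the four directories listed above and scan_gpp at the Policies tree in SYSVOL; any hit means the answer file should be deleted (or the preference removed) and the named account's password changed, since the value in the file is already as good as public.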