While the web vulnerabilities are typically always the same, when it comes to privilege escalation, it’s hard to make a complete list of all the possible ways in which one can elevate its privileges. It all depends on the specific configuration of the remote machine. Having said that, there are still common attacks that deserve to be studied. Some (not all) of these tehcniques are listed below:
PATH exploitation
()
()
wildcard expansion
As we have seen, there are tools that help us in this process:
Privesc vulnerabilities can be identified automatically using the tool.
The below labs will focus on manual Linux Privilege Escalation techniques, instead
Linux file Permissions are important
🔬 Check
The following command will look for files (and not symlinks etc) which is world writable.
if we don't find nothing of anomaly, we can try to find misconfigured sudo. Check the current sudo capabilities.
The man entry depicts that the man command can be run using sudo without providing any password. Run it and launch /bin/bash from it.
After this, escalated to root user is successful.
if file /etc/shadow is world writable, we can read its contents.
If root password isn't set. We can adding a known password in shadow file, one can escalate to root. Use openssl to generate a password entry.
It's another automatic tool to do identify vulnerabilities in Linux.
❗ Persistence techniques and methods usually require administrative access and must follow the rules of engagement agree with the customer.
Persistence Techniques - MITRE ATT&CK
Linux Server SSH service is typically enabled and an attacker can take advantage of it.
If password login is disabled and key-based authentication is enabled, the attacker can copy a user's SSH private key and use it for future access.
Linux Cron is a service that repeatedly runs Cron jobs that can be used for command execution at a fixed interval and ensure persistent access to the target system.
📝 Check the already covered Credential Dumping theory here:
After the dumping process, hashes can be cracked using:
The best thing to do in privilege escalation optical is migration of lsass process, because at difference between explorer.exe, it permits to upgrade sessions at 64 bit and access to lsass process cache.
After migration to lsass process, we can use utility as hashdump.
It will display a dump list of accounts and their hashes (usually NTLM hashes).
Of course, we can store it a file hashes.txt.
We can also load kiwi module, that's a module implementation of Mimikats for Meterpreter.
Now, using tools how John The Ripper, we can crack NTLM Hashes.
In alternative we can use hashcat.
When we gaining credentials, we can use psex python script, msf module or RDP (default port 3389) by xfreerdp.
It's a very good method to access and maintaining legitimate persistence.
🗒️ Pivoting is a post exploitation technique of using a compromised host, a foothold / plant, to attack other systems on its private internal network.
Once gained access to the first target host, a forwarded port can be used to exploit other hosts on a private network unreachable from the attacker machine.
🗒️ Port Forwarding consists of rerouting/redirecting traffic from a target system's particular port to an attacker system's specific port.
The service will be remotely available to the attacker system
According to the rules of engagement, the pentester may be required to clear any changes that have been made to the target systems as a result of the exploitation and post-exploitation stages.A good practice is to store all artifacts payloads, scripts and binaries in these folders:
Windows - C:\Temp
Linux - /tmp
Metasploit Framework generates and stores a lot of artifacts on the target. Some modules provides removal resource scripts.
Delete the Windows Event Log can be a good post-exploitation clearing technique.
❗ Avoid it during a regular Penetration Test, because data inside the Win Event Log is important to the customer.
Metasploit e.g.cd C:\\mkdir Tempcd Temp# Upload exploit into this C:\Temp directory
Use the Cleanup RC File
# Cleanup Meterpreter RC File:cat /root/.msf4/logs/persistence/ATTACKDEFENSE_20230429.0454/ATTACKDEFENSE_20230429.0454.rcbackgroundsessions 1resource /root/.msf4/logs/persistence/ATTACKDEFENSE_20230429.1019/ATTACKDEFENSE_20230429.1019.rc# Clear Windows Event Log from the Meterpreter session# An attacker could potentially do thisclearev
cd /tmp# Upload exploit into this /tmp directory
bash history logs the activity and the used commands
To clear the bash history
history -c
~/.bash_history file content can be deleted too
cat /dev/null > ~/.bash_history
When using Metasploit Framework exploits, proceed manually to clear artifacts from the /tmp directory or other used directories.
LinPEAS is a script that search for possible paths to escalate privileges on Linux/Unix*/MacOS hosts. The checks are explained on
In addition to the last tool, help us to suggest potential exploits.
Of course we need to launch it on victim machine downloading it or transferring there (E.g. using a python )
🔬 Check the
-
-
🔬 Check the
🔬 Check the
