Privilege Escalation
boot -> root
Windows
The use of SysInternals is recommended but not necessary. It can be very useful when doing pentests but not so very for very obvious reasons. A simple signature check on the file and any AV/IDS will start flip floppin. https://docs.microsoft.com/en-us/sysinternals/ https://github.com/Sysinternals/sysinternals
PowerShell
Download file
AutoRun
Search for autoruns and check if you have WRITE permissions on it. If you do have WRITE, simply replace it with your payload. Of course, if the software is somewhat "important", the user could then notice that something is not quite right.
AlwaysInstallElevated
Windows OS comes installed with a Windows Installer engine which is used by MSI packages for the installation of applications. These MSI packages can be installed with elevated privileges for non-admin users
Check if AlwaysInstallElevated registry key value 1. If so, simply craft a malicious .MSI package containing your payload and literally install it on the machine
You can now copy the payload onto the victim's pc and run it.
Registry
With PowerShell check for registry services
The following is a simple C service for windows. You can tweak it a bit to get desired results. Then you can compile it with x86_64-w64-mingw32-gcc or any appropriate compiler for the current situation.
You can now add the new service path to the registry
Executable files
Check if executable has weak or misconfigured permissions. If you have FILE ALL ACCESS, you can copy your payload over the service/executable and execute it.
Startup
In a command prompt, check for startup applications. Check if BUILTIN/Users or any compromised user with (F) which means FULL permissions. If such thing occur, you can, again, overwrite said startup executable for your own payload and wait for admin (or any other user) to login.
DLL Hijack
If SafeDllSearchMode is enabled, the search order is as follows:
The directory from which the application loaded.
The system directory. Use the GetSystemDirectory function to get the path of this directory.
The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched.
The Windows directory. Use the GetWindowsDirectory function to get the path of this directory.
The current directory.
The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the App Paths registry key. The App Paths key is not used when computing the DLL search path.
If SafeDllSearchMode is disabled, the search order is as follows:
The directory from which the application loaded.
The current directory.
The system directory. Use the GetSystemDirectory function to get the path of this directory.
The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched.
The Windows directory. Use the GetWindowsDirectory function to get the path of this directory.
The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the App Paths registry key. The App Paths key is not used when computing the DLL search path.
DLL replacement: replace a legitimate DLL with an evil DLL.
DLL PROXYING: Keep original DLL functionalities. https://kevinalmansa.github.io/application%20security/DLL-Proxying/
DLL search order hijacking: Hijacking the search order takes place by putting the evil DLL in a location that is searched in before the actual DLL.
Phantom DLL hijacking: drop an evil DLL in place of a missing/non-existing DLL
DLL redirection: change the location in which the DLL is searched for, e.g. by editing the
%PATH%
environment variable, or.exe.manifest
/.exe.local
files to include the folder containing the evil DLL.WinSxS DLL replacement: replace the legitimate DLL with the evil DLL in the relevant WinSxS folder of the targeted DLL. Often referred to as DLL side-loading.
Relative path DLL Hijacking: copy (and optionally rename) the legitimate application to a user-writeable folder, alongside the evil DLL. In the way this is used, it has similarities with (Signed) Binary Proxy Execution. A variation of this is ‘bring your own LOLBIN in which the legitimate application is brought with the evil DLL (rather than copied from the legitimate location on the victim’s machine).
Find missing DLLs
Custom Dlls
BinPath
If you see SERVICE_CHANGE_CONFIG, you can exploit this like so
Unquoted Path
A classic if you ask me. If the path to an executable is not inside quotes, Windows will try to execute every ending before a space. E.g: C:\Program Files\Some Folder\Service.exe Windows will try:
Craft a payload with msfvenom for POC
Now copy this payload into the unquoted path, E.G:
Imagine the vulnerable service path as follow:
C:\Program Files\Some Folder\Service.exe You could copy your malicious payload here: C:\Program Files\Service.exe
Password Mining
C:\Windows\Panther\Unattend.xml
HTTP_BASIC Memory
On victim's machine browse to http://your_ip]/x and dump iexplore.exe memory using taskmgr or any appropriate tool. Copy said dump to your box and run strings against the memory dump. You should be able to grep/find the Authorization: Basic header holding the base64 encoded password.
Potatoes
Hot potato
KERNEL
One quick and dirty way to find common vulnerabilities in the kernel is obtain a meterpreter shell and call the post exploitation module local_exploit_suggester.
Linux
Gimme the root !
Sudo group - PKEXEC
If the user you are impersonating is a member of the Sudo group, pkexec allows an authorized user to execute commands as another user. Therefore, we could usepkexec /bin/bash
to spawn a shell as root. However, there is known issue that “pkexec fails in a non-graphical environment. To solve this, we needed to create two SSH connections as the user you have access to
The process:
Opened two SSH connections as user Alice
On the first SSH session:
On the second session (replace {pid} with output of earlier command)
On the first session:
On the second session, entered the password for Alice
Any sudo?
check if you're allowed to execute some stuff as sudo
Find user's files
CVE-2021-3156 - Sudo HEAP Overflow
Check if the box is vulnerable by running:
If vulnerable, console will show:
https://github.com/TurboWindX/CVE-2021-3156
https://blog.qualys.com/vulnerabilities-threat-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit https://github.com/lockedbyte/CVE-Exploits/tree/master/CVE-2021-3156
SUID
If a script on the machine has the SUID bit set, it might be possible to exploit it.
Crontab
Check for any misconfigured scripts
Environment variables
If a script is using another binaries (like cp in example below) and it doesn't specify the FULL path, you might be able to hijack this by creating your own binary and exporting the PATH yourself.
Let say you find this script which creates a backup of certain files on the system.
You could exploit it by creating your own version of cp. Which of course will be a shell running as root.
Linux Capabilities
CAP_CHOWN
Lets suppose the python
binary has this capability, you can change the owner of the shadow file, change root password, and escalate privileges:
Or with the ruby
binary having this capability:
Last updated