Editing Privilege Escalation

= Privilege Escalation =

Privilege escalation is the process of gaining higher-level permissions or access within a system after an initial foothold has been established.  
It plays a critical role in post-exploitation, allowing an attacker to move from a limited user account to administrative or root-level access — often enabling lateral movement, persistence, or full system compromise.

Privilege escalation is typically divided into two categories: *vertical escalation* (gaining higher privileges) and *horizontal escalation* (gaining access to resources or accounts of equal privilege).

== Vertical Privilege Escalation ==

Vertical escalation involves moving from a low-privileged account (e.g., www-data, local user) to a higher-privileged one (e.g., Administrator, SYSTEM, or root).

=== Common Techniques ===
* Exploiting kernel or driver vulnerabilities
* Abusing misconfigured SUID/SGID binaries (Linux)
* Misusing weak or world-writable service files
* Leveraging unquoted service paths (Windows)
* DLL hijacking or service misconfiguration
* Stealing credentials from memory or config files
* Abusing scheduled tasks or cron jobs
* Exploiting insecure file permissions or ownership
* Leveraging token impersonation or privilege tokens (Windows)
* Dumping and cracking password hashes

=== Tools ===
* [[linPEAS]] (automated privilege escalation enumeration on Linux)
* [[winPEAS]] (automated privilege escalation enumeration on Windows)
* [[Seatbelt]] (Windows enumeration tool focused on privilege escalation)
* [[PowerUp]] (PowerShell tool for Windows privilege escalation)
* [[Watson]] (detects privilege escalation vectors on Windows)
* [[BeRoot]] (privilege escalation auditor for Linux, MacOS, and Windows)
* [[Linux Exploit Suggester]] (suggests kernel exploits)
* [[Windows Exploit Suggester]] (suggests local exploits for Windows)
* [[g0tmi1k's privesc checklist]] (manual enumeration and exploitation list)

== Horizontal Privilege Escalation ==

Horizontal escalation involves accessing other accounts, sessions, or resources at the same privilege level, typically through impersonation, session hijacking, or misconfigured file access.

=== Common Techniques ===
* Reading other users’ sensitive files due to improper permissions
* Accessing SSH keys, config files, or tokens
* Hijacking user sessions (e.g., TTY snooping or credential reuse)
* Exploiting insecure file-sharing configurations (e.g., SMB shares)
* Abuse of API tokens or database credentials found in cleartext

=== Tools ===
* [[pspy]] (monitors Linux processes to detect privilege-related activity)
* [[ls -la /home/]] (manual check for exposed user data)
* [[ssh-agent hijacking scripts]]
* [[procmon]] (process monitor for live file and registry activity on Windows)
* [[mimikatz]] (extracts passwords, hashes, and tokens from memory)

== Enumeration Checklists ==

=== Linux ===
* SUID/SGID binaries: `find / -perm -4000 2>/dev/null`
* Kernel version: `uname -a`
* Environment variables: `env`
* Running processes: `ps aux`
* Installed packages: `dpkg -l` or `rpm -qa`
* Writable directories: `find / -writable 2>/dev/null`
* Cron jobs: `cat /etc/crontab`
* User and group info: `/etc/passwd` and `/etc/group`

=== Windows ===
* Whoami and privileges: `whoami /priv`
* Local groups: `net localgroup administrators`
* Services: `sc query` or `Get-Service`
* Startup folders and registry: `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run`
* Scheduled tasks: `schtasks /query`
* Installed programs: `wmic product get name`
* Environment: `set`
* File permissions: `icacls`, `accesschk`

== Websites & References ==
* [https://gtfobins.github.io GTFOBins] (trusted repo of SUID/privilege escalation via Linux binaries)
* [https://lolbas-project.github.io LOLBAS] (Living Off The Land Binaries and Scripts for Windows privilege escalation)
* [https://book.hacktricks.xyz hacktricks.xyz] (comprehensive privilege escalation techniques for Linux and Windows)
* [https://github.com/carlospolop/PEASS-ng PEASS-ng GitHub] (official PEAS suite repository)
* [https://www.fuzzysecurity.com/tutorials/16.html FuzzySecurity Windows Privesc Guide]
* [https://www.rebootuser.com/?p=1623 rebootuser's Linux privesc cheat sheet]

== See Also ==
* [[Initial Access]]
* [[Linux Post-Exploitation]]
* [[Windows Post-Exploitation]]
* [[Persistence]]
* [[Credential Dumping]]
* [[Exploitation Tools]]