Privilege Escalation Flashcards
Name three popular privilege escalation enumeration scripts for Linux
LinEnum
Linuxprivchecker
LinPEAS
Name two popular privilege escalation enumeration scripts for Windows
Seatbelt
JAWS
Older/unpatched systems can be vulnerable to exploits within the OS.
Kernel Exploits
In Linux, how do we check all installed software on a system?
dpkg -l
In Windows, where do we check all installed software on a system?
C:\Program Files
Name some common ways to exploit user privileges
Sudo
SUID
Windows Token Privileges
Command used to check sudo privileges
sudo -l
sudo -l output that says we can run all commands with sudo.
GhostfaceDinna@htb[/htb]$ sudo -l
[sudo] password for user1:
…SNIP…
User user1 may run the following commands on ExampleServer:
(ALL : ALL) ALL
How to escalate our privileges knowing we can run all commands with sudo?
sudo su -
[sudo] password for user1:
whoami
root
What does the NOPASSWD entry in the sudo -l output tell us?
That the /bin/echo command can be executed without a password
How do we use the NOPASSWD entry to escalate privileges?
sudo -u user /bin/echo Hello World!
Hello World!
When we find a certain application that runs via sudo, we can use it to exploit and escalate our privileges. Name a couple of websites that document such applications.
GTFOBins contains a list of commands and how they can be exploited through sudo.
LOLBAS contains a list of Windows applications that can be leveraged to perform certain functions.
How can we escalate privileges if we can write to a cron job directory?
We can write a bash script containing a reverse shell command, which will send us a reverse shell when the cron job executes it.
In Linux, what are some cron locations to check to determine if we have write permissions over them?
/etc/crontab
/etc/cron.d
/var/spool/cron/crontabs/root
Where are some common places to find files with exposed credentials?
Configuration files
Log files
User history files (bash_history in Linux, PSReadLine in Windows).
Where are some locations of .ssh directories?
/home/user/.ssh/id_rsa or /root/.ssh/id_rsa
If we have read access over the .ssh directory, what can we do?
You may be able to read the private ssh keys found in the directory.
Syntax for using a private key
vim id_rsa
chmod 600 id_rsa (read/write for the current user only)
ssh root@10.10.10.10 -i id_rsa
If we have write access to a user’s /.ssh/ directory, what can we do?
We can place our public key in the user’s ssh directory at /home/user/.ssh/authorized_keys. This technique is used to ssh after we’ve already gained a shell.
Syntax for generating public key
ssh-keygen -f key
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): ***
Enter same passphrase again: ***
Your identification has been saved in key
Your public key has been saved in key.pub
The key fingerprint is:
SHA256:…SNIP… user@parrot
The key’s randomart image is:
+---[RSA 3072]----+
| ..o.++.+ |
…SNIP…
| . ..oo+. |
+----[SHA256]-----+
ssh-keygen and the flag for specifying the output file.
-f <filename>
What two files are output by ssh-keygen? (name of the file is key)
key - (which we’ll use with ssh -i)
key.pub - which we will copy to the remote machine
Copy key.pub to which directory on the remote machine?
/root/.ssh/authorized_keys
SSH flag for logging into remote machine with a private key.
-i <private key>