Privilege Escalation Flashcards

1
Q

Wildcard Injection

A
  • Aside from exploiting binaries, it is important not to overlook the possibilities available to us in misconfigured systems. Wildcard injection takes advantage of the way the Linux terminal supplies parameters to the commands it runs.
2
Q

SUID Files

A
  • Other than running services, there may be binaries with SUID or SGID permissions set that are owned by the root user. Not all of them will be exploitable, but some of them may be vulnerable to buffer overflows or other kinds of exploits.
  • You can look for files with SUID permissions using the ‘find’ command:
    ‘find / -perm -4000 -user root -type f -print 2>/dev/null’

or for SGID files if you change -4000 to -2000.

3
Q

Windows Permissions

A
  • On Windows there are two sets of high privileges. The first is ‘Administrator’. An ‘Administrator’ is allowed to do nearly anything on the system, but there are still some things that this user is not allowed to do.
  • The next level up from ‘Administrator’ is ‘SYSTEM’. The SYSTEM or Local System user is not bound by any restrictions, but normally a user cannot run as the ‘SYSTEM’ user. The ‘SYSTEM’ user is reserved for system services which are necessary for the operating system to function.
4
Q

Stored Credentials

A
  • In some situations, you may find passwords lying around on the file system.
  • This is usually the case where the system has been built in an enterprise environment as an unattended install.
  • An automated script sets up the system, and in the process some configuration files for the script are used to determine the account username and password.
  • The script should delete those files after the setup completes, but sometimes the script has been misconfigured and files get left behind.
5
Q

Weak Registry Permissions

A
  • Every service on Windows has a matching registry key, which holds all the information about the path to the service executable, and the other settings associated with that service.
  • If the permissions on the registry entry are weak, any user could change the path to point to an executable in a different location.
6
Q

Weak Folder Permissions

A
  • The idea here is to find a service which has an executable in a folder that you are allowed to modify.
  • By replacing the executable with malware, and then causing the service to restart we can cause the malware to run as SYSTEM.

Process:
  1. List the permissions using ‘icacls’.
  2. Generate a malicious program using ‘msfvenom’ called ‘program.exe’.
  3. In a new terminal window, start an instance of ‘exploit/multi/handler’ to listen for the connection when the malware runs.
  4. Upload your malicious ‘program.exe’ into ‘C:\Program Files\Vuln Service\Application Files’, overwriting the existing ‘program.exe’.
  5. Restart the service (if you have permission), or wait for the computer to reboot, or send the ‘shutdown /r /t 0’ command to forcefully reboot the computer. When the service runs, the connection will come into your ‘exploit/multi/handler’ listener.
7
Q

AlwaysInstallElevated

A
  • The ‘AlwaysInstallElevated’ setting can be enabled on Windows through Group Policy.
  • Some administrators will configure this so that users can install software on their computers without administrator approval.
  • Aside from being a bad idea, because who knows what kind of dodgy software users will install if left to their own devices, it effectively gives an unprivileged user administrative access, since any MSI package they install runs with elevated privileges.