Privilege Escalation

Question 1

Wildcard Injection

Answer 1

• Aside from exploiting binaries, it is important not to overlook the possibilities available to us in misconfigured systems. Wildcard injection takes advantage of the way the Linux terminal supplies parameters to the commands it runs.

Question 2

SUID Files

Answer 2

• Other than running services, there may be binaries with SUID or SGID permissions set that are owned by the root user. Not all of them will be exploitable, but some of them may be vulnerable to buffer overflows or other kinds of exploits.
• You can look for files with SUID permissions using the ‘find’ command:
  ‘find / -perm -4000 -user root -type f -print 2>/dev/null’

or SGUID if you change -4000 to -2000

Question 3

Windows Permissions

Answer 3

• On Windows there are two high sets of high privileges. The first is ‘Administrator’. An ‘Administrator’ is allowed to do nearly anything on the system, but there are still some things that this user is not allowed to do.
• The next level up from ‘Administrator’ is ‘SYSTEM’. The SYSTEM or Local System user is not bound by any restrictions, but normally a user cannot run as the ‘SYSTEM’ user. The ‘SYSTEM’ user is reserved for system services which are necessary for the operating system to function.

Question 4

Stored Credentials

Answer 4

• In some situations, you may find passwords lying around on the file system.
• This is usually the case where the system has been built in an enterprise environment as an unattended install.
• An automated script sets up the system, and in the process some configuration files for the script are used to determine the account username and password.
• The script should delete those files after the setup completes, but sometimes the script has been misconfigured and files get left behind.

Question 5

Weak Registry Permissions

Answer 5

• Every service on Windows has a matching registry key, which holds all the information about the path to the service executable, and the other settings associated with that service.
• If the permissions on the registry entry are weak, any user could change the path to point to an executable in a different location.

Question 6

Weak Folder Permissions

Answer 6

• The idea here is to find a service which has an executable in a folder that you are allowed to modify.
• By replacing the executable with malware, and then causing the service to restart we can cause the malware to run as SYSTEM.

Process:
1. List the permissions using ‘icacl’s.

2. Generate a malicious program using ‘msfvenom’ called program.exe.
3. In a new terminal window, start an instance of ‘exploit/multi/handler’ to listen for the connection when the malware runs.
4. Upload your malicious ‘program.exe’ into the ‘C:\Program Files\Vuln Service\Application Files', overwriting the existing ‘program.exe`’
5. Restart the service (if you have permission), or wait for the computer to reboot, or send the shutdown /r /t 0 command to forcefully reboot the computer. When the service runs, the connection will come into your exploit/multi/handler listener.

Question 7

AlwaysInstallElevated

Answer 7

• The ‘AlwaysInstallElevated’ setting can be enabled on Windows through Group Policy.
• Some administrators will configure this so that users can install software on their computers without administrator approval.
• Aside from being a bad idea, because who knows what kind of dodgy software users will install if left to their own devices, it effectively gives an unprivileged user administrative access.