Linux Privilege Escalation via Automated Script

We all know that after compromising a victim's machine we usually hold a low-privilege shell that we want to escalate into a higher-privileged one; this process is known as privilege escalation. In this article we discuss what privilege escalation covers and how an attacker identifies that a low-privilege shell can be escalated to a higher-privileged one. Beyond that, there are several Linux scripts that come in useful when trying to escalate privileges on a target system. They are generally aimed at enumeration rather than at specific vulnerabilities or exploits, and this type of script can save you a lot of time.

Table of Content

  • Introduction
  • Vectors of Privilege Escalation
  • LinEnum
  • Linuxprivchecker
  • Linux Exploit Suggester 2
  • Bashark
  • BeRoot

Introduction

Basically, privilege escalation is the phase that comes after the attacker has compromised the victim's machine, in which he tries to gather critical information about the system such as hidden passwords and weakly configured services or applications. All this information helps the attacker mount post-exploitation against the machine in order to obtain a higher-privileged shell.

Vectors of Privilege Escalation

  • OS Detail & Kernel Version
  • Any Vulnerable package installed or running
  • Files and Folders with Full Control or Modify Access
  • File with SUID Permissions
  • Mapped Drives (NFS)
  • Potentially Interesting Files
  • Environment Variable Path
  • Network Information (interfaces, arp, netstat)
  • Running Processes
  • Cronjobs
  • User’s Sudo Right
  • Wildcard Injection

Several scripts are used in penetration testing to quickly identify potential privilege escalation vectors, and today we will elaborate on each script that works smoothly.

LinEnum

LinEnum (Scripted Local Linux Enumeration & Privilege Escalation Checks) is a shell script that enumerates the system configuration. A high-level summary of the checks and tasks performed by LinEnum:

Privileged access: checks whether the current user has sudo access without a password and whether root's home directory is accessible.

System information: hostname, networking details, current IP, etc.

User information: current user, a list of all users including uid/gid information, a list of root accounts, and a check whether password hashes are stored in /etc/passwd.

Kernel and distribution release details.

You can download it from GitHub with the following command:

Once you have downloaded the script, run it by typing ./LinEnum.sh in the terminal. It will dump all fetched data and system details.

Let's analyse the results it brings us:

OS & Kernel Info: 4.15.0-36-generic, Ubuntu-16.04.1

Hostname: Ubuntu

Moreover:

Super User Accounts: root, demo, hack, raaz

Sudo Rights User: Ignite, raj

Home Directories File Permission

Environment Information

And many more such things that come under post exploitation.

Linuxprivchecker

Linuxprivchecker enumerates the system configuration and runs some privilege escalation checks as well. It is a Python implementation that suggests exploits particular to the system that has been compromised. Use wget to download the script from its source URL.

To use this script, type python linuxprivchecker.py in the terminal; it will enumerate file and directory permissions and contents. This script works much like LinEnum and hunts for details related to the system, network and users.

Let's analyse the results it brings us:

OS & Kernel Info: 4.15.0-36-generic, Ubuntu-16.04.1

Hostname: Ubuntu

Network info: interfaces, netstat

Writable directories and files for users other than root: /home/raj/script/shell.py

Checks whether root's home folder is accessible

Files with SUID/SGID permissions

For example: /bin/raj/asroot.sh, a bash script with the SUID permission set
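The checks LinEnum and linuxprivchecker run above (accounts with uid 0, hashes left in /etc/passwd, passwordless sudo rules, SUID and world-writable files such as /home/raj/script/shell.py and /bin/raj/asroot.sh) are simple enough to re-implement, which is handy when you want to audit a host without dropping a third-party script on it. The Python below is an added example written for this page, not code from either tool; the /etc/passwd and sudoers contents and the directory tree it scans are constructed, and the function names are this example's own.

```python
"""Audit checks of the kind LinEnum and linuxprivchecker perform, written
from scratch for this page as an illustration (not the tools' own code)."""
import os
import stat
import tempfile

# Constructed /etc/passwd: one account carries its hash inline (second
# field is not 'x'), and one account besides root has uid 0.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
demo:x:0:0:demo:/home/demo:/bin/bash
raj:$6$saltsalt$NotARealHashJustConstructed:1000:1000:raj:/home/raj:/bin/bash
ignite:x:1001:1001:ignite:/home/ignite:/bin/bash
"""

# Constructed /etc/sudoers: one rule needs no password.
SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL:ALL) ALL
ignite  ALL=(ALL) NOPASSWD: ALL
raj     ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
"""


def parse_passwd(text):
    """Yield (user, password_field, uid) for each well-formed passwd line."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue
        yield fields[0], fields[1], int(fields[2])


def superuser_accounts(passwd_text):
    """Every account with uid 0 is root, whatever it is called."""
    return [u for u, _, uid in parse_passwd(passwd_text) if uid == 0]


def hashes_in_passwd(passwd_text):
    """Accounts whose hash sits in world-readable /etc/passwd, not /etc/shadow."""
    return [u for u, pw, _ in parse_passwd(passwd_text) if pw not in ("x", "*", "!", "")]


def nopasswd_sudo_entries(sudoers_text):
    """Users or groups that may run sudo commands without authenticating."""
    found = []
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if "NOPASSWD" in line:
            found.append(line.split()[0])
    return found


def find_suid_and_world_writable(root):
    """Walk `root`; return (suid_files, world_writable_files), both sorted."""
    suid, world_writable = [], []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue
            if not stat.S_ISREG(mode):
                continue  # skip symlinks, sockets and device nodes
            if mode & stat.S_ISUID:
                suid.append(path)
            if mode & stat.S_IWOTH:
                world_writable.append(path)
    return sorted(suid), sorted(world_writable)


def build_demo_tree():
    """Constructed tree: one SUID shell script and one world-writable file."""
    root = tempfile.mkdtemp(prefix="privaudit-")
    os.makedirs(os.path.join(root, "bin"))
    suid_path = os.path.join(root, "bin", "asroot.sh")
    with open(suid_path, "w") as fh:
        fh.write("#!/bin/sh\nid\n")
    os.chmod(suid_path, 0o4755)   # setuid bit on a script
    ww_path = os.path.join(root, "shell.py")
    with open(ww_path, "w") as fh:
        fh.write("print('hi')\n")
    os.chmod(ww_path, 0o666)      # anyone on the host can modify it
    return root, suid_path, ww_path


if __name__ == "__main__":
    print("uid 0 accounts:", superuser_accounts(SAMPLE_PASSWD))
    print("hashes in /etc/passwd:", hashes_in_passwd(SAMPLE_PASSWD))
    print("NOPASSWD sudo:", nopasswd_sudo_entries(SAMPLE_SUDOERS))
    demo_root, _, _ = build_demo_tree()
    print("SUID / world-writable:", find_suid_and_world_writable(demo_root))
```

The scan deliberately skips symlinks and special files, and it still reports the bit on a script like asroot.sh even though Linux ignores setuid on interpreted scripts: the bit signals a misconfiguration worth fixing either way. Run the functions against the real /etc/passwd and /etc/sudoers (the latter needs root to read) and against / to reproduce the LinEnum findings shown above.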

Linux Exploit Suggester 2

A next-generation exploit suggester based on Linux_Exploit_Suggester. This program runs uname -r to grab the Linux operating system release version and returns a list of possible exploits.

This script is extremely useful for quickly finding privilege escalation vulnerabilities both in on-site and exam environments.

Key improvements include:

  • More exploits
  • Accurate wildcard matching, which expands the scope of searchable exploits.
  • Output colorization for easy viewing.
  • And more to come

You can use the -k flag to manually enter a wildcard for the kernel/operating system release version.

Bashark

Bashark aids pentesters and security researchers during the post-exploitation phase of security audits.

Its features

  • Single Bash script
  • Lightweight and fast
  • Multi-platform: Unix, OSX, Solaris etc.
  • No external dependencies
  • Immune to heuristic and behavioral analysis
  • Built-in aliases of often used shell commands
  • Extends system shell with post-exploitation oriented functionalities
  • Stealthy, with custom cleanup routine activated on exit
  • Easily extensible (add new commands by creating Bash functions)
  • Full tab completion

Execute the following command to download it from GitHub:

To execute the script you need to run the following command:

The help command lists all options bashark provides for post exploitation.

With the portscan option you can scan the internal network of the compromised machine.

To fetch all configuration files you can use the getconf option; it pulls out all configuration files stored inside the /etc directory. Similarly, you can use the getprem option to view all binary files on the target machine.

BeRoot

The BeRoot Project is a post-exploitation tool that checks for common misconfigurations in order to find a way to escalate privileges. This tool does not perform any exploitation. Its main goal is not to produce a configuration assessment of the host (listing all services, all processes, all network connections, etc.) but to print only information that has been identified as a potential way to escalate privileges.

To execute the script you need to run the following command:

It will try to enumerate all possible loopholes that can lead to privilege escalation. As you can observe, the text highlighted in yellow represents a weak configuration that can lead to root privilege escalation, whereas red represents the technique that can be used to exploit it.

Its functions:

  • Check file permissions
  • SUID binaries
  • NFS root squashing
  • Docker
  • Sudo rules
  • Kernel exploits

Conclusion: the scripts executed above are available on GitHub, from where you can easily download them. These automated scripts try to identify weak configurations that can lead to root privilege escalation.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets. Contact here

Multiple Ways to Bypass UAC using Metasploit

In this post we shed light on User Account Control, commonly known as UAC. We will also look at how it can protect you from malicious software and how ignoring the UAC prompt can get your system into trouble.

Table of Content

Introduction to UAC

  • What is UAC?
  • Working of UAC

Techniques 

  1. Windows Escalate UAC Protection Bypass
  2. Windows Escalate UAC Protection Bypass (In Memory Injection)
  3. Windows UAC Protection Bypass (Via FodHelper Registry Key)
  4. Windows Escalate UAC Protection Bypass (Via Eventvwr Registry Key)
  5. Windows Escalate UAC Protection Bypass (Via COM Handler Hijack)

Introduction to User Account Control

What is User Account Control?

User Account Control was introduced with Microsoft's Windows Vista and Windows Server 2008 operating systems to prevent unwanted system-wide changes in a way that is predictable and requires minimal effort.

In other words, it is a security feature of Windows that helps prevent unauthorized modifications to the operating system. UAC makes sure that certain changes are made only with authorization from an administrator. If the changes are not permitted by the administrator, they are not executed and Windows remains unchanged.

How does UAC work?

UAC works by preventing a program from carrying out tasks that involve system changes. Such operations will not work unless the process attempting to carry them out is running with administrator rights. If you run a program as administrator it will have more privileges, since it is "elevated", compared to programs that are not running as administrator.

Some things which cannot be done without administrator rights:

  • Registry modifications (if the registry key is under e.g. HKEY_LOCAL_MACHINE, which affects more than one user, it will be read-only)
  • Loading a device driver
  • DLL injection
  • Modifying system time (clock)
  • Modifying User Account Control settings (via the registry it can be enabled/disabled, but you need the correct privileges to do this)
  • Modifying protected directories (e.g. the Windows folder, Program Files)
  • Scheduled tasks (e.g. to auto-start with administrator privileges)

UAC won't automatically block malicious software; its purpose was never to determine whether a program is malicious. It is down to the user just as much: if a program is going to be executed with administrator privileges, the user will be alerted and will need to provide confirmation.

//malwaretips.com/threads/why-uac-is-important-and-how-it-can-protect-you.47157/
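The prompting behaviour described above is governed by three registry values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System: EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop. At the default slider level signed Windows binaries elevate without a prompt, which is the behaviour the fodhelper and eventvwr modules later in this article depend on; the "Always notify" level prompts for them as well. The Python below is an added example written for this page (not from the cited post or from Metasploit) that reads those values and reports any posture weaker than "Always notify". The value names and their meanings are the documented Windows policy settings; the dict-based functions, the finding texts and the constructed value sets are this example's own.

```python
"""UAC posture check: evaluates the policy values that decide when an
administrator is prompted. Added example for this page; the value names
and meanings are documented Windows settings, the rest is this example's."""
import platform

# Key under HKEY_LOCAL_MACHINE that holds the UAC policy values.
UAC_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Documented meanings of ConsentPromptBehaviorAdmin.
ADMIN_PROMPT = {
    0: "elevate without prompting",
    1: "prompt for credentials on the secure desktop",
    2: "prompt for consent on the secure desktop",
    3: "prompt for credentials",
    4: "prompt for consent",
    5: "prompt for consent for non-Windows binaries only",
}

# Constructed value sets: the out-of-the-box level and a hardened one.
DEFAULT_VALUES = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1}
HARDENED_VALUES = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 2, "PromptOnSecureDesktop": 1}


def uac_level(values):
    """Map the values to the slider level shown in the Control Panel."""
    if values.get("EnableLUA", 1) == 0:
        return "disabled"
    admin = values.get("ConsentPromptBehaviorAdmin", 5)
    secure = values.get("PromptOnSecureDesktop", 1)
    if admin == 0:
        return "never notify"
    if admin == 2 and secure == 1:
        return "always notify"
    if admin == 5 and secure == 1:
        return "default"
    return "custom"


def assess_uac(values):
    """Return findings as strings; an empty list means 'Always notify' posture."""
    findings = []
    if values.get("EnableLUA", 1) == 0:
        findings.append("EnableLUA=0: UAC is off, every process of an administrator runs elevated")
        return findings
    admin = values.get("ConsentPromptBehaviorAdmin", 5)
    secure = values.get("PromptOnSecureDesktop", 1)
    if admin == 0:
        findings.append("ConsentPromptBehaviorAdmin=0: administrators are elevated silently")
    elif admin == 5:
        findings.append("ConsentPromptBehaviorAdmin=5: signed Windows binaries auto-elevate "
                        "without a prompt; value 2 ('Always notify') prompts for them too")
    elif admin not in (1, 2):
        findings.append(f"ConsentPromptBehaviorAdmin={admin} "
                        f"({ADMIN_PROMPT.get(admin, 'undocumented value')}): "
                        "not the 'Always notify' level")
    if secure != 1:
        findings.append("PromptOnSecureDesktop=0: prompts appear on the normal desktop, "
                        "where other software can draw over or drive them")
    return findings


def read_live_uac_values():
    """Read the three values from the local registry (Windows only)."""
    if platform.system() != "Windows":
        raise OSError("the Windows registry is only available on Windows")
    import winreg  # part of the standard library on Windows builds of Python
    out = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, UAC_KEY) as key:
        for name in ("EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop"):
            try:
                out[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                pass  # value absent: the documented default applies
    return out


if __name__ == "__main__":
    for label, vals in (("default", DEFAULT_VALUES), ("hardened", HARDENED_VALUES)):
        print(label, uac_level(vals), assess_uac(vals))
```

On a Windows host, feed read_live_uac_values() into assess_uac(); an empty result means the machine is at "Always notify" with prompts on the secure desktop, the setting that removes the silent auto-elevation the registry-hijack modules below rely on.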

Techniques 

First exploit the target machine to obtain a Meterpreter session. Once you have Meterpreter session 1, type the following command to check the system authority and privileges.

If you don't have system/admin authority and privileges, you should try to bypass the UAC protection of the targeted system.

Windows Escalate UAC Protection Bypass

This module will bypass Windows UAC by utilizing the trusted publisher certificate through process injection. It will spawn a second shell that has the UAC flag turned off.

From the given image you can observe that Meterpreter session 2 has opened; now type the following command to determine the system authority and privileges.

Great!! Here we got NT AUTHORITY\SYSTEM privileges; now if you type the "shell" command you will get access to a command prompt with administrator privileges.

Windows Escalate UAC Protection Bypass (In Memory Injection)

This module will bypass Windows UAC by utilizing the trusted publisher certificate through process injection. It will spawn a second shell that has the UAC flag turned off. This module uses the Reflective DLL Injection technique to drop only the DLL payload binary instead of three separate binaries in the standard technique. However, it requires the correct architecture to be selected, (use x64 for SYSWOW64 systems also). If specifying EXE::Custom your DLL should call ExitProcess() after starting your payload in a separate process.

From the given image you can observe that Meterpreter session 2 has opened; now type the following command to determine the system authority and privileges.

Ultimately you will get NT AUTHORITY\SYSTEM privileges; now if you run the "shell" command you will get access to a command prompt with administrator privileges.

Windows UAC Protection Bypass (Via FodHelper Registry Key)

This module will bypass Windows 10 UAC by hijacking a special key in the Registry under the current user hive and inserting a custom command that will get invoked when the Windows fodhelper.exe application is launched. It will spawn a second shell that has the UAC flag turned off. This module modifies a registry key but cleans up the key once the payload has been invoked. The module does not require the architecture of the payload to match the OS. If specifying EXE::Custom your DLL should call ExitProcess() after starting your payload in a separate process.

From the given image you can observe that Meterpreter session 2 has opened; now type the following command to determine the system authority and privileges.

Great!! Here we got NT AUTHORITY\SYSTEM privileges; now if you type the "shell" command you will get access to a command prompt with administrator privileges.

Windows Escalate UAC Protection Bypass (Via Eventvwr Registry Key)

This module will bypass Windows UAC by hijacking a special key in the Registry under the current user hive, and inserting a custom command that will get invoked when the Windows Event Viewer is launched. It will spawn a second shell that has the UAC flag turned off. This module modifies a registry key, but cleans up the key once the payload has been invoked. The module does not require the architecture of the payload to match the OS. If specifying EXE::Custom your DLL should call ExitProcess() after starting your payload in a separate process.

From the given image you can observe that Meterpreter session 2 has opened; now type the following command to determine the system authority and privileges.

And again you will get NT AUTHORITY\SYSTEM privileges.

Windows Escalate UAC Protection Bypass (Via COM Handler Hijack)

This module will bypass Windows UAC by creating COM handler registry entries in the HKCU hive. When certain high integrity processes are loaded, these registry entries are referenced resulting in the process loading user-controlled DLLs. These DLLs contain the payloads that result in elevated sessions. Registry key modifications are cleaned up after payload invocation. This module requires the architecture of the payload to match the OS, but the current low-privilege Meterpreter session architecture can be different. If specifying EXE::Custom your DLL should call ExitProcess() after starting your payload in a separate process. This module invokes the target binary via cmd.exe on the target. Therefore if cmd.exe access is restricted, this module will not run correctly.

From the given image you can observe that Meterpreter session 2 has opened; now type the following command to determine the system authority and privileges.

Finally you will get NT AUTHORITY\SYSTEM privileges; if you run the "shell" command again you will get access to a command prompt with administrator privileges. This is how Metasploit post-exploitation modules help bypass UAC protection.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets. Contact here

Windows Kernel Exploit Privilege Escalation

Hello Friends!! In our previous article we discussed "Vectors of Windows Privilege Escalation using the automated script", and today we demonstrate Windows privilege escalation via kernel exploitation methodologies. For this purpose we will utilize the built-in Metasploit module known as Local Exploit Suggester. The objective of this suggester is to identify which parts of a system may be exploitable and to give us insight into the best-matching exploits available, which can then be used to elevate privileges.

Table of content

  • Windows-Exploit-suggester
  • Windows ClientCopyImage Win32k Exploit
  • Windows TrackPopupMenu Win32k NULL Pointer Dereference
  • Windows SYSTEM Escalation via KiTrap0D
  • Windows Escalate Task Scheduler XML Privilege Escalation
  • MS16-016 mrxdav.sys WebDav Local Privilege Escalation
  • EPATHOBJ::pprFlattenRec Local Privilege Escalation
  • MS13-053: NTUserMessageCall Win32k Kernel Pool Overflow
  • MS16-032 Secondary Logon Handle Privilege Escalation
  • RottenPotato

Windows-Exploit-suggester

This built-in Metasploit module suggests various local exploits that can be used to perform privilege escalation, basing its suggestions on the architecture, platform (i.e. the operating system it is running on), session type and required default options. It saves time, as we don't have to search around manually for local exploits unless none of the suggested options works.

It is also significant to note that not ALL of these listed local exploits will be fired.

Usage

Note: to use the local exploit suggester we must already have a Meterpreter session open on our target machine. However, before running the Local Exploit Suggester we need to send our existing active Meterpreter session to the background (CTRL + Z).

Below is an example; let's say our existing active Meterpreter session is 1.

As you can observe, it has suggested some post exploits to which the target is vulnerable and which can provide a higher-privilege shell.

Windows ClientCopyImage Win32k Exploit

Vulnerabilities in Windows Kernel-Mode Drivers could allow elevation of privilege. This module exploits improper object handling in the win32k.sys kernel mode driver.

This module has been tested on vulnerable builds of Windows 7 x64 and x86, Windows 2008 R2 SP1 x64.

Let's navigate to the MSF console and execute this exploit.

Another Meterpreter session gets opened once the selected exploit has been executed.

As we can see, we are logged into the system as the privileged Windows user NT AUTHORITY\SYSTEM.

Windows TrackPopupMenu Win32k NULL Pointer Dereference

This module exploits a NULL pointer dereference in win32k.sys; the vulnerability can be triggered through the use of TrackPopupMenu. Under special conditions, the NULL pointer dereference can be abused in xxxSendMessageTimeout to achieve arbitrary code execution.

This module has been tested on Windows XP SP3, Windows Server 2003 SP2, Windows 7 SP1, Windows Server 2008 32-bit and Windows Server 2008 R2 SP1 64-bit.

Let's navigate to the MSF console and execute this exploit.

Another Meterpreter session gets opened once the selected exploit has been executed.

As we can see, we are logged into the system as the privileged Windows user NT AUTHORITY\SYSTEM.

Windows SYSTEM Escalation via KiTrap0D

This module will create a new session with SYSTEM privileges via the KiTrap0D exploit. If the session in use is already elevated, the exploit will not run. The module relies on kitrap0d.x86.dll and is not supported on x64 editions of Windows.

This module has been tested on vulnerable builds of Windows Server 2003, Windows Server 2008, Windows 7 and XP for 32-bit systems.

Let's navigate to the MSF console and execute this exploit.

Another Meterpreter session gets opened once the selected exploit has been executed.

As we can see, we are logged into the system as the privileged Windows user NT AUTHORITY\SYSTEM.

Windows Escalate Task Scheduler XML Privilege Escalation

This vulnerability in Task Scheduler could allow elevation of privileges.

The corresponding security update resolves a publicly disclosed vulnerability in Windows Task Scheduler. The vulnerability could allow elevation of privilege if an attacker logged on to an affected system and ran a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.

This module has been tested on vulnerable builds of Windows Vista, Windows 7, and Windows Server 2008 x64 and x86.

Let's navigate to the MSF console and execute this exploit.

Another Meterpreter session gets opened once the selected exploit has been executed.

As we can see, we are logged into the system as the privileged Windows user NT AUTHORITY\SYSTEM.

MS16-016 mrxdav.sys WebDav Local Privilege Escalation

This module exploits the vulnerability in mrxdav.sys described by MS16-016. The module will spawn a process on the target system and elevate its privileges to NT AUTHORITY\SYSTEM before executing the specified payload within the context of the elevated process.

This module has been tested on a vulnerable build of Windows 7 SP1, x86 architecture.

Let's navigate to the MSF console and execute this exploit.

Another Meterpreter session gets opened once the selected exploit has been executed.

As we can see, we are logged into the system as the privileged Windows user NT AUTHORITY\SYSTEM.

EPATHOBJ::pprFlattenRec Local Privilege Escalation

This module exploits a vulnerability in EPATHOBJ::pprFlattenRec caused by the use of uninitialized data, which allows memory corruption.

At the moment, the module has been tested successfully on Windows XP SP3, Windows 2003 SP1, and Windows 7 SP1.

Let's navigate to the MSF console and execute this exploit.

Another Meterpreter session gets opened once the selected exploit has been executed.

As we can see, we are logged into the system as the privileged Windows user NT AUTHORITY\SYSTEM.

MS13-053: NTUserMessageCall Win32k Kernel Pool Overflow

A kernel pool overflow in Win32k which allows local privilege escalation. The kernel shellcode nulls the ACL of the winlogon.exe process (a SYSTEM process). This allows any unprivileged process to freely migrate to winlogon.exe, achieving privilege escalation. Used in Pwn2Own 2013 by MWR to break out of Chrome's sandbox. NOTE: when you exit the Meterpreter session, winlogon.exe is likely to crash.

At the moment, the module has been tested successfully on Windows 7 SP1 x86.

Let's navigate to the MSF console and execute this exploit.

Another Meterpreter session gets opened once the selected exploit has been executed.

As we can see, we are logged into the system as the privileged Windows user NT AUTHORITY\SYSTEM.

MS16-032 Secondary Logon Handle Privilege Escalation

This module exploits the lack of sanitization of standard handles in Windows’ Secondary Logon Service. The vulnerability is known to affect versions of Windows 7-10 and 2k8-2k12 32 and 64 bit. This module will only work against those versions of Windows with Powershell 2.0 or later and systems with two or more CPU cores.

Another Meterpreter session gets opened once the selected exploit has been executed.

As we can see, we are logged into the system as the privileged Windows user NT AUTHORITY\SYSTEM.

RottenPotato

RottenPotato performs local privilege escalation from a service account to SYSTEM.

It is important to impersonate the token (or run list_tokens -u) quickly after running the binary. With the current implementation, the token seems to disappear shortly after the binary is run. It is also important to follow the order of the steps. Make sure you "use incognito" before running the binary.

The incognito option in the Meterpreter session was originally a stand-alone application that permitted you to impersonate user tokens after successfully compromising a system. The first thing we need to do is identify whether there are any valid tokens on this system.

Looking at the impersonation tokens, you can see that currently no token is available.

Now download RottenPotato from GitHub for privilege escalation.

After downloading it you will have the rottenpotato.exe file.

Upload the exe file to the victim's machine.

Now type the command below to execute the exe file; this adds a SYSTEM token under the impersonation user tokens.

As we can see, we are logged into the system as the privileged Windows user NT AUTHORITY\SYSTEM.

Author: Ankur Sachdev is an Information Security consultant and researcher in the field of Network & WebApp Penetration Testing. Contact Here

Windows Privilege Escalation via Automated Script

We all know that after compromising a victim's machine we usually hold a low-privilege shell that we want to escalate into a higher-privileged one; this process is known as privilege escalation. In this article we discuss what privilege escalation covers and how an attacker identifies that a low-privilege shell can be escalated to a higher-privileged one.

Table of Content

  • Introduction
  • Vectors of Privilege Escalation
  • Windows-Exploit-Suggester
  • Windows Gather Applied Patches
  • Sherlock
  • JAWS – Just Another Windows (Enum) Script
  • PowerUp

Introduction

Basically, privilege escalation is the phase that comes after the attacker has compromised the victim's machine, in which he tries to gather critical information about the system such as hidden passwords and weakly configured services or applications. All this information helps the attacker mount post-exploitation against the machine in order to obtain a higher-privileged shell.

Vectors of Privilege Escalation

The following information is considered critical information about a Windows system:

  • The version of the operating system
  • Any Vulnerable package installed or running
  • Files and Folders with Full Control or Modify Access
  • Mapped Drives
  • Potentially Interesting Files
  • Unquoted Service Paths
  • Network Information (interfaces, arp, netstat)
  • Firewall Status and Rules
  • Running Processes
  • AlwaysInstallElevated Registry Key Check
  • Stored Credentials
  • DLL Hijacking
  • Scheduled Tasks

Several scripts are used in penetration testing to quickly identify potential privilege escalation vectors on Windows systems, and today we will elaborate each script that works smoothly.

Windows-Exploit-suggester

If you have the victim's low-privilege Meterpreter or command session, you can use Exploit-Suggester.

This module suggests local Meterpreter exploits that can be used. The exploits are suggested based on the architecture and platform on which the user has a shell open, as well as the exploits available in Meterpreter. It's important to note that not all local exploits will be fired. Exploits are chosen based on these conditions: session type, platform, architecture, and required default options.

As you can observe, it has suggested some post exploits to which the target is vulnerable and which can provide a higher-privilege shell.

Windows Gather Applied Patches

This module will attempt to enumerate which patches are applied to a Windows system based on the result of the WMI query SELECT HotFixID FROM Win32_QuickFixEngineering.

As you can observe, it has also shown that the target is possibly vulnerable to a recommended exploit that can provide a higher-privilege shell.

Sherlock

Sherlock is a PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities. Like the post-exploitation module above, it suggests that the target is possibly vulnerable to a recommended exploit that can provide a higher-privilege shell.

Download it from GitHub with the following command and execute it once you have a Meterpreter session on the victim's machine.

Since this script must be executed in PowerShell, load PowerShell and then import the downloaded script.

The above command will show that the target is possibly vulnerable to a recommended exploit that can be used to achieve a higher-privilege shell.
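Both the Gather Applied Patches module and Sherlock work on the same principle: collect the installed HotFixIDs and compare them against the KB articles that ship the fix for each known local privilege escalation bug. Run from the defender's side, the same comparison is a patch-gap check. The Python below is an added example written for this page, not the code of either tool: it parses the two listing shapes you get from wmic qfe and systeminfo and reports every bulletin on a watch-list with no matching KB installed. The bulletin names are those discussed on this page; the KB numbers in the watch-list and in the listings are constructed placeholders, as are the function names.

```python
"""Patch-gap check of the kind Sherlock and the Gather Applied Patches
module perform. Added example for this page, not either tool's code."""
import re

# Constructed sample in the shape of `wmic qfe get HotFixID` output.
WMIC_QFE_OUTPUT = """HotFixID
KB1111111
KB2222222
kb6666666
"""

# Constructed sample in the shape of the Hotfix(s) block of `systeminfo`.
SYSTEMINFO_OUTPUT = """Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB1111111
                           [02]: KB2222222
                           [03]: KB6666666
"""

# Bulletin -> KB articles that ship its fix. The bulletin names are the ones
# this page discusses; the KB numbers are CONSTRUCTED placeholders. Take the
# real ones for the OS build from the vendor advisory before using this.
WATCHLIST = {
    "MS16-032": ["KB1111111"],
    "MS16-016": ["KB3333333"],
    "MS13-053": ["KB4444444", "KB5555555"],
}

# KB article numbers are six or seven digits; listings differ in case.
KB_RE = re.compile(r"\bKB(\d{6,7})\b", re.IGNORECASE)


def parse_hotfix_ids(text):
    """Every KBnnnnnn token in the text, upper-cased, de-duplicated, sorted.
    Works on wmic qfe, systeminfo and Get-HotFix style listings alike."""
    return sorted({"KB" + m.group(1) for m in KB_RE.finditer(text)})


def missing_bulletins(installed, watchlist=WATCHLIST):
    """Bulletins for which none of the listed KB articles is installed."""
    have = set(installed)
    return sorted(b for b, kbs in watchlist.items() if not have.intersection(kbs))


def patch_gap_report(listing_text, watchlist=WATCHLIST):
    """Parse a listing and return what is installed and what is missing."""
    installed = parse_hotfix_ids(listing_text)
    return {"installed": installed, "missing": missing_bulletins(installed, watchlist)}


if __name__ == "__main__":
    for name, text in (("wmic qfe", WMIC_QFE_OUTPUT), ("systeminfo", SYSTEMINFO_OUTPUT)):
        print(name, patch_gap_report(text))
```

A bulletin reported as missing is a lead, not proof of exposure: on Windows 10 and on hosts that received superseding packages, the KB number that originally shipped a fix may never appear in the listing even though the fix is present, which is why tools of this kind produce false positives and why the watch-list has to be maintained per OS build.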

JAWS – Just Another Windows (Enum) Script

JAWS is a PowerShell script designed to help penetration testers (and CTFers) quickly identify potential privilege escalation vectors on Windows systems. It is written using PowerShell 2.0, so it 'should' run on every Windows version since Windows 7.

Current Features

  • Network Information (interfaces, arp, netstat)
  • Firewall Status and Rules
  • Running Processes
  • Files and Folders with Full Control or Modify Access
  • Mapped Drives
  • Potentially Interesting Files
  • Unquoted Service Paths
  • Recent Documents
  • System Install Files
  • AlwaysInstallElevated Registry Key Check
  • Stored Credentials
  • Installed Applications
  • Potentially Vulnerable Services
  • MuiCache Files
  • Scheduled Tasks

Once you have a Meterpreter shell, upload the downloaded script and use the command shell to run it.

It will store the critical information in a text file named "JAWS-Enum.txt".

As said, the JAWS-Enum.txt file should contain the vectors that can lead to privilege escalation; let's open it and look at the result.

In the following image you can observe that it has shown all user names and the IP configuration.

In this image we can clearly observe the result of netstat.

In this image we can clearly observe the running processes and services.

In this image we can clearly observe all installed programs and patches.

In this image we can clearly observe the folders with Full Control and Modify access; much more information can be extracted by running this script.

PowerUp

PowerUp is a PowerShell tool to assist with local privilege escalation on Windows systems. PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfiguration.

Running Invoke-AllChecks will output any identifiable vulnerabilities along with specifications for any abuse functions. The -HTMLReport flag will also generate a COMPUTER.username.html version of the report.

Current features

Service Enumeration:

  • Get-ServiceUnquoted: returns services with unquoted paths that also have a space in the name.
  • Get-ModifiableServiceFile: returns services where the current user can write to the service binary path or its config.
  • Get-ModifiableService: returns services the current user can modify.
  • Get-ServiceDetail: returns detailed information about a specified service.

Service Abuse:

  • Invoke-ServiceAbuse: modifies a vulnerable service to create a local admin or execute a custom command.
  • Write-ServiceBinary: writes out a patched C# service binary that adds a local admin or executes a custom command.
  • Install-ServiceBinary: replaces a service binary with one that adds a local admin or executes a custom command.
  • Restore-ServiceBinary: restores a replaced service binary with the original executable.

DLL Hijacking:

  • Find-ProcessDLLHijack: finds potential DLL hijacking opportunities for currently running processes.
  • Find-PathDLLHijack: finds service %PATH% DLL hijacking opportunities.
  • Write-HijackDll: writes out a hijackable DLL.

Registry Checks:

  • Get-RegistryAlwaysInstallElevated: checks if the AlwaysInstallElevated registry key is set.
  • Get-RegistryAutoLogon: checks for Autologon credentials in the registry.
  • Get-ModifiableRegistryAutoRun: checks for any modifiable binaries/scripts (or their configs) in HKLM autoruns.
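Two of the checks listed above, Get-ServiceUnquoted (the same check JAWS reports as "Unquoted Service Paths") and Get-RegistryAlwaysInstallElevated, can be reproduced in a few lines, which helps when reviewing a build standard or an exported service list rather than a live host. The Python below is an added example written for this page, not PowerUp's or JAWS's code; the sc qc output and the service names are constructed, and the function names are this example's own.

```python
"""Unquoted service path and AlwaysInstallElevated checks, re-implemented
for this page as an illustration. Not PowerUp's or JAWS's code; the
sc qc output below is constructed."""
import re

# Constructed output in the shape of `sc qc <name>` for three services.
SC_QC_OUTPUT = r"""SERVICE_NAME: GoodSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        BINARY_PATH_NAME   : "C:\Program Files\Good Vendor\good.exe" -service
        DISPLAY_NAME       : Good Service

SERVICE_NAME: BadSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        BINARY_PATH_NAME   : C:\Program Files\Some Vendor\Sub Dir\svc.exe -k run
        DISPLAY_NAME       : Bad Service

SERVICE_NAME: SysSvc
        TYPE               : 20  WIN32_SHARE_PROCESS
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k netsvcs
        DISPLAY_NAME       : System Service
"""


def parse_sc_qc(text):
    """Return {service_name: BINARY_PATH_NAME} from sc qc style output."""
    services, current = {}, None
    for line in text.splitlines():
        m = re.match(r"SERVICE_NAME:\s*(\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*BINARY_PATH_NAME\s*:\s*(.*)$", line)
        if m and current:
            services[current] = m.group(1).strip()
    return services


def _exe_end(image_path):
    """Index just past the '.exe' of the executable part, or -1 if absent."""
    pos = image_path.lower().find(".exe")
    return -1 if pos < 0 else pos + 4


def unquoted_with_space(image_path):
    """True when the path is unquoted and the executable path contains a space."""
    p = image_path.strip()
    end = _exe_end(p)
    return not p.startswith('"') and end > 0 and " " in p[:end]


def candidate_paths(image_path):
    """Executables the service control manager would try, in order, before
    the real one. Each parent directory on this list must be checked for
    write access by non-administrators."""
    p = image_path.strip()
    if not unquoted_with_space(p):
        return []
    parts = p[:_exe_end(p)].split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def quoted_fix(image_path):
    """The remediation: the same ImagePath with the executable part quoted."""
    p = image_path.strip()
    if not unquoted_with_space(p):
        return p
    end = _exe_end(p)
    return f'"{p[:end]}"{p[end:]}'


def always_install_elevated(hklm_value, hkcu_value):
    """Windows Installer elevates MSI packages only when the value is 1 under
    BOTH HKLM and HKCU; a single 1 has no effect."""
    return hklm_value == 1 and hkcu_value == 1


if __name__ == "__main__":
    for name, path in parse_sc_qc(SC_QC_OUTPUT).items():
        if unquoted_with_space(path):
            print(name, "->", candidate_paths(path), "fix:", quoted_fix(path))
    print("AlwaysInstallElevated effective:", always_install_elevated(1, 1))
```

candidate_paths lists the executables the service control manager would look for before the real one, so those are the directories whose ACLs must not grant write access to ordinary users, and quoted_fix gives the ImagePath the service should have instead. For AlwaysInstallElevated both the HKLM and the HKCU value must be 1 before the policy takes effect, which the check encodes rather than flagging either value on its own.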

Now use the following command to download it from GitHub. As said above, PowerUp is a module of PowerSploit, so we need to download the PowerSploit package.

Again, load PowerShell and then import the downloaded script.

The above command will show that the target is possibly vulnerable to a recommended exploit that can be used to achieve a higher-privilege shell.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets. Contact here