Linux - PrivEsc - First draft
parent
38c3bfbd9f
commit
b9efdb52d3
|
@ -0,0 +1,87 @@
|
|||
# Linux - Privilege Escalation
|
||||
|
||||
## Tools
|
||||
|
||||
- [LinEnum - Scripted Local Linux Enumeration & Privilege Escalation Checks](https://github.com/rebootuser/LinEnum)
|
||||
```powershell
|
||||
./LinEnum.sh -s -k keyword -r report -e /tmp/ -t
|
||||
```
|
||||
- [BeRoot - Privilege Escalation Project - Windows / Linux / Mac](https://github.com/AlessandroZ/BeRoot)
|
||||
- [linuxprivchecker.py - a Linux Privilege Escalation Check Script](https://gist.github.com/sh1n0b1/e2e1a5f63fbec3706123)
|
||||
|
||||
## Checklists
|
||||
|
||||
* Kernel and distribution release details
|
||||
* System Information:
|
||||
* Hostname
|
||||
* Networking details:
|
||||
* Current IP
|
||||
* Default route details
|
||||
* DNS server information
|
||||
* User Information:
|
||||
* Current user details
|
||||
* Last logged on users
|
||||
* Shows users logged onto the host
|
||||
* List all users including uid/gid information
|
||||
* List root accounts
|
||||
* Extracts password policies and hash storage method information
|
||||
* Checks umask value
|
||||
* Checks if password hashes are stored in /etc/passwd
|
||||
* Extract full details for ‘default’ uid’s such as 0, 1000, 1001 etc
|
||||
* Attempt to read restricted files i.e. /etc/shadow
|
||||
* List current users history files (i.e .bash_history, .nano_history etc.)
|
||||
* Basic SSH checks
|
||||
* Privileged access:
|
||||
* Which users have recently used sudo
|
||||
* Determine if /etc/sudoers is accessible
|
||||
* Determine if the current user has Sudo access without a password
|
||||
* Are known ‘good’ breakout binaries available via Sudo (i.e. nmap, vim etc.)
|
||||
* Is root’s home directory accessible
|
||||
* List permissions for /home/
|
||||
* Environmental:
|
||||
* Display current $PATH
|
||||
* Displays env information
|
||||
* Jobs/Tasks:
|
||||
* List all cron jobs
|
||||
* Locate all world-writable cron jobs
|
||||
* Locate cron jobs owned by other users of the system
|
||||
* List the active and inactive systemd timers
|
||||
* Services:
|
||||
* List network connections (TCP & UDP)
|
||||
* List running processes
|
||||
* Lookup and list process binaries and associated permissions
|
||||
* List inetd.conf/xined.conf contents and associated binary file permissions
|
||||
* List init.d binary permissions
|
||||
* Version Information (of the following):
|
||||
* Sudo
|
||||
* MYSQL
|
||||
* Postgres
|
||||
* Apache
|
||||
* Checks user config
|
||||
* Shows enabled modules
|
||||
* Checks for htpasswd files
|
||||
* View www directories
|
||||
* Default/Weak Credentials:
|
||||
* Checks for default/weak Postgres accounts
|
||||
* Checks for default/weak MYSQL accounts
|
||||
* Searches:
|
||||
* Locate all SUID/GUID files
|
||||
* Locate all world-writable SUID/GUID files
|
||||
* Locate all SUID/GUID files owned by root
|
||||
* Locate ‘interesting’ SUID/GUID files (i.e. nmap, vim etc)
|
||||
* Locate files with POSIX capabilities
|
||||
* List all world-writable files
|
||||
* Find/list all accessible *.plan files and display contents
|
||||
* Find/list all accessible *.rhosts files and display contents
|
||||
* Show NFS server details
|
||||
* Locate *.conf and *.log files containing keyword supplied at script runtime
|
||||
* List all *.conf files located in /etc
|
||||
* Locate mail
|
||||
* Platform/software specific tests:
|
||||
* Checks to determine if we're in a Docker container
|
||||
* Checks to see if the host has Docker installed
|
||||
* Checks to determine if we're in an LXC container
|
||||
|
||||
## References
|
||||
|
||||
- []()
|
|
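Review bot: the LinEnum fence holding `./LinEnum.sh -s -k keyword -r report -e /tmp/ -t` is tagged ```powershell, but this is a shell command typed on the Linux target, so tag it ```bash. Three smaller fixes in the same file: "SUID/GUID" in the Searches section should read "SUID/SGID" (the setgid bit; GUID is an unrelated identifier), "xined.conf" should be "xinetd.conf", and the References section is only an empty placeholder `- []()`. The checklist reads as LinEnum's own feature list (it even refers to the "keyword supplied at script runtime", i.e. the `-k` option used above), so the reference should cite the LinEnum README it comes from, or the empty bullet should be dropped until there is something to cite.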
@ -1,5 +1,12 @@
|
|||
# Windows - Privilege Escalation
|
||||
|
||||
## Tools
|
||||
|
||||
- [Watson - Watson is a (.NET 2.0 compliant) C# implementation of Sherlock](https://github.com/rasta-mouse/Watson)
|
||||
- [(Deprecated) Sherlock - PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities](https://github.com/rasta-mouse/Sherlock)
|
||||
- [BeRoot - Privilege Escalation Project - Windows / Linux / Mac](https://github.com/AlessandroZ/BeRoot)
|
||||
- [Windows-Exploit-Suggester](https://github.com/GDSSecurity/Windows-Exploit-Suggester)
|
||||
|
||||
## Windows Version and Configuration
|
||||
|
||||
```powershell
|
||||
|
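Review bot: the new `Windows-Exploit-Suggester` bullet is the only tool entry without a one-line description, unlike the Watson, Sherlock and BeRoot entries around it; add one so the list stays scannable, e.g. `- [Windows-Exploit-Suggester - compares a target's patch level against the Microsoft vulnerability database](https://github.com/GDSSecurity/Windows-Exploit-Suggester)`. Keeping Sherlock with the (Deprecated) tag directly after Watson is the right call, since Watson is described as its replacement.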
@ -211,6 +218,11 @@ The Metasploit module `post/windows/gather/enum_unattend` looks for these files.
|
|||
Get-Childitem –Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue
|
||||
```
|
||||
|
||||
```powershell
|
||||
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
|
||||
C:\inetpub\wwwroot\web.config
|
||||
```
|
||||
|
||||
## Processes Enumeration and Tasks
|
||||
|
||||
What processes are running?
|
||||
|
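Review bot: the second ```powershell block under the web.config search holds two bare file paths, `C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config` and `C:\inetpub\wwwroot\web.config`, not commands, so a reader pasting it gets nothing; either fold them into the preceding fence as comments (`# default locations to check`) or present them as a plain list of default locations. While here, the `Get-Childitem –Path` context line uses a Word-style en dash rather than an ASCII hyphen; normalize it to `-Path` so it copies cleanly.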
@ -292,6 +304,30 @@ wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr
|
|||
gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name
|
||||
```
|
||||
|
||||
## Kernel Exploit
|
||||
|
||||
List of exploits kernel : [https://github.com/SecWiki/windows-kernel-exploits](https://github.com/SecWiki/windows-kernel-exploits)
|
||||
|
||||
##### #Security Bulletin #KB #Description #Operating System
|
||||
- [MS17-017](./MS17-017) [KB4013081] [GDI Palette Objects Local Privilege Escalation] (windows 7/8)
|
||||
- [CVE-2017-8464](./CVE-2017-8464) [LNK Remote Code Execution Vulnerability] (windows 10/8.1/7/2016/2010/2008)
|
||||
- [CVE-2017-0213](./CVE-2017-0213) [Windows COM Elevation of Privilege Vulnerability] (windows 10/8.1/7/2016/2010/2008)
|
||||
- [CVE-2018-0833](./CVE-2018-0833) [SMBv3 Null Pointer Dereference Denial of Service] (Windows 8.1/Server 2012 R2)
|
||||
- [CVE-2018-8120](./CVE-2018-8120) [Win32k Elevation of Privilege Vulnerability] (Windows 7 SP1/2008 SP2,2008 R2 SP1)
|
||||
- [MS17-010](./MS17-010) [KB4013389] [Windows Kernel Mode Drivers] (windows 7/2008/2003/XP)
|
||||
- [MS16-135](./MS16-135) [KB3199135] [Windows Kernel Mode Drivers] (2016)
|
||||
- [MS16-111](./MS16-111) [KB3186973] [kernel api] (Windows 10 10586 (32/64)/8.1)
|
||||
- [MS16-098](./MS16-098) [KB3178466] [Kernel Driver] (Win 8.1)
|
||||
- [MS16-075](./MS16-075) [KB3164038] [Hot Potato] (2003/2008/7/8/2012)
|
||||
- [MS16-034](./MS16-034) [KB3143145] [Kernel Driver] (2008/7/8/10/2012)
|
||||
- [MS16-032](./MS16-032) [KB3143141] [Secondary Logon Handle] (2008/7/8/10/2012)
|
||||
- [MS16-016](./MS16-016) [KB3136041] [WebDAV] (2008/Vista/7)
|
||||
- [MS16-014](./MS16-014) [K3134228] [remote code execution] (2008/Vista/7)
|
||||
...
|
||||
- [MS03-026](./MS03-026) [KB823980] [Buffer Overrun In RPC Interface] (/NT/2000/XP/2003)
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
## References
|
||||
|
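Review bot: the link targets `./MS17-017`, `./CVE-2017-8464`, `./MS16-032` and so on are relative paths copied from the SecWiki repository named one line above, so inside this repository every entry in the list is a dead link; point them at the SecWiki tree (e.g. `https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS17-017`) or keep the text without links. Several entries also do not belong in a privilege escalation list by their own descriptions: CVE-2017-8464 (LNK remote code execution), CVE-2018-0833 (SMBv3 null pointer dereference denial of service) and MS16-014 (remote code execution) are not elevation-of-privilege bugs, and the MS17-010 description `Windows Kernel Mode Drivers` is wrong, that bulletin (KB4013389) is the SMBv1 server fix exploited by EternalBlue. Minor cleanups: there is no Windows "2010" in `(windows 10/8.1/7/2016/2010/2008)` (2012 is presumably meant), `K3134228` is missing the `B`, the `##### #Security Bulletin #KB #Description #Operating System` line abuses an h5 heading as a column legend (a table or a plain line would render properly), and the run of blank lines before `## References` can go.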
@ -302,4 +338,17 @@ gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Whe
|
|||
* [TOP–10 ways to boost your privileges in Windows systems - hackmag](https://hackmag.com/security/elevating-privileges-to-administrative-and-further/)
|
||||
* [The SYSTEM Challenge](https://decoder.cloud/2017/02/21/the-system-challenge/)
|
||||
* [Windows Privilege Escalation Guide - absolomb's security blog](https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/)
|
||||
* [Remediation for Microsoft Windows Unquoted Service Path Enumeration Vulnerability - September 18th, 2016 - Robert Russell](https://www.tecklyfe.com/remediation-microsoft-windows-unquoted-service-path-enumeration-vulnerability/)
|
||||
* [Remediation for Microsoft Windows Unquoted Service Path Enumeration Vulnerability - September 18th, 2016 - Robert Russell](https://www.tecklyfe.com/remediation-microsoft-windows-unquoted-service-path-enumeration-vulnerability/)
|
||||
* [Pentestlab.blog - WPE-01 - Stored Credentials](https://pentestlab.blog/2017/04/19/stored-credentials/)
|
||||
* [Pentestlab.blog - WPE-02 - Windows Kernel](https://pentestlab.blog/2017/04/24/windows-kernel-exploits/)
|
||||
* [Pentestlab.blog - WPE-03 - DLL Injection](https://pentestlab.blog/2017/04/04/dll-injection/)
|
||||
* [Pentestlab.blog - WPE-04 - Weak Service Permissions](https://pentestlab.blog/2017/03/30/weak-service-permissions/)
|
||||
* [Pentestlab.blog - WPE-05 - DLL Hijacking](https://pentestlab.blog/2017/03/27/dll-hijacking/)
|
||||
* [Pentestlab.blog - WPE-06 - Hot Potato](https://pentestlab.blog/2017/04/13/hot-potato/)
|
||||
* [Pentestlab.blog - WPE-07 - Group Policy Preferences](https://pentestlab.blog/2017/03/20/group-policy-preferences/)
|
||||
* [Pentestlab.blog - WPE-08 - Unquoted Service Path](https://pentestlab.blog/2017/03/09/unquoted-service-path/)
|
||||
* [Pentestlab.blog - WPE-09 - Always Install Elevated](https://pentestlab.blog/2017/02/28/always-install-elevated/)
|
||||
* [Pentestlab.blog - WPE-10 - Token Manipulation](https://pentestlab.blog/2017/04/03/token-manipulation/)
|
||||
* [Pentestlab.blog - WPE-11 - Secondary Logon Handle](https://pentestlab.blog/2017/04/07/secondary-logon-handle/)
|
||||
* [Pentestlab.blog - WPE-12 - Insecure Registry Permissions](https://pentestlab.blog/2017/03/31/insecure-registry-permissions/)
|
||||
* [Pentestlab.blog - WPE-13 - Intel SYSRET](https://pentestlab.blog/2017/06/14/intel-sysret/)
|