diff --git a/Methodology and Resources/Linux - Privilege Escalation.md b/Methodology and Resources/Linux - Privilege Escalation.md new file mode 100644 index 0000000..f56c0e3 --- /dev/null +++ b/Methodology and Resources/Linux - Privilege Escalation.md 
@@ -0,0 +1,87 @@ +# Linux - Privilege Escalation + +## Tools + +- [LinEnum - Scripted Local Linux Enumeration & Privilege Escalation Checks](https://github.com/rebootuser/LinEnum) + ```powershell + ./LinEnum.sh -s -k keyword -r report -e /tmp/ -t + ``` +- [BeRoot - Privilege Escalation Project - Windows / Linux / Mac](https://github.com/AlessandroZ/BeRoot) +- [linuxprivchecker.py - a Linux Privilege Escalation Check Script](https://gist.github.com/sh1n0b1/e2e1a5f63fbec3706123) + +## Checklists + +* Kernel and distribution release details +* System Information: + * Hostname + * Networking details: + * Current IP + * Default route details + * DNS server information +* User Information: + * Current user details + * Last logged on users + * Shows users logged onto the host + * List all users including uid/gid information + * List root accounts + * Extracts password policies and hash storage method information + * Checks umask value + * Checks if password hashes are stored in /etc/passwd + * Extract full details for ‘default’ uid’s such as 0, 1000, 1001 etc + * Attempt to read restricted files i.e. /etc/shadow + * List current users history files (i.e .bash_history, .nano_history etc.) + * Basic SSH checks +* Privileged access: + * Which users have recently used sudo + * Determine if /etc/sudoers is accessible + * Determine if the current user has Sudo access without a password + * Are known ‘good’ breakout binaries available via Sudo (i.e. nmap, vim etc.) 
+ * Is root’s home directory accessible + * List permissions for /home/ +* Environmental: + * Display current $PATH + * Displays env information +* Jobs/Tasks: + * List all cron jobs + * Locate all world-writable cron jobs + * Locate cron jobs owned by other users of the system + * List the active and inactive systemd timers +* Services: + * List network connections (TCP & UDP) + * List running processes + * Lookup and list process binaries and associated permissions + * List inetd.conf/xined.conf contents and associated binary file permissions + * List init.d binary permissions +* Version Information (of the following): + * Sudo + * MYSQL + * Postgres + * Apache + * Checks user config + * Shows enabled modules + * Checks for htpasswd files + * View www directories +* Default/Weak Credentials: + * Checks for default/weak Postgres accounts + * Checks for default/weak MYSQL accounts +* Searches: + * Locate all SUID/GUID files + * Locate all world-writable SUID/GUID files + * Locate all SUID/GUID files owned by root + * Locate ‘interesting’ SUID/GUID files (i.e. nmap, vim etc) + * Locate files with POSIX capabilities + * List all world-writable files + * Find/list all accessible *.plan files and display contents + * Find/list all accessible *.rhosts files and display contents + * Show NFS server details + * Locate *.conf and *.log files containing keyword supplied at script runtime + * List all *.conf files located in /etc + * Locate mail +* Platform/software specific tests: + * Checks to determine if we're in a Docker container + * Checks to see if the host has Docker installed + * Checks to determine if we're in an LXC container + +## References + +- []() \ No newline at end of file diff --git a/Methodology and Resources/Metasploit CheatSheet.md b/Methodology and Resources/Metasploit - Cheatsheet.md similarity index 100% rename from Methodology and Resources/Metasploit CheatSheet.md rename to Methodology and Resources/Metasploit - Cheatsheet.md 
diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index d5bc2ea..3a090a8 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md @@ -1,5 +1,12 @@ # Windows - Privilege Escalation +## Tools + +- [Watson - Watson is a (.NET 2.0 compliant) C# implementation of Sherlock](https://github.com/rasta-mouse/Watson) +- [(Deprecated) Sherlock - PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities](https://github.com/rasta-mouse/Sherlock) +- [BeRoot - Privilege Escalation Project - Windows / Linux / Mac](https://github.com/AlessandroZ/BeRoot) +- [Windows-Exploit-Suggester](https://github.com/GDSSecurity/Windows-Exploit-Suggester) + ## Windows Version and Configuration ```powershell @@ -211,6 +218,11 @@ The Metasploit module `post/windows/gather/enum_unattend` looks for these files. Get-Childitem –Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue ``` +```powershell +C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config +C:\inetpub\wwwroot\web.config +``` + ## Processes Enumeration and Tasks What processes are running? 
@@ -292,6 +304,30 @@ wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name ``` +## Kernel Exploit + +List of exploits kernel : [https://github.com/SecWiki/windows-kernel-exploits](https://github.com/SecWiki/windows-kernel-exploits) + +##### #Security Bulletin   #KB     #Description    #Operating System +- [MS17-017](./MS17-017)  [KB4013081]  [GDI Palette Objects Local Privilege Escalation]  (windows 7/8) +- [CVE-2017-8464](./CVE-2017-8464)  [LNK Remote Code Execution Vulnerability]  (windows 10/8.1/7/2016/2010/2008) +- [CVE-2017-0213](./CVE-2017-0213)  [Windows COM Elevation of Privilege Vulnerability]  (windows 10/8.1/7/2016/2010/2008) +- [CVE-2018-0833](./CVE-2018-0833) [SMBv3 Null Pointer Dereference Denial of Service] (Windows 8.1/Server 2012 R2) +- [CVE-2018-8120](./CVE-2018-8120) [Win32k Elevation of Privilege Vulnerability] (Windows 7 SP1/2008 SP2,2008 R2 SP1) +- [MS17-010](./MS17-010)  [KB4013389]  [Windows Kernel Mode Drivers]  (windows 7/2008/2003/XP) +- [MS16-135](./MS16-135)  [KB3199135]  [Windows Kernel Mode Drivers]  (2016) +- [MS16-111](./MS16-111)  [KB3186973]  [kernel api]  (Windows 10 10586 (32/64)/8.1) +- [MS16-098](./MS16-098)  [KB3178466]  [Kernel Driver]  (Win 8.1) +- [MS16-075](./MS16-075)  [KB3164038]  [Hot Potato]  (2003/2008/7/8/2012) +- [MS16-034](./MS16-034)  [KB3143145]  [Kernel Driver]  (2008/7/8/10/2012) +- [MS16-032](./MS16-032)  [KB3143141]  [Secondary Logon Handle]  (2008/7/8/10/2012) +- [MS16-016](./MS16-016)  [KB3136041]  [WebDAV]  (2008/Vista/7) +- [MS16-014](./MS16-014)  [K3134228]  [remote code execution]  (2008/Vista/7) +... +- [MS03-026](./MS03-026)  [KB823980]   [Buffer Overrun In RPC Interface]  (/NT/2000/XP/2003) + + + ## References 
@@ -302,4 +338,17 @@ gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Whe * [TOP–10 ways to boost your privileges in Windows systems - hackmag](https://hackmag.com/security/elevating-privileges-to-administrative-and-further/) * [The SYSTEM Challenge](https://decoder.cloud/2017/02/21/the-system-challenge/) * [Windows Privilege Escalation Guide - absolomb's security blog](https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/) -* [Remediation for Microsoft Windows Unquoted Service Path Enumeration Vulnerability - September 18th, 2016 - Robert Russell](https://www.tecklyfe.com/remediation-microsoft-windows-unquoted-service-path-enumeration-vulnerability/) \ No newline at end of file +* [Remediation for Microsoft Windows Unquoted Service Path Enumeration Vulnerability - September 18th, 2016 - Robert Russell](https://www.tecklyfe.com/remediation-microsoft-windows-unquoted-service-path-enumeration-vulnerability/) +* [Pentestlab.blog - WPE-01 - Stored Credentials](https://pentestlab.blog/2017/04/19/stored-credentials/) +* [Pentestlab.blog - WPE-02 - Windows Kernel](https://pentestlab.blog/2017/04/24/windows-kernel-exploits/) +* [Pentestlab.blog - WPE-03 - DLL Injection](https://pentestlab.blog/2017/04/04/dll-injection/) +* [Pentestlab.blog - WPE-04 - Weak Service Permissions](https://pentestlab.blog/2017/03/30/weak-service-permissions/) +* [Pentestlab.blog - WPE-05 - DLL Hijacking](https://pentestlab.blog/2017/03/27/dll-hijacking/) +* [Pentestlab.blog - WPE-06 - Hot Potato](https://pentestlab.blog/2017/04/13/hot-potato/) +* [Pentestlab.blog - WPE-07 - Group Policy Preferences](https://pentestlab.blog/2017/03/20/group-policy-preferences/) +* [Pentestlab.blog - WPE-08 - Unquoted Service Path](https://pentestlab.blog/2017/03/09/unquoted-service-path/) +* [Pentestlab.blog - WPE-09 - Always Install Elevated](https://pentestlab.blog/2017/02/28/always-install-elevated/) +* [Pentestlab.blog - WPE-10 - Token 
Manipulation](https://pentestlab.blog/2017/04/03/token-manipulation/) +* [Pentestlab.blog - WPE-11 - Secondary Logon Handle](https://pentestlab.blog/2017/04/07/secondary-logon-handle/) +* [Pentestlab.blog - WPE-12 - Insecure Registry Permissions](https://pentestlab.blog/2017/03/31/insecure-registry-permissions/) +* [Pentestlab.blog - WPE-13 - Intel SYSRET](https://pentestlab.blog/2017/06/14/intel-sysret/) \ No newline at end of file
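Review bot: In the new `Linux - Privilege Escalation.md`, the LinEnum snippet is fenced as ```powershell although `./LinEnum.sh -s -k keyword -r report -e /tmp/ -t` is a shell invocation; tag the fence `bash` (or `sh`) so highlighting and any tooling match the command. Two checklist items also need a fix: "xined.conf" should read `xinetd.conf`, and "SUID/GUID" should be `SUID/SGID` (setgid), since GUID means something unrelated. Finally, the `## References` section contains only the empty placeholder `- []()`, which renders as a blank link; either add the source the checklist was derived from or drop the section until there is something to cite.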
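Review bot: In the first Windows hunk, the added ```powershell block under the web.config search lists two bare paths (`C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config`, `C:\inetpub\wwwroot\web.config`) with no command, so it is not something a reader can paste and run, and it is easy to mistake for output of the `Get-Childitem` line above it. Either introduce it with a short sentence such as "Common locations to check:" or make it an actual command, e.g. `Get-Content C:\inetpub\wwwroot\web.config`. A small nit in the Tools list: the Watson entry repeats the name in its description ("Watson - Watson is a ..."); trim to "Watson - .NET 2.0 compliant C# implementation of Sherlock".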
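Review bot: The `## Kernel Exploit` hunk copies entries from the SecWiki repository with their relative links (`./MS17-017`, `./CVE-2017-8464`, ..., `./MS03-026`) intact; those directories do not exist under `Methodology and Resources/`, so every link will 404 in this repo. Point them at the upstream repository (e.g. `https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS17-017`) or make them plain text. The column header is faked with a `#####` heading containing `#Security Bulletin #KB #Description #Operating System`; a markdown table would render the four columns properly. The descriptions also need a pass before merging: MS17-010 (KB4013389) is the SMBv1 bulletin, not "Windows Kernel Mode Drivers"; CVE-2017-8464 is labelled "LNK Remote Code Execution" and CVE-2018-0833 "Denial of Service", neither of which is a local privilege escalation and so neither belongs in this section as written; "windows 10/8.1/7/2016/2010/2008" lists a Windows release ("2010") that does not exist; and "K3134228" is missing the `B`. If the `...` line is intentional, say the list is abridged and link to the full table rather than leaving a bare ellipsis. Minor: "List of exploits kernel" should read "List of kernel exploits".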
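Review bot: The References hunk is fine content-wise, but the file still ends without a trailing newline (`\ No newline at end of file` appears on both the removed and the added last line), and the new `Linux - Privilege Escalation.md` has the same issue; add the final newline to both so future diffs to the last line stay clean.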