Privilege Escalation on Linux
-
Tools for enumeration
-
PowerUp (https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1)
-
SharpUp (https://github.com/GhostPack/SharpUp) - useful when PowerShell is not available
-
SharpUp - pre-compiled binary (https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/blob/master/SharpUp.exe)
-
Seatbelt (https://github.com/GhostPack/Seatbelt) - pre-compiled binaries (https://github.com/r3motecontrol/Ghostpack-CompiledBinaries)
-
WinPEAS (to enable colored output, run this at the prompt first:
C:\> reg add HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1)
-
-
Kernel exploit enumeration tools
-
Windows Exploit Suggester (https://github.com/bitsadmin/wesng)
$ python wes.py /tools/systeminfo.txt -i 'Elevation of Privilege' --exploits-only
-
Pre-compiled exploits (https://github.com/SecWiki/windows-kernel-exploits)
-
accesschk (https://docs.microsoft.com/en-us/sysinternals/downloads/accesschk)
Check what permissions a given user has on a service:
accesschk /accepteula -ucqv user <service name>
Check which directories under C:\ the current user can write to:
accesschk /accepteula -uwdq C:\
-
-
Services exploits
-
List services
sc query
Query service configuration
sc qc <service name>
Query current status
sc query <service name>
Modify service configuration
sc config <service name> <option>= <value>
Stop/Start service
net start <service name>
net stop <service name>
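As an added example (not part of this cheat sheet), a PowerShell audit that reports the service misconfigurations the sc and accesschk commands above are used to find: unquoted service paths containing spaces, and service binaries or their directories writable by broad groups. The group list and the write-right mask are assumptions; run it elevated so every service's binary is readable.

```powershell
# Added audit script, not from the original page. Reports services with an unquoted
# ImagePath containing spaces, or whose binary/directory grants write access to broad
# groups. Group names and the rights treated as "write" are assumptions.
$broadGroups = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone',
                 'NT AUTHORITY\INTERACTIVE')
$writeRights = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, WriteData, AppendData'

function Get-ServiceBinaryPath {
    param([string]$ImagePath)
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -lt 0) { return $p.Trim('"') }
        return $p.Substring(1, $end - 1)
    }
    # Unquoted path: take everything up to and including the first ".exe"
    $idx = $p.ToLower().IndexOf('.exe')
    if ($idx -ge 0) { return $p.Substring(0, $idx + 4) }
    return ($p -split ' ')[0]
}

function Test-BroadWriteAccess {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broadGroups -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeRights) -ne 0) { return $true }
    }
    return $false
}

$findings = foreach ($svc in Get-CimInstance Win32_Service) {
    if (-not $svc.PathName) { continue }
    $raw = $svc.PathName
    $bin = Get-ServiceBinaryPath $raw
    # Unquoted paths only matter when the binary path itself contains a space
    $unquoted = (-not $raw.Trim().StartsWith('"')) -and ($bin -match ' ')
    $writableBin = Test-BroadWriteAccess $bin
    $writableDir = Test-BroadWriteAccess (Split-Path -Parent $bin)
    if ($unquoted -or $writableBin -or $writableDir) {
        [pscustomobject]@{
            Service = $svc.Name; RunsAs = $svc.StartName; ImagePath = $raw
            UnquotedPath = $unquoted; BinaryWritable = $writableBin; DirWritable = $writableDir
        }
    }
}
$findings | Format-Table -AutoSize
```

Each reported service should have its ImagePath quoted (sc config <service name> binPath= "<quoted path>") and the binary/directory ACL tightened so only administrators and SYSTEM can write.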
-
-
Registry enumeration
-
Check current values of a service's registry key (regsvc is used as the example service)
reg query HKLM\SYSTEM\CurrentControlSet\services\regsvc
Override a value in the registry
reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v <parameter> /t REG_EXPAND_SZ /d <value> /f
Autorun programs
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Check for passwords in the registry
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
Check for passwords in config files
dir /s *pass* == *.config
findstr /si password *.xml *.ini *.txt
-
-
SAM and System files
- SAM and SYSTEM files can be located at: C:\Windows\System32\config
- Backups of these files can be located at: C:\Windows\Repair or C:\Windows\System32\config\RegBack
- samdump or pwdump tools can dump hashes from these files. Use https://github.com/CiscoCXSecurity/creddump7.git to download the creddump7 suite.
-
Startup apps can be found at:
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp