Privilege Escalation on Linux


OSCP Notes

  1. Tools for enumeration

  2. Kernel exploit enumeration tools

  3. Services exploits

    • List services

      sc query

    • Query service configuration

      sc qc <service name>

    • Query current status

      sc query <service name>

    • Modify service configuration

      sc config <service name> <option>= <value>

    • Stop/Start service

      net start/stop <service name>

  4. Registry enumeration

    • Check current values of a service's registry key (regsvc used as the example service)

      reg query HKLM\SYSTEM\CurrentControlSet\services\regsvc

    • Override a value in registry

      reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v <parameter> /t REG_EXPAND_SZ /d <value> /f

    • Autorun Programs

      reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    • Check for passwords

      reg query HKLM /f password /t REG_SZ /s

      reg query HKCU /f password /t REG_SZ /s

    • Check for config files

      dir /s *pass* == *.config

      findstr /si password *.xml *.ini *.txt
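As an added example (not part of the original notes), this read-only PowerShell audit checks the same Run key and per-service registry keys for binaries writable by non-administrative groups, the misconfiguration the `sc config` / `reg add` steps depend on. It assumes Windows PowerShell 5 or later run with administrator rights and only reports; tightening the ACL (for example with icacls) is left to the operator.

```powershell
# Added audit example, not from the original notes. Read-only: reports Autorun and
# service binaries that Users/Everyone/Authenticated Users can write to. Assumes
# Windows PowerShell 5+ run with administrator rights so every key is readable.
$weakIdentities = 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users'
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'

function Get-ExePath([string]$cmdline) {
    # Recover the executable from an ImagePath / Run value: quoted path or first token.
    $cmdline = [Environment]::ExpandEnvironmentVariables($cmdline)
    if ($cmdline -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($cmdline.Trim() -split '\s+')[0]
}

function Test-WeakAcl([string]$path) {
    # Kernel driver paths (\SystemRoot\...) and relative paths fail Test-Path and are skipped.
    if (-not $path -or -not (Test-Path -LiteralPath $path -PathType Leaf)) { return $false }
    foreach ($ace in (Get-Acl -LiteralPath $path).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $weakIdentities -contains $ace.IdentityReference.Value -and
            (($ace.FileSystemRights -band $writeMask) -ne 0)) { return $true }
    }
    return $false
}

$findings = @()
# Autorun entries: the same key the notes query with reg query.
$run = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($p in $run.PSObject.Properties) {
    if ($p.Name -like 'PS*') { continue }   # skip the provider's PSPath/PSParentPath/... metadata
    $exe = Get-ExePath $p.Value
    if (Test-WeakAcl $exe) { $findings += [pscustomobject]@{ Source = 'Run'; Name = $p.Name; Path = $exe } }
}
# Service ImagePath values: the per-service keys the notes read and override with reg add.
foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
    $img = (Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue).ImagePath
    if (-not $img) { continue }
    $exe = Get-ExePath $img
    if (Test-WeakAcl $exe) { $findings += [pscustomobject]@{ Source = 'Service'; Name = $svc.PSChildName; Path = $exe } }
}
$findings | Format-Table -AutoSize
```

An empty table means no Run or service binary on the host is writable by the three broad groups checked; any row is a candidate for an ACL fix and for alerting on modifications to that path.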

  5. SAM and System files

    • SAM and SYSTEM hive files are located at C:\Windows\System32\config
    • Backups of these files can be located at C:\Windows\Repair or C:\Windows\System32\config\RegBack
    • Tools such as samdump or pwdump can extract the hashes from these files. Use https://github.com/CiscoCXSecurity/creddump7.git to download the creddump7 suite.
  6. Startup apps can be found at:

    • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp