General Info
Understanding Yourself & Context
The moment you gain access to a system, the first step is to fully understand the user the shell is running as: the account name, its context (local or domain account), the groups it belongs to and the privileges it holds. Each of these determines which escalation paths are open.
This command displays the username the shell is running as:
whoami
The above command is available on both Windows and Linux. On Windows, whoami /priv and whoami /groups additionally show the token's privileges and group memberships, which matter more than the name itself.
Details about the User
Once you know the name of the user the shell is running under, you can gather more information about that account.
net user <username>
This Windows command shows the account's password settings (last set, expiry), the workstations it may log on to, its home directory, and its local and global group memberships.
The Linux equivalent prints the user's UID, GID and the groups the account belongs to:
id
Other Users
The next step is to identify the other accounts present on the same system.
net user
The above command is Windows based. On Linux the same information comes from the passwd file, which is world-readable; accounts with a real login shell (rather than nologin or false), and any UID 0 entry other than root, are the ones worth a closer look.
cat /etc/passwd
Hostname
The hostname can give away a lot about the system's role, such as whether it is a web server, database server or domain controller, and often reveals the naming convention used across the network.
hostname
OS Details
Next, gather information about the operating system, which is needed to match kernel and OS-level exploits to the target:
Windows
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
Linux
cat /etc/issue
cat /etc/*-release
uname -a
Running Services & Processes
Once we know the operating system, gather the running processes and services, since these are the candidates for exploitation:
Windows
tasklist /SVC
Linux
ps axu
Identifying the services and processes running as root or as SYSTEM/Administrator is useful for privilege escalation: a flaw in one of these yields those privileges directly. On Windows, tasklist /SVC also maps each process to the services it hosts.
Networking Information
The next step is to identify the IP addresses assigned to the system and the applications listening on each port. Even if you port-scanned the host from outside, many services bind only to the loopback address (127.0.0.1 or ::1) and are reachable solely from the host itself, so they never appeared in that scan.
Windows
ipconfig /all
route print
netstat -ano
Linux
ip a
/sbin/route
ss -anp
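As an added example (not part of the original page), the following script filters ss -tlnp output down to the loopback-only listeners described above, which are the services an external scan misses. The ss output embedded in it is constructed, not captured from a real host, and the process names and ports in it are illustrative.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): pick out services that listen only
# on loopback from `ss -tlnp` output, since these never show up in an external scan.

# Constructed sample of `ss -tlnp` output for offline use (not from a real host).
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       80      127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=1044,fd=21))
LISTEN  0       511     127.0.0.1:6379       0.0.0.0:*          users:(("redis-server",pid=1102,fd=6))
LISTEN  0       128     [::1]:8080           [::]:*             users:(("java",pid=1310,fd=45))
LISTEN  0       128     *:80                 *:*                users:(("nginx",pid=901,fd=6))'

# Read ss output on stdin; print "port process" for each LISTEN socket bound to
# 127.0.0.1 or ::1. The process column is empty when ss runs without permission
# to see other users' sockets, so fall back to "?" in that case.
loopback_listeners() {
  awk '$1 == "LISTEN" && ($4 ~ /^127\.0\.0\.1:/ || $4 ~ /^\[::1\]:/) {
         port = $4; sub(/^.*:/, "", port)
         proc = $6
         sub(/^users:\(\("/, "", proc); sub(/".*$/, "", proc)
         if (proc == "") proc = "?"
         print port, proc
       }'
}

# Run against the live system (needs `ss` from iproute2).
live_loopback_listeners() {
  ss -tlnp 2>/dev/null | loopback_listeners
}

# Demo on the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_SS" | loopback_listeners
```

Anything this prints is a target for local exploitation or for port forwarding back to the attacker; with the sample above that is the MySQL, Redis and Java services, while sshd and nginx are dropped because they are already reachable externally.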
Firewalls & Access Permissions
Firewall rules are crucial for privilege escalation and lateral movement: a service that was unreachable from a remote host because of the firewall may well be reachable locally, and knowing the rules shows what can be tunnelled or port-forwarded to carry the attack further into the network.
Windows
netsh advfirewall show currentprofile
netsh advfirewall firewall show rule name=all
Linux
On Linux, reading the live iptables rules requires root, so an unprivileged user cannot query them directly. However, rule files saved to disk may be readable, so check the usual locations under /etc.
ls -la /etc/iptables/
Look for saved rule files (for example rules.v4 and rules.v6) left behind with weak permissions.
history | grep "iptables-save"
If the user has run this command, the firewall rules were dumped into the file named in that command and may still be readable. Note that history only covers the current shell; the .bash_history files in any readable home directories deserve the same grep.
Scheduled Tasks
Scheduled tasks are one of the easiest privilege escalation paths to exploit. In many cases the task is created by a user with higher privileges but runs a script or binary whose permissions are weak. Check whether the target file, the directory it lives in, or any program it calls can be modified or replaced by the current user, so that the next scheduled run executes our code with the task owner's privileges.
Windows
schtasks /query /fo LIST /v
Linux
ls -lah /etc/cron*
cat /etc/crontab
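As an added example (not from the original page), the following script automates the check described above: it extracts the command paths from crontab-style entries and reports the ones the current user could modify, or create because the containing directory is writable. The crontab contents and file paths in the demo are constructed for illustration; on a real host the live_check function points it at /etc/crontab and /etc/cron.d.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): pull the command paths out of
# system crontab entries and report the ones the current user can modify or
# create, i.e. the cron jobs that could be hijacked.

# Read crontab-format files (or stdin) and print every absolute path that appears
# in a job's command. Comments, blank lines and VAR=value lines are skipped; the
# command starts at field 7 for normal entries and field 3 for @reboot-style ones.
# Paths under /dev are dropped because redirects to /dev/null are not targets.
cron_targets() {
  awk '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ || /^[A-Za-z_][A-Za-z0-9_]*=/ { next }
    {
      start = ($1 ~ /^@/) ? 3 : 7
      for (i = start; i <= NF; i++)
        if ($i ~ /^\// && $i !~ /^\/dev\//) print $i
    }' "$@"
}

# For each target: WRITABLE if we can modify it, MISSING-BUT-CREATABLE if it does
# not exist but we can write to its directory (cron will run whatever we drop there).
# Run this as the unprivileged user: -w is always true for root.
writable_cron_targets() {
  cron_targets "$@" | sort -u | while IFS= read -r path; do
    if [ -w "$path" ]; then
      printf 'WRITABLE %s\n' "$path"
    elif [ ! -e "$path" ] && [ -w "$(dirname "$path")" ]; then
      printf 'MISSING-BUT-CREATABLE %s\n' "$path"
    fi
  done
}

# Offline demo: build a constructed crontab in a temp dir (hypothetical paths)
# and run the check against it; prints the findings.
demo() {
  tmp=$(mktemp -d)
  : > "$tmp/backup.sh"          # exists and is owned by us, hence writable
  cat > "$tmp/crontab" <<EOF
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/5 *   * * *   root    /bin/bash $tmp/backup.sh >/dev/null 2>&1
@reboot         root    $tmp/cleanup.sh
EOF
  writable_cron_targets "$tmp/crontab"
  rm -rf "$tmp"
}

# On a live system, check the system crontab and the cron.d drop-in files.
live_check() {
  writable_cron_targets /etc/crontab /etc/cron.d/* 2>/dev/null
}

demo
```

A WRITABLE hit on a root job is a direct escalation: append a command to the script and wait for the next run. The MISSING-BUT-CREATABLE case is the same idea for a job whose script was deleted but whose entry was left behind.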
Applications & Versions
Another method is to list the installed applications and their versions, then look for known vulnerabilities and public exploits affecting those versions.
Windows
wmic product get name, version, vendor
wmic qfe get Caption, Description, HotFixID, InstalledOn
The second command lists the installed hotfixes (Windows updates), which shows which patches the system is missing. Note that wmic is deprecated in recent Windows releases and may not be present.
Linux
dpkg -l
Readable & Writable Files
Knowing which files and directories the current user can read or write comes in handy when combined with the earlier findings, such as a scheduled task that runs a writable script or an installed application that loads files from a writable directory. The command below lists writable directories; use -type f instead of -type d to list writable files.
Linux
find / -writable -type d 2>/dev/null
Mounted Drives
Drives are usually mounted at boot, but disks or partitions may be attached to the system without being mounted, and fstab entries may reference network shares together with credentials. Both can hold data that proves useful for privilege escalation.
Windows
mountvol
Linux
cat /etc/fstab
The following command lists all block devices, mounted or not:
/bin/lsblk
Device Drivers & Kernel Modules
Just as applications and services can be exploited, device drivers and the kernel itself may carry flaws that can be exploited, typically by matching a loaded version against a public exploit.
Windows
driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start Mode', Path
The above command (run from PowerShell, which supplies ConvertFrom-CSV) lists the drivers loaded on the target. We also need the version of each driver, which the following command retrieves; the Where-Object filter narrows the output to VMware drivers as an example and can be changed or dropped:
Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion, Manufacturer | Where-Object {$_.DeviceName -like "*VMware*"}
Linux
lsmod
Once we have the list of loaded modules from the above command, we can gather details (version, file path, parameters) about a specific module, for example libata:
/sbin/modinfo libata
AutoElevating Binaries
There is a registry setting "AlwaysInstallElevated" which allows any user to run Windows Installer packages (MSI files) with elevated privileges. For this to be exploitable, the value must be set to 1 under both HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE; if either is missing or 0, the policy does not apply.
reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
If both values are set, a malicious MSI can be built and installed to run our payload as NT AUTHORITY\SYSTEM.
Similarly, on Linux an executable normally runs with the privileges of the user who launches it. If the SUID bit is set, it instead runs with the effective user ID of the file's owner, so a root-owned SUID binary that can be abused to spawn a shell or read arbitrary files gives root. The following lists all SUID binaries on the system:
find / -perm -u=s -type f 2>/dev/null
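As an added example (not from the original page), the following script wraps the find command above and compares the result against a baseline of setuid binaries that normally ship with a Debian/Ubuntu-style system, so that only the unusual SUID files are printed together with their owner. The baseline list and the file names used in the demo are assumptions for illustration, not something taken from the page.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): list SUID binaries and flag the ones
# that are not in a baseline of well-known setuid programs, so unusual candidates
# (custom tools, copies of shells, etc.) stand out for closer review.

# Baseline of setuid binaries normally shipped by Debian/Ubuntu-style systems.
# This is an assumed list for illustration; adjust it for the target distribution.
BASELINE_SUID='passwd chsh chfn gpasswd newgrp su sudo mount umount ping fusermount3 pkexec'

# Print SUID regular files under the given roots (default: /). Errors from
# unreadable directories are silenced, as in the page's find command.
find_suid() {
  [ $# -eq 0 ] && set -- /
  find "$@" -type f -perm -4000 2>/dev/null
}

# Read paths on stdin; print "owner path" for each one whose basename is not in
# the baseline. A root-owned SUID file with an unfamiliar name is the interesting
# case; one owned by an unprivileged user only grants that user's rights.
unusual_suid() {
  while IFS= read -r path; do
    name=$(basename "$path")
    case " $BASELINE_SUID " in
      *" $name "*) ;;                          # known, skip
      *) owner=$(ls -ld "$path" | awk '{print $3}')
         printf '%s %s\n' "$owner" "$path" ;;
    esac
  done
}

# Full scan of the live system:  find_suid | unusual_suid
# Below: offline demo on a constructed directory, since a real scan depends on the host.
demo() {
  tmp=$(mktemp -d)
  for f in passwd su backup_tool; do       # hypothetical file names
    : > "$tmp/$f"
    chmod u+s "$tmp/$f"                    # setuid bit on files we own
  done
  : > "$tmp/plain"                         # no setuid bit, must not be listed
  find_suid "$tmp" | unusual_suid
  rm -rf "$tmp"
}

demo
```

Each unusual entry should then be checked by hand: what the binary does, whether it calls other programs by relative path or reads environment-controlled files, and whether its version has a known escalation. Matching the baseline is not a clean bill of health either, since a known binary can still be an outdated, vulnerable version.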