General Info

Understanding Yourself & Context

The moment you gain access to a system, the first step is to fully understand the account you are logged in as: its name, the context it runs in, the groups it belongs to and the privileges it holds. Everything that follows (what you can read, write or execute) depends on this.

This command displays the username the shell is running as,

whoami

The above command is available on both Windows and Linux.

Details about the User

Once you know the name of the user that the shell is running under, you can gather more info about that user.

net user <username>

This Windows command shows the local account's password profile (last set, expiry), permitted workstations and logon hours, home directory and local and global group memberships. For a domain account, add /domain to query the domain controller instead of the local SAM.

The closest Linux equivalent, which prints the UID, primary GID and every supplementary group of the current user,

id

Other Users

The next step is to identify the other accounts that exist on the same system.

net user

The above is a Windows command; on Linux the same information is in the passwd file, which is world-readable by design.

cat /etc/passwd
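Reading the whole passwd file is fine on a small box, but what you actually want from it is short: which accounts can log in, and whether any account other than root has UID 0. The script below is an added example (not code from the original page); the passwd text it runs on is a constructed sample, and the account names in it are made up.

```bash
#!/bin/bash
# Added example: triage accounts from passwd-format text.
# SAMPLE_PASSWD is a constructed sample, not copied from any real host.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
backup_admin:x:0:0:backup:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc-web:x:1001:1001::/var/www:/bin/false
bob:x:1002:1002:Bob:/home/bob:/bin/zsh'

# Accounts with an interactive shell: targets for credential reuse, sudo rules,
# readable home directories. Reads passwd-format text on stdin and prints
# "name uid shell".
login_accounts() {
    awk -F: '$7 !~ /(nologin|false|sync|halt|shutdown)$/ { print $1, $3, $7 }'
}

# Any account other than root with UID 0 is root in all but name: a backdoor
# or a misconfiguration either way. Prints the account names.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# On a live host, run the same checks against the real file.
live_triage() {
    echo "[*] current user: $(id)"
    echo "[*] interactive accounts:"; login_accounts < /etc/passwd
    echo "[*] extra UID 0 accounts:"; extra_uid0 < /etc/passwd
}

# Demo run against the constructed sample.
printf '%s\n' "$SAMPLE_PASSWD" | login_accounts
printf '%s\n' "$SAMPLE_PASSWD" | extra_uid0
```

On a host that uses LDAP, NIS or SSSD, /etc/passwd does not contain every account; pipe the output of getent passwd into the same functions to cover those as well.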

Hostname

The hostname often encodes the role of the system (web server, database, domain controller) and sometimes its environment or site, so note it before going further.

hostname

OS Details

Next we gather info about the operating system,

Windows

systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"

Linux

cat /etc/issue
cat /etc/*-release
uname -a

Running Services & Processes

Once we know the operating system, gather the running processes and services; these are what we will check for exploitable versions and misconfigurations,

Windows

tasklist /SVC

Linux

ps axu

Services and processes running as root, SYSTEM or Administrator deserve the most attention: a weakness in one of them converts directly into those privileges.

Networking Information

Next, identify the IP addresses assigned to the system (it may sit on networks you have not seen yet) and the applications listening on each port. Even if you port-scanned the host from outside, many services bind only to the loopback address 127.0.0.1 and are visible only from a shell on the host itself.

Windows

ipconfig /all
route print
netstat -ano

Linux

ip a
/sbin/route
ss -anp
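The loopback-only listeners are the ones an external scan missed, so it is worth pulling them out of the socket listing rather than reading the whole table. The script below is an added example, not code from the original page; it parses text in the format of ss -lntp, and the listing it runs on here is a constructed sample with made-up process names and PIDs.

```bash
#!/bin/bash
# Added example: pick out services bound only to loopback from ss output.
# SAMPLE_SS is a constructed capture in `ss -lntp` format, not from a real host.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=812,fd=21))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=501,fd=3))
LISTEN 0      511    127.0.0.1:8080      0.0.0.0:*         users:(("java",pid=1203,fd=45))
LISTEN 0      128    [::1]:6379          [::]:*            users:(("redis-server",pid=733,fd=6))
LISTEN 0      128    *:443               *:*               users:(("nginx",pid=900,fd=7))'

# Reads `ss -lntp`-style text on stdin and prints "port process" for every
# TCP listener bound to 127.0.0.1 or ::1. These never appear in an external
# port scan but are reachable from the shell we already have. Without root,
# ss cannot show the owning process of other users' sockets, so "-" is printed.
loopback_listeners() {
    awk '
        $1 == "LISTEN" && ($4 ~ /^127\./ || $4 ~ /^\[::1\]/) {
            n = split($4, a, ":"); port = a[n]
            proc = "-"
            if (match($0, /"[^"]+"/)) proc = substr($0, RSTART + 1, RLENGTH - 2)
            print port, proc
        }'
}

# The counterpart question: which listeners are bound to all interfaces
# (0.0.0.0, * or [::]) and therefore reachable from the network. Prints ports.
exposed_listeners() {
    awk '
        $1 == "LISTEN" && ($4 ~ /^(0\.0\.0\.0|\*|\[::\]):/) {
            n = split($4, a, ":"); print a[n]
        }'
}

# On a live host: ss -lntp | loopback_listeners
printf '%s\n' "$SAMPLE_SS" | loopback_listeners
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
```

Once a loopback-only service is known, the usual next step is to reach it through the existing shell (directly, or by forwarding the port out over SSH or a tunnel) and treat it like any other exposed service.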

Firewalls & Access Permissions

Firewall rules matter for privilege escalation and for moving further into the network: a service that is filtered from the outside may be fully reachable from a shell on the host, and knowing the rules tells you which ports can be used for tunnelling and port forwarding to reach other systems.

Windows

netsh advfirewall show currentprofile
netsh advfirewall firewall show rule name=all

Linux

On Linux, listing the iptables rules requires root (CAP_NET_ADMIN), so a low-privileged user cannot read them directly. Rule files and backups left on disk are a different matter: check the usual locations under /etc and the shell history for saved dumps.

ls -la /etc/iptables/

Look for firewall rule files (saved rule sets, backups, .bak copies) that may have been left around with weak permissions.

history | grep "iptables-save"

iptables-save writes the rule set to standard output, so if the user ran it with a redirect, the rules were dumped into the file named after the > in that history entry; check whether that file is readable. The history builtin only knows the current shell's history, so from a non-interactive shell read the history files (the user's .bash_history and any other users' history files you can read) directly.
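The search for dumps is easy to automate: extract the redirect target of every iptables-save command in a history file and test whether it is readable. The script below is an added example, not code from the original page; it builds a constructed history file and rule dump in a temporary directory, so the paths and rules in it are made up.

```bash
#!/bin/bash
# Added example: recover firewall rule dumps from shell history.
# Builds a constructed history file in a temp dir; nothing here is from a real host.
setup_demo() {
    DEMO=$(mktemp -d)
    mkdir -p "$DEMO/etc/iptables"
    printf '# Generated by iptables-save\n*filter\n:INPUT DROP [0:0]\n-A INPUT -i lo -j ACCEPT\n-A INPUT -p tcp --dport 22 -j ACCEPT\nCOMMIT\n' \
        > "$DEMO/etc/iptables/rules.v4"
    chmod 644 "$DEMO/etc/iptables/rules.v4"          # readable: the interesting case
    printf '%s\n' \
        'ls -la' \
        "sudo iptables-save > $DEMO/etc/iptables/rules.v4" \
        'sudo iptables-save >> /root/fw-backup.rules' \
        'sudo iptables -L -n' \
        > "$DEMO/.bash_history"
    echo "$DEMO"
}

# Print every file path that appears as the redirect target (> or >>) of an
# iptables-save command in the given history file(s).
iptables_dump_paths() {
    cat "$@" 2>/dev/null | sed -n 's/.*iptables-save[^>]*>>\{0,1\}[[:space:]]*\([^[:space:];&|]*\).*/\1/p'
}

# For each path on stdin, report whether the dump is readable by the current
# user. A readable dump gives the full rule set without CAP_NET_ADMIN.
check_dumps() {
    while read -r p; do
        if [ -r "$p" ]; then echo "readable $p"; else echo "unreadable $p"; fi
    done
    return 0
}

# On a live host: history files of every user you can read, plus /etc/iptables.
live_check() {
    iptables_dump_paths ~/.bash_history /home/*/.bash_history /root/.bash_history | check_dumps
    ls -la /etc/iptables/ 2>/dev/null || true
}

# Demo run against the constructed layout.
D=$(setup_demo)
iptables_dump_paths "$D/.bash_history" | check_dumps
rm -rf "$D"
```

The same pattern (grep the history for a tool, pull out the file it wrote, test readability) applies to other privileged dumps people leave behind, such as database exports and tar backups of /etc.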

Scheduled Tasks

Scheduled tasks are among the easiest privilege escalation paths. They are typically created by a privileged user (root or SYSTEM) but run scripts or binaries whose permissions allow a lower-privileged user to modify them. The check is whether the file the task executes, the directory it lives in, or anything it calls can be hijacked so that our code runs with the task's privileges.

Windows

schtasks /query /fo LIST /v

Linux

ls -lah /etc/cron*
cat /etc/crontab
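The manual version of this check is to read each cron line, find the script it runs and look at the permissions of that script and its directory. The script below automates exactly that for the system crontab format. It is an added example, not code from the original page; the crontab entries and file layout it checks are constructed in a temporary directory, so the paths and job names are made up.

```bash
#!/bin/bash
# Added example: find cron jobs whose target can be replaced by a low-privileged user.
# The crontab text and the file layout are constructed in a temp dir, not from a real host.
setup_demo() {
    DEMO=$(mktemp -d)
    mkdir -p "$DEMO/backup" "$DEMO/monitor" "$DEMO/spool" "$DEMO/web"
    chmod 755 "$DEMO/backup" "$DEMO/monitor" "$DEMO/web"
    printf '#!/bin/sh\nexit 0\n' > "$DEMO/backup/run_backup.sh"
    printf '#!/bin/sh\nexit 0\n' > "$DEMO/monitor/agent"
    printf '#!/bin/sh\nexit 0\n' > "$DEMO/web/cleanup.sh"
    chmod 777 "$DEMO/backup/run_backup.sh"   # world-writable script run by root
    chmod 755 "$DEMO/monitor/agent"          # sane permissions
    chmod 777 "$DEMO/spool"                  # world-writable dir; target script is missing
    chmod 755 "$DEMO/web/cleanup.sh"
    cat > "$DEMO/crontab" <<EOF
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
*/5 * * * *  root     $DEMO/backup/run_backup.sh >/dev/null 2>&1
0 3 * * *    root     $DEMO/monitor/agent --daemon
@reboot      root     $DEMO/spool/collect.sh
17 * * * *   www-data $DEMO/web/cleanup.sh
EOF
    echo "$DEMO"
}

# Reads system-crontab text on stdin and prints "user path" with the first
# absolute path in each job's command. System format: 5 time fields, user,
# command; @reboot-style lines have a single schedule field instead of five.
cron_targets() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        /^[A-Za-z_][A-Za-z0-9_]*=/ { next }
        {
            if ($1 ~ /^@/) { user = $2; start = 3 } else { user = $6; start = 7 }
            for (i = start; i <= NF; i++) if ($i ~ /^\//) { print user, $i; break }
        }'
}

# True when the path exists and is world-writable (-perm -002 works on GNU and BSD find).
world_writable() {
    [ -e "$1" ] && [ -n "$(find "$1" -maxdepth 0 -perm -002 2>/dev/null)" ]
}

# Reads "user path" lines and prints a finding when the script itself, or the
# directory it lives in, is world-writable. A missing script in a writable
# directory is just as good: we can create it and cron will run it.
writable_cron_targets() {
    while read -r user path; do
        [ -n "$path" ] || continue
        if world_writable "$path"; then
            echo "$user $path script-world-writable"
        elif world_writable "$(dirname "$path")"; then
            echo "$user $path directory-world-writable"
        fi
    done
    return 0
}

# On a live host: cat /etc/crontab /etc/cron.d/* | cron_targets | writable_cron_targets
D=$(setup_demo)
cron_targets < "$D/crontab" | writable_cron_targets
rm -rf "$D"
```

World-writable is the loud case; on a real engagement also test each path with test -w as the low-privileged user, since group-writable files and directories owned by a group you belong to are just as exploitable. Scripts in /etc/cron.hourly and its siblings, and anything a cron script sources or executes by relative name, deserve the same check.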

Applications & Versions

Another approach is to list the installed applications and their versions, then search for known vulnerabilities and public exploits affecting those exact versions.

Windows

wmic product get name, version, vendor
wmic qfe get Caption, Description, HotFixID, InstalledOn

The second command lists the installed hotfixes; the InstalledOn dates show how far behind the system is on patching. Note that wmic is deprecated on recent Windows releases and may be absent, in which case the same information is available through PowerShell's CIM cmdlets.

Linux

dpkg -l

dpkg -l covers Debian-based distributions; RPM-based ones keep the equivalent package list in the rpm database.

Readable & Writable Files

Knowing which files and directories we can read or write pays off when combined with the earlier findings: a writable script run by a scheduled task, or a writable configuration file or binary belonging to an installed application, becomes a direct path to higher privileges.

Linux

find / -writable -type d 2>/dev/null

This lists the directories the current user can write to; use -type f instead of -type d to list writable files.

Mounted Drives

Drives are normally mounted at boot, but disks and partitions can be attached to the system without being mounted. Such unmounted volumes can hold backups, old system images or configuration files with credentials that help with privilege escalation.

Windows

mountvol

Linux

cat /etc/fstab

The following command lists all block devices together with their current mountpoint, so disks and partitions without one stand out,

/bin/lsblk
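Comparing fstab against what is actually mounted is the quick way to spot volumes that are configured but not attached (noauto entries, NFS shares, backup disks). The function below does that comparison; it is an added example, not code from the original page, and the fstab and mounts text it runs on here are constructed samples with made-up UUIDs and device names.

```bash
#!/bin/bash
# Added example: fstab entries that are not currently mounted.
# SAMPLE_FSTAB and SAMPLE_MOUNTS are constructed, not copied from a real host.
SAMPLE_FSTAB='UUID=1111-aaaa /          ext4  defaults        0 1
UUID=2222-bbbb /boot      ext4  defaults        0 2
UUID=3333-cccc none       swap  sw              0 0
/dev/sdb1      /mnt/backup ext4 defaults,noauto 0 0
nas:/export/share /mnt/share nfs defaults,noauto 0 0
# /dev/sdc1    /mnt/old   ext4  defaults        0 0'
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda1 /boot ext4 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0'

# Usage: unmounted_fstab FSTAB MOUNTS
# Prints "device mountpoint type options" for every fstab entry whose
# mountpoint does not appear in MOUNTS. Swap entries and comments are skipped.
# On a live host: unmounted_fstab /etc/fstab /proc/mounts
unmounted_fstab() {
    awk '
        FILENAME == ARGV[1] { if ($2 != "") mounted[$2] = 1; next }
        /^[[:space:]]*(#|$)/ { next }
        $3 == "swap" { next }
        !($2 in mounted) { print $1, $2, $3, $4 }' "$2" "$1"
}

# Writes the constructed samples to files so the function can be run offline.
write_demo() {
    DEMO=$(mktemp -d)
    printf '%s\n' "$SAMPLE_FSTAB" > "$DEMO/fstab"
    printf '%s\n' "$SAMPLE_MOUNTS" > "$DEMO/mounts"
    echo "$DEMO"
}

D=$(write_demo)
unmounted_fstab "$D/fstab" "$D/mounts"
rm -rf "$D"
```

An unmounted entry is only useful if you can mount it or read the device node; mount usually needs root unless the entry carries the user option, but backup disks and NFS exports are frequently left readable once attached.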

Device Drivers & Kernel Modules

Just as applications and services can be vulnerable, device drivers and kernel modules can have exploitable flaws; because they run in kernel mode, a successful exploit typically gives SYSTEM or root directly.

Windows

driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start Mode', Path

The above PowerShell command lists the drivers loaded on the target with their start mode and path. We also need the version of each module, which the following command provides; the Where-Object filter is only an example that narrows the output to VMware devices and can be changed or dropped,

Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion, Manufacturer | Where-Object {$_.DeviceName -like "*VMware*"}

Linux

lsmod

Once we have the list of loaded modules from the command above, we can query a specific module (libata below is just an example name) for its version, author and file path,

/sbin/modinfo libata

AutoElevating Binaries

There is a registry setting "AlwaysInstallElevated" which, when enabled, makes Windows Installer run MSI packages with SYSTEM privileges regardless of who starts them. For it to take effect the value must be set to 1 under both HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE, so check both,

reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer

If both values are 1, a malicious MSI can be built and installed to run our payload as SYSTEM and elevate our privileges.

Similarly, on Linux an executable normally runs with the permissions of the user who launches it, but if the SUID bit is set it runs with the permissions of the file's owner. Root-owned SUID binaries are therefore a direct route to root whenever they can be abused to read, write or execute something of our choosing. The following lists them,

find / -perm -u=s -type f 2>/dev/null
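The raw list is long on any real system, so the useful step is to separate the SUID binaries that are supposed to be there from the ones that are not. The script below is an added example, not code from the original page; its allowlist is a short constructed list of names that are normally SUID on Debian-style systems (illustrative, not a complete baseline), and the files it scans here are created in a temporary directory with made-up names.

```bash
#!/bin/bash
# Added example: find SUID binaries and separate the expected ones from the suspicious.
# EXPECTED_SUID is a short constructed allowlist, illustrative only, not a full baseline.
EXPECTED_SUID="su sudo passwd chsh chfn gpasswd newgrp mount umount ping"

# Print every setuid file under the given root(s).
# -perm -4000 is the octal form of the page's -perm -u=s; -type f skips directories.
suid_scan() {
    find "$@" -type f -perm -4000 2>/dev/null
}

# Reads paths on stdin and prints those whose basename is not in EXPECTED_SUID.
# Anything printed deserves a closer look: custom helpers, copies of shells,
# interpreters, or old package versions with known SUID bugs.
unexpected_suid() {
    local f b
    while read -r f; do
        b=$(basename "$f")
        case " $EXPECTED_SUID " in
            *" $b "*) ;;                 # known-good name, skip
            *) echo "$f" ;;
        esac
    done
    return 0
}

# Constructed demo layout in a temp dir: one expected name, one custom helper,
# one file without the bit. Nothing here is from a real host.
setup_demo() {
    DEMO=$(mktemp -d)
    mkdir -p "$DEMO/bin" "$DEMO/opt"
    printf '#!/bin/sh\n' > "$DEMO/bin/su"
    printf '#!/bin/sh\n' > "$DEMO/opt/backup_helper"
    printf '#!/bin/sh\n' > "$DEMO/opt/notes.txt"
    chmod 4755 "$DEMO/bin/su" "$DEMO/opt/backup_helper"
    chmod 644 "$DEMO/opt/notes.txt"
    echo "$DEMO"
}

# On a live host: suid_scan / | unexpected_suid
D=$(setup_demo)
suid_scan "$D" | unexpected_suid
rm -rf "$D"
```

A name on the allowlist is not automatically safe either: an expected binary such as su or sudo can still be an old, vulnerable version, so compare the versions of the allowed ones against known advisories as well. The same scan with -perm -2000 covers SGID files, which give the group of the owner rather than the user.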
