General Info
Understanding Yourself & Context
The moment you gain access to a system, the first step is to fully understand the user you are logged in as: the username, the context it runs in, the groups it belongs to, and the privileges it holds.
Start by displaying the username the shell is running as; the same command exists on both Windows and Linux.
Details about the User
Once you know the name of the user that the shell is running under, you can gather more info about that user.
On Windows, query the account itself: this returns the password profile (when it was last set, when it expires), the workstations the account may log on from, the home directory, and the local and global group memberships.
On Linux, the equivalent shows the user's UID, primary GID and supplementary group memberships.
Other Users
Next, enumerate the other accounts present on the system.
On Windows this is a single account-listing command. On Linux the same information is in the "passwd" file (/etc/passwd), which is world-readable and lists every account with its UID, GID, home directory and login shell.
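As an added example (not part of the original page), the following Python parses the passwd file format described above and pulls out what a privilege escalation review cares about: every UID 0 account (a second one is a classic backdoor), accounts that have a real login shell, and accounts whose password field is empty or holds a hash instead of the `x` that points at /etc/shadow. The sample passwd content is constructed for the example and does not come from any real host.

```python
"""Triage the accounts in a passwd(5) file for privilege-escalation leads."""
from collections import namedtuple

Account = namedtuple("Account", "name password uid gid gecos home shell")

# Shells that deny interactive login; anything else is treated as a usable shell.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false", ""}


def parse_passwd(text):
    """Parse passwd-format text (name:password:uid:gid:gecos:home:shell).
    Malformed lines are skipped rather than aborting the whole scan."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, password, uid, gid, gecos, home, shell = fields
        try:
            accounts.append(Account(name, password, int(uid), int(gid), gecos, home, shell))
        except ValueError:
            continue  # non-numeric uid/gid: not a valid entry
    return accounts


def superusers(accounts):
    """Every account with UID 0; more than one entry is a red flag."""
    return [a.name for a in accounts if a.uid == 0]


def interactive_accounts(accounts):
    """Accounts that can log in to a real shell: root, humans, and service
    accounts that were given /bin/sh or /bin/bash instead of nologin."""
    return [a.name for a in accounts if a.shell not in NOLOGIN_SHELLS]


def password_field_leads(accounts):
    """Accounts whose password field is neither the shadow pointer 'x' nor a
    lock marker: an empty field means no password is required at all, and
    anything else is a hash sitting in a world-readable file."""
    leads = []
    for a in accounts:
        if a.password == "":
            leads.append((a.name, "no password"))
        elif a.password not in ("x", "*", "!", "!!"):
            leads.append((a.name, "hash in passwd"))
    return leads


# Constructed sample for the example; the hash is a placeholder, not a real one.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup-svc:x:1001:1001::/opt/backup:/bin/sh
guest::1002:1002::/home/guest:/bin/bash
legacy:$1$saltsalt$aFjK2xnJK9mYqG3b6k1xV.:1003:1003::/home/legacy:/bin/bash
toor:x:0:0::/root:/bin/bash
"""

if __name__ == "__main__":
    accounts = parse_passwd(SAMPLE_PASSWD)
    print("uid 0 accounts:", superusers(accounts))
    print("interactive:", interactive_accounts(accounts))
    print("password field leads:", password_field_leads(accounts))
```

On a real host, replace SAMPLE_PASSWD with the contents of /etc/passwd; the interesting results are any UID 0 name other than root, service accounts with a shell, and any entry in the password-field list.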
Hostname
The hostname alone can give away a lot, such as whether the system is a web server, a database server or a domain controller.
OS Details
Next, gather details of the operating system: name, version, patch level and architecture. These decide which kernel and OS-level exploits are even worth considering.
Windows
Linux
Running Services & Processes
Once the operating system is known, enumerate the running processes and services, noting which binary backs each service and which account it runs as.
Windows
Linux
Services and processes running as root, SYSTEM or Administrator are the interesting ones: a flaw in any of them, or write access to the binary or configuration they load, is a direct path to privilege escalation.
Networking Information
Next, identify the IP addresses assigned to the system and the applications listening on each port. Even if you port-scanned the host from outside, many processes listen only on the loopback address (127.0.0.1 or ::1); those are invisible to an external scan but reachable once you have a shell.
Windows
Linux
Firewalls & Access Permissions
The local firewall rules matter for two reasons. A service blocked from the network by the firewall may still be reachable from the box itself, and knowing the rules tells you which tunnelling and port-forwarding options you have for moving further into the network.
Windows
Linux
On Linux, listing the iptables rules requires root (CAP_NET_ADMIN), so an unprivileged user cannot read the live ruleset directly. The rules can often be recovered indirectly: look under /etc for saved rule files left by the distribution's firewall service or by an administrator, and check their permissions.
If an administrator has ever dumped the ruleset to a file, that file holds the complete rule list and is frequently left readable by everyone.
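The following Python block is an added example, not code from the original page, and serves both the networking and firewall sections above. It parses the output of the usual listening-socket commands (assumed to be `netstat -tulpn` on Linux and `netstat -ano` on Windows; both sample outputs below are constructed) and compares the result with the ports seen from the external port scan. Two classes fall out: services bound only to loopback, and services bound to a non-loopback address that the outside scan nevertheless missed, which means the host firewall is filtering them.

```python
"""Listeners that the external port scan could not see: loopback-only
services and services filtered by the host firewall."""
import re
from collections import namedtuple

Listener = namedtuple("Listener", "proto host port program")

# address:port token as netstat prints it: 0.0.0.0:22, 127.0.0.1:3306,
# :::80 (Linux IPv6 wildcard) or [::1]:1433 (Windows IPv6 loopback)
_ADDR = re.compile(r"^\[?([^\]]*?)\]?:(\d+|\*)$")
_LOOPBACK_PREFIXES = ("127.", "::1", "localhost")


def is_loopback(host):
    return host.startswith(_LOOPBACK_PREFIXES)


def parse_listeners(netstat_output):
    """Parse Linux `netstat -tulpn` or Windows `netstat -ano` output.
    TCP sockets are kept only in LISTEN/LISTENING state; UDP sockets have no
    state and are always kept.  `program` is the last column: 'PID/name' on
    Linux, a bare PID on Windows."""
    listeners = []
    for line in netstat_output.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].lower() not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        proto = tokens[0].lower()[:3]
        # the local address is the first address:port token after the protocol
        match = next((m for m in map(_ADDR.match, tokens[1:]) if m), None)
        if match is None or match.group(2) == "*":
            continue
        if proto == "tcp" and not any(t.upper().startswith("LISTEN") for t in tokens):
            continue
        listeners.append(Listener(proto, match.group(1), int(match.group(2)), tokens[-1]))
    return listeners


def triage(listeners, externally_open):
    """Split listeners into those bound only to loopback and those bound to a
    non-loopback address (including the 0.0.0.0 / :: wildcard) that the
    outside scan did not report open, i.e. filtered by the host firewall.
    `externally_open` is a set of (proto, port) pairs from that scan."""
    loopback_only, filtered = [], []
    for lst in listeners:
        if is_loopback(lst.host):
            loopback_only.append(lst)
        elif (lst.proto, lst.port) not in externally_open:
            filtered.append(lst)
    return loopback_only, filtered


# Constructed sample outputs; not captured from a real host.
SAMPLE_LINUX = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1044/mysqld
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      1102/redis-server
tcp6       0      0 :::80                   :::*                    LISTEN      1200/apache2
udp        0      0 0.0.0.0:68              0.0.0.0:*                           700/dhclient
"""

SAMPLE_WINDOWS = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       4120
  TCP    192.168.56.10:49672    192.168.56.1:4444      ESTABLISHED     3300
  TCP    [::1]:1433             [::]:0                 LISTENING       2212
  UDP    0.0.0.0:123            *:*                                    1100
"""

if __name__ == "__main__":
    # ports the (assumed) external scan reported open on the Linux host
    loopback_only, filtered = triage(parse_listeners(SAMPLE_LINUX), {("tcp", 22), ("tcp", 80)})
    print("loopback only:", loopback_only)
    print("filtered by firewall:", filtered)
```

The loopback-only list is what to pivot to through a local port forward; the filtered list tells you what the firewall is hiding and therefore what a tunnel out of the host would expose.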
Scheduled Tasks
Scheduled tasks are one of the easiest privilege escalation paths. They are often created by a privileged user, but the script or binary they run is left with weak permissions. Check each task for a file you can write to, a path component you control, or an action you can otherwise hijack, so that the task runs your code with its owner's privileges.
Windows
Linux
Applications & Versions
Another method is to list the installed applications and their versions, then look for known vulnerabilities and public exploits against those versions.
Windows
Also list the installed hotfixes: the set of system-wide updates shows which known OS and kernel patches are missing.
Linux
Readable & Writable Files
A list of files readable or writable by the current user becomes valuable when combined with the earlier findings: a writable script run by a scheduled task, a writable binary or configuration file belonging to a privileged service, or a readable file that contains credentials.
Linux
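The following Python block is an added example (not code from the original page) covering both the scheduled-tasks section and the readable/writable-files section above: it parses crontab lines, picks out the absolute paths each job touches, and reports the ones that a chosen unprivileged account could overwrite directly or replace because the containing directory is writable, then does a stat-based sweep for writable files under a tree, the equivalent of `find -writable` run as that account. The demo directory tree and crontab text are constructed in a temporary directory; the uid 4242 is an assumed account that owns nothing in the fixture.

```python
"""Cron jobs whose script (or script directory) a given account can modify,
plus a writable-file sweep; both judged from permission bits so the question
can be asked for any uid, not just the one running this script."""
import os
import re
import stat
import tempfile

_ABS_PATH = re.compile(r"(?<![\w.-])(/[\w./-]+)")  # absolute paths inside a command line
EVAL_UID = 4242  # assumed unprivileged account that owns none of the fixture files


def parse_cron_commands(crontab_text, system_crontab=True):
    """Return (user, command) pairs.  System crontabs (/etc/crontab,
    /etc/cron.d/*) have a user field after the schedule; per-user crontabs
    (crontab -l) do not, and user is reported as None."""
    entries = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue  # blank, comment, or VAR=value assignment
        schedule_fields = 1 if line.startswith("@") else 5  # @reboot etc. vs m h dom mon dow
        n = schedule_fields + (1 if system_crontab else 0)
        parts = line.split(None, n)
        if len(parts) <= n:
            continue  # malformed line
        entries.append((parts[schedule_fields] if system_crontab else None, parts[n]))
    return entries


def writable_by(path, uid, gids):
    """Whether `uid` (with groups `gids`) may write `path`, judged from the mode
    bits.  uid 0 is deliberately not special-cased: the point is to see what
    an unprivileged account could touch."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def hijackable_cron_jobs(entries, uid, gids):
    """For each absolute path in a cron command that is a regular file, report
    it if `uid` can overwrite it, or replace it because its directory is
    writable.  Non-regular files such as /dev/null are ignored."""
    findings = []
    for run_as, command in entries:
        for path in _ABS_PATH.findall(command):
            if not os.path.isfile(path):
                continue
            if writable_by(path, uid, gids):
                findings.append((run_as, path, "file writable"))
            elif writable_by(os.path.dirname(path), uid, gids):
                findings.append((run_as, path, "directory writable"))
    return findings


def writable_files(root, uid, gids):
    """Regular files under `root` that `uid` can write: the stat-based
    equivalent of `find root -type f -writable` run as that account."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and writable_by(path, uid, gids):
                hits.append(path)
    return sorted(hits)


def build_fixture():
    """Constructed demo tree (not a real system): a world-writable backup
    script, a protected log, and a world-writable bin directory."""
    root = tempfile.mkdtemp(prefix="cron-demo-")
    layout = {  # relative path: (directory mode, file mode)
        "scripts/backup.sh": (0o755, 0o666),
        "logs/backup.log": (0o755, 0o644),
        "bin/rotate.sh": (0o777, 0o755),
        "bin/warmup.py": (0o777, 0o755),
    }
    for rel, (dmode, fmode) in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        os.chmod(os.path.dirname(path), dmode)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, fmode)
    crontab = f"""\
SHELL=/bin/sh
# m h dom mon dow user command
*/5 * * * *   root      /bin/bash {root}/scripts/backup.sh > {root}/logs/backup.log 2>&1
0 2 * * *     root      {root}/bin/rotate.sh
@reboot       www-data  {root}/bin/warmup.py
17 * * * *    root      cd / && run-parts --report /etc/cron.hourly
"""
    return root, crontab


if __name__ == "__main__":
    root, crontab = build_fixture()
    for finding in hijackable_cron_jobs(parse_cron_commands(crontab), EVAL_UID, {EVAL_UID}):
        print(*finding)
    print(writable_files(root, EVAL_UID, {EVAL_UID}))
```

The "directory writable" case is the one people miss: the script itself may be root-owned and read-only, but if its directory is writable you can rename it away and drop your own file under the same name before the next run.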
Mounted Drives
Drives are usually mounted at boot, but a disk can be attached to the system and left unmounted. Such disks can hold valuable data that helps with privilege escalation.
Windows
Linux
Compare the mounted filesystems with the list of all disks attached to the system; anything attached but not mounted is worth mounting and inspecting.
Device Drivers & Kernel Modules
Like applications and services, device drivers and kernel modules can carry exploitable flaws, and because they run in kernel mode a successful exploit gives complete control of the system.
Windows
List the drivers loaded on the target, then retrieve each driver's version and provider; the version is what you match against vulnerability databases and public exploits.
Linux
Once you have the list of loaded kernel modules, query each interesting one for its version, author and parameters.
AutoElevating Binaries
There is a registry setting, AlwaysInstallElevated, that lets any user run Windows Installer packages (MSI) with SYSTEM privileges. It only takes effect when the value is set to 1 under both HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE (in SOFTWARE\Policies\Microsoft\Windows\Installer under each hive); if it is missing or 0 in either hive, the installer falls back to the current user's privileges.
If both are set, a crafted MSI runs as SYSTEM when any user installs it, which is enough to elevate our privileges.
The Linux counterpart is the SUID bit. Normally a program runs with the privileges of the user who launches it, but a binary with the setuid bit set runs with the effective UID of its owner, so a root-owned SUID binary that can be made to spawn a shell or read and write arbitrary files is a direct privilege escalation path. Enumerate them all rather than assuming the standard system ones are the only ones present.
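As an added example (not code from the original page), the following Python implements both checks from this section. For Windows it evaluates AlwaysInstallElevated from the text of `reg query <hive>\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated` for each hive and returns true only when both hives are set to 1, which is the condition that actually matters. For Linux it sweeps a directory tree for setuid and setgid regular files, the equivalent of `find / -type f -perm /6000`. The `reg query` outputs and the demo directory tree are constructed for the example.

```python
"""Two auto-elevation checks: AlwaysInstallElevated from `reg query` output
(Windows) and a sweep for setuid/setgid binaries (Linux)."""
import os
import re
import stat
import tempfile

# reg query prints the value on its own line:  AlwaysInstallElevated    REG_DWORD    0x1
_REG_DWORD = re.compile(r"^\s*AlwaysInstallElevated\s+REG_DWORD\s+0x([0-9A-Fa-f]+)\s*$", re.M)


def always_install_elevated(hkcu_output, hklm_output):
    """True only if BOTH hives hold AlwaysInstallElevated = 1.  A missing key
    (reg prints an ERROR line instead) or a value of 0 in either hive disables
    the behaviour, so a single enabled hive is not exploitable."""
    def enabled(output):
        m = _REG_DWORD.search(output)
        return m is not None and int(m.group(1), 16) == 1
    return enabled(hkcu_output) and enabled(hklm_output)


def find_setuid(root):
    """Regular files under `root` carrying the setuid and/or setgid bit, as
    (path, owner_uid, bits) with bits 'u', 'g' or 'ug'.  Unreadable entries
    are skipped so the sweep survives a partially restricted tree."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            bits = ("u" if st.st_mode & stat.S_ISUID else "") + ("g" if st.st_mode & stat.S_ISGID else "")
            if bits:
                hits.append((path, st.st_uid, bits))
    return sorted(hits)


def root_owned_setuid(hits):
    """Narrow a sweep to root-owned setuid files: these run as root for
    whoever executes them, so they are the first ones to examine."""
    return [h for h in hits if h[1] == 0 and "u" in h[2]]


# Constructed `reg query` outputs; not captured from a real host.
HKCU_ENABLED = r"""
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1

"""
HKLM_ENABLED = HKCU_ENABLED.replace("HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE")
HKLM_DISABLED = HKLM_ENABLED.replace("0x1", "0x0")
HKLM_MISSING = "ERROR: The system was unable to find the specified registry key or value.\n"


def build_fixture():
    """Constructed demo tree: one setuid file, one setgid file, one plain file."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    for rel, mode in {"sbin/agent": 0o4755, "bin/wall": 0o2755, "bin/ls": 0o755}.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    print("AlwaysInstallElevated exploitable:", always_install_elevated(HKCU_ENABLED, HKLM_ENABLED))
    print("only HKCU set:", always_install_elevated(HKCU_ENABLED, HKLM_MISSING))
    for path, owner, bits in find_setuid(build_fixture()):
        print(f"{bits:2} uid={owner} {path}")
```

Run `find_setuid("/")` on a real host and feed the result to `root_owned_setuid`; anything outside the usual set shipped by the distribution (custom tools, backup helpers, vendor agents) deserves a closer look.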