Privilege Escalation
Overview
When we first gain access to a remote server, we often land as a low-privileged user. To get full control, we must find a local/internal vulnerability that lets us escalate our privileges — usually to root (Linux) or administrator/SYSTEM (Windows).
This section walks through common privilege escalation approaches.
PrivEsc Checklists
Once initial access is obtained, thoroughly enumerate the box for potential escalation paths.
Helpful resources:
- HackTricks
- PayloadsAllTheThings
Enumeration Scripts
Scripts automate common enumeration commands.
Common Linux scripts
- LinEnum – https://github.com/rebootuser/LinEnum.git
- linuxprivchecker – https://github.com/sleventyeleven/linuxprivchecker
Common Windows scripts
- Seatbelt – https://github.com/GhostPack/Seatbelt
- JAWS – https://github.com/411Hall/JAWS
PEASS / LinPEAS
Well-maintained privilege escalation enumeration scripts: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite
Kernel Exploits
Look for outdated kernels that have public exploits.
Example:
- Kernel version 3.9.0-73-generic: vulnerable to DirtyCow (CVE-2016-5195)
- PoCs: https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs
Vulnerable Software
Check installed software:
Linux:
dpkg -l
Windows:
- Inspect C:\Program Files* and check the installed versions against public CVEs
User Privileges
Always check sudo rights:
sudo -l
If full sudo:
sudo su -
NOPASSWD example:
(user : user) NOPASSWD: /bin/echo
Use:
sudo -u user /bin/echo Hello World!
GTFOBins (Linux) – https://gtfobins.github.io/
LOLBAS (Windows) – https://lolbas-project.github.io/#/
Both catalogue legitimate system binaries that can be misused (for example through sudo or SUID) to read or write files or spawn a shell; check every binary returned by sudo -l against them.
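The sudo -l review above is easy to do by eye for one host and tedious across a fleet. The following is an added example (not part of the original notes, and not an existing tool) that parses the privilege lines of sudo -l output and labels the rules an administrator should question: NOPASSWD grants, grants of ALL, wildcards, and root grants on shells or interpreters, which are root shells in all but name. The sample output, the user name "user" and the INTERPRETERS watchlist are constructed for the example; the first rule mirrors the page's own NOPASSWD example.

```python
"""Flag risky rules in the output of `sudo -l` (added audit example)."""
import os
import re

# Constructed sample of `sudo -l` output for a user named "user"; it is not
# captured from any real host.
SAMPLE_SUDO_L = """\
Matching Defaults entries for user on this host:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User user may run the following commands on this host:
    (user : user) NOPASSWD: /bin/echo
    (root) NOPASSWD: /usr/bin/python3
    (ALL : ALL) ALL
    (root) /usr/bin/id
"""

# Shells and interpreters: a sudo grant on any of these as root is a root
# shell in all but name. Assumed watchlist for the example, not exhaustive.
INTERPRETERS = {"sh", "bash", "dash", "zsh", "python", "python2", "python3",
                "perl", "ruby"}

# One privilege line looks like: "(runas_user : runas_group) TAG: /cmd, /cmd2"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>\S.*)$"
)


def parse_sudo_l(text):
    """Turn `sudo -l` output into a list of rule dicts; non-rule lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        rules.append({
            # keep only the run-as user; the group after ':' is not needed here
            "runas": m.group("runas").split(":")[0].strip(),
            "tags": {t.rstrip(":") for t in m.group("tags").split()},
            "commands": [c.strip() for c in m.group("cmds").split(",")],
        })
    return rules


def findings_for(rule):
    """Return a sorted list of risk labels for one parsed rule (empty = nothing flagged)."""
    labels = set()
    if "NOPASSWD" in rule["tags"]:
        labels.add("NOPASSWD")
    for cmd in rule["commands"]:
        if cmd == "ALL":
            labels.add("ALL")
            continue
        binary = os.path.basename(cmd.split()[0])  # binary name without arguments
        if binary in INTERPRETERS and rule["runas"] in ("root", "ALL"):
            labels.add("shell-capable")
        if "*" in cmd:
            labels.add("wildcard")
    return sorted(labels)


def audit_sudo_l(text):
    """Pair each rule's command list with its findings, ready for a report."""
    return [(rule["commands"], findings_for(rule)) for rule in parse_sudo_l(text)]


if __name__ == "__main__":
    for commands, labels in audit_sudo_l(SAMPLE_SUDO_L):
        flag = ", ".join(labels) if labels else "ok"
        print(f"{', '.join(commands):40} {flag}")
```

On a real host, feed it the captured output of sudo -l (or, as root, of sudo -l -U each_user) and treat every non-empty finding as something to justify in the sudoers file or remove.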
Scheduled Tasks / Cron
Escalation paths:
- Add new tasks
- Hijack an existing one
Linux cron paths:
- /etc/crontab
- /etc/cron.d/
- /var/spool/cron/crontabs/root
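The cron paths listed above are also what a defender should audit: a root cron entry is only as safe as the file it runs and the crontab that names it. The following is an added example (not from the original notes) that parses cron entries in both the system layout (/etc/crontab, /etc/cron.d, with a user column) and the per-user layout, and flags crontab files or referenced scripts that group or other can write to. The demo() function builds a constructed cron layout in a temporary directory so it runs offline; CRON_PATHS and the expected owner uid 0 are assumptions about a typical Linux host.

```python
"""Audit cron configuration for entries a non-root user could tamper with (added example)."""
import os
import re
import stat
import tempfile

# Locations cron reads on most Linux systems; on a real host the expected
# owner of every one of them is root (uid 0).
CRON_PATHS = ["/etc/crontab", "/etc/cron.d", "/var/spool/cron/crontabs/root"]


def writable_by_others(path):
    """True if the group or other permission bits allow writing to path itself."""
    return bool(os.lstat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def referenced_scripts(text, system_format=True):
    """Yield absolute paths appearing in the command field of each cron entry.

    system_format=True is the /etc/crontab and /etc/cron.d layout (a user
    column after the five time fields); False is the per-user crontab layout.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"[A-Za-z_]+=", line):
            continue  # blank lines, comments and MAILTO=/PATH= style assignments
        time_fields = 1 if line.startswith("@") else 5  # @reboot etc. use one field
        n = time_fields + (1 if system_format else 0)
        parts = line.split(None, n)
        if len(parts) <= n:
            continue  # malformed entry with no command
        for path in re.findall(r"(?<!\S)/[\w./-]+", parts[n]):
            yield path


def audit_cron_file(path, system_format=True, expected_uid=0):
    """Return findings for one cron file; an empty list means nothing was flagged."""
    findings = []
    if os.lstat(path).st_uid != expected_uid:
        findings.append(f"{path}: not owned by uid {expected_uid}")
    if writable_by_others(path):
        findings.append(f"{path}: writable by group/other")
    with open(path) as fh:
        entries = fh.read()
    for script in referenced_scripts(entries, system_format):
        if not os.path.isfile(script):
            continue  # missing targets and devices such as /dev/null are out of scope
        if writable_by_others(script):
            findings.append(f"{path}: runs {script}, which is writable by group/other")
    return findings


def demo():
    """Audit a constructed cron layout in a temporary directory (not a real host)."""
    with tempfile.TemporaryDirectory() as tmp:
        script = os.path.join(tmp, "backup.sh")
        with open(script, "w") as fh:
            fh.write("#!/bin/sh\ntar czf /var/backups/www.tgz /var/www\n")
        os.chmod(script, 0o777)  # the misconfiguration: anyone may edit what root runs
        crontab = os.path.join(tmp, "crontab")
        with open(crontab, "w") as fh:
            fh.write("SHELL=/bin/sh\n"
                     "# m h dom mon dow user command\n"
                     f"*/5 * * * * root {script} > /dev/null 2>&1\n"
                     "@reboot root /usr/bin/true\n")
        os.chmod(crontab, 0o644)
        # expected_uid is our own uid here because the temporary files are ours
        return audit_cron_file(crontab, expected_uid=os.getuid())


if __name__ == "__main__":
    for finding in demo():
        print(finding)
    # On a real host: audit_cron_file("/etc/crontab"), the same for every file in
    # /etc/cron.d, and audit_cron_file(p, system_format=False) for per-user crontabs.
```

Ownership and mode bits are checked rather than os.access() so the result describes the file, not the privileges of whoever runs the audit.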
Exposed Credentials
Examples:
/var/www/html/config.php: password123
Try reuse:
su -
SSH Keys
Readable private keys:
- ~/.ssh/id_rsa
- /root/.ssh/id_rsa
Use:
chmod 600 id_rsa
ssh root@10.10.10.10 -i id_rsa
If the target user's authorized_keys file is writable:
echo "ssh-rsa AAAA... user@parrot" >> authorized_keys
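The defensive counterpart of the authorized_keys technique above is an inventory check: every key that grants login should match an approved fingerprint, and anything else is a finding. The following is an added example (not part of the original notes) that parses authorized_keys lines, including ones with a leading options field, computes the SHA256 fingerprint the same way ssh-keygen -lf prints it (SHA256 over the decoded key blob, base64 without padding), and reports entries missing from an approved set. The key blobs KEY_A and KEY_B are constructed wire-format blobs with dummy 32-byte payloads, not real keys, and the APPROVED baseline is a constructed example of what a host inventory would hold.

```python
"""Detect authorized_keys entries that are not in an approved baseline (added example)."""
import base64
import hashlib
import struct


def ssh_string(data):
    """Encode bytes as an SSH wire-format string (4-byte big-endian length + data)."""
    return struct.pack(">I", len(data)) + data


def public_key_blob(key_type, payload):
    """Build the public key blob that the base64 field of an authorized_keys line carries."""
    return ssh_string(key_type.encode()) + ssh_string(payload)


def fingerprint(blob):
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints (unpadded base64)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Return one dict per key line: line number, options, type, comment, fingerprint."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        # The key type is the first token that looks like one; anything before it
        # is the options field (quoted options containing spaces are re-joined).
        idx = next((i for i, t in enumerate(parts)
                    if t.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(parts):
            entries.append({"line": lineno, "error": "no key type/material found"})
            continue
        try:
            blob = base64.b64decode(parts[idx + 1], validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            entries.append({"line": lineno, "error": "key material is not valid base64"})
            continue
        entries.append({
            "line": lineno,
            "options": " ".join(parts[:idx]),
            "type": parts[idx],
            "comment": " ".join(parts[idx + 2:]),
            "fingerprint": fingerprint(blob),
        })
    return entries


def unexpected_keys(text, approved_fingerprints):
    """Entries whose fingerprint is not approved, plus any line that failed to parse."""
    return [e for e in parse_authorized_keys(text)
            if "error" in e or e["fingerprint"] not in approved_fingerprints]


# Constructed sample data: the 32-byte payloads are NOT real Ed25519 keys, just
# bytes in the right place so the parser and fingerprinting can be exercised.
KEY_A = public_key_blob("ssh-ed25519", bytes([0x11]) * 32)
KEY_B = public_key_blob("ssh-ed25519", bytes([0x22]) * 32)
KEY_A_B64 = base64.b64encode(KEY_A).decode()
KEY_B_B64 = base64.b64encode(KEY_B).decode()
SAMPLE_AUTHORIZED_KEYS = (
    f"ssh-ed25519 {KEY_A_B64} admin@workstation\n"
    "# backup key added last quarter\n"
    f"ssh-ed25519 {KEY_B_B64} user@parrot\n"
)
APPROVED = {fingerprint(KEY_A)}  # what the baseline inventory says should be there


if __name__ == "__main__":
    for entry in unexpected_keys(SAMPLE_AUTHORIZED_KEYS, APPROVED):
        what = entry.get("error") or f"{entry['fingerprint']} {entry['comment']}"
        print(f"line {entry['line']}: {what}")
```

Comparing fingerprints rather than raw lines means a key re-added with a different comment or options string is still recognised, while a new key appended to the file shows up on the first run.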