4-2: Privilege Escalation
For now, privilege escalation here means increasing the level of access on a system, as opposed to within an individual application. There will be cases where escalation within an application is necessary, and I consider those to still be part of the initial access steps.
Note that, like every other stage, this may take more than a single linear move from a non-privileged user to root/admin. It may be necessary to move laterally from the initial user to another account with higher access, one we've gained through additional exploits or exposed credentials, and only then escalate from there.
There is a wide range of privilege escalation techniques, and many are specific to the operating system being targeted. At this point the system recon will have identified one or more viable paths to test for privilege escalation. In rough order of difficulty, there are a few categories to consider:
- Exposed credentials
- Weak permissions (covers a lot of ground, including over-permissioned applications/binaries, read/write/execute access on files/directories that should be more restricted, etc.)
- Service exploits
- Kernel exploits
Each of these has its own distinct techniques, so going into detail on them is out of scope for this methodology-focused document. With that said, there are a few easy manual checks that can be used to attempt the first two categories, exposed credentials and weak permissions.
Manual checks
If you have any credentials at all, even for unrelated services, always check for password reuse; in rare cases there is also a passwordless root account.
On Linux, `su -` switches to root: either it works outright, or you test the known passwords against it. That is a good first move. Be aware that failed attempts are logged through PAM to the auth log, so keep the list of guesses short if noise matters on the engagement.
On Windows, `runas` does the same kind of testing as switching user on Linux, specifically by trying to spawn a cmd or PowerShell as the other account (for example `runas /user:Administrator cmd.exe`, which prompts for the password interactively).
The next manual check on Linux is for any sudo rights held by the current user, with `sudo -l`. On Windows a rough equivalent is `whoami /priv`, which lists the privileges assigned to the current user's token.
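As an added example (my own, not code from the original page), the script below turns the Linux manual checks above into a few shell functions: it picks the interesting entries out of `sudo -l` output, lists setuid/setgid and world-writable files, and looks for credential files the current user can read. The function names and the list of "interesting" file name patterns are my own choices; `-readable` assumes GNU find.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: a first-pass triage script for the two
# "easy" privilege escalation categories, exposed credentials and weak permissions,
# on Linux. Function names are my own; the commands they wrap (sudo -l, find -perm,
# find -readable) are standard, and -readable assumes GNU find.

# Pick the interesting lines out of `sudo -l` output (read from stdin):
# blanket "(ALL) ALL" style rules, anything marked NOPASSWD, and binaries that
# are known to offer a shell escape (editors, pagers, interpreters, find/awk).
flag_sudo_rights() {
    grep -E 'NOPASSWD|\(ALL( *: *ALL)?\) +(NOPASSWD: *)?ALL|/(vim|vi|less|more|find|awk|perl|python[0-9.]*|bash|sh)$' \
        || true   # no matches is a normal result, not an error
}

# setuid (4000) / setgid (2000) files under the given root. A setuid root copy of
# a shell-escape capable binary is the classic weak-permissions path.
find_suid_sgid() {
    root_dir="${1:-/}"
    find "$root_dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# World-writable regular files under the given root; /proc and /sys are pruned
# because they are full of pseudo-files with misleading modes.
find_world_writable() {
    root_dir="${1:-/}"
    find "$root_dir" -xdev \( -path "$root_dir/proc" -o -path "$root_dir/sys" \) -prune \
        -o -type f -perm -0002 -print 2>/dev/null | sort
}

# Exposed credentials: system files a normal user should not be able to read, plus
# files with names commonly used for stored secrets that the current user can
# read (-readable checks the calling user's effective permissions).
find_readable_secrets() {
    root_dir="${1:-/}"
    for f in "$root_dir/etc/shadow" "$root_dir/root/.ssh/id_rsa" "$root_dir/root/.bash_history"; do
        if [ -r "$f" ]; then echo "$f"; fi
    done
    find "$root_dir" -xdev \( -path "$root_dir/proc" -o -path "$root_dir/sys" \) -prune \
        -o -type f -readable \( -name '*.pem' -o -name 'id_rsa' -o -name 'id_ed25519' \
        -o -name '.env' -o -name '*.kdbx' -o -name 'credentials' -o -name '.htpasswd' \) \
        -print 2>/dev/null | sort
}

# Full sweep. `sudo -n -l` is non-interactive: it lists rights if no password is
# needed (or a sudo timestamp is still valid) and fails immediately otherwise,
# so it never hangs on a prompt.
run_privesc_checks() {
    root_dir="${1:-/}"
    echo "== sudo rights =="
    sudo -n -l 2>/dev/null | flag_sudo_rights
    echo "== setuid/setgid files =="
    find_suid_sgid "$root_dir"
    echo "== world-writable files =="
    find_world_writable "$root_dir"
    echo "== readable secrets =="
    find_readable_secrets "$root_dir"
}

# Run the sweep only when a root directory is given, e.g. `./privesc_triage.sh /`,
# so the file can also be sourced just for its functions.
if [ "$#" -gt 0 ]; then
    run_privesc_checks "$1"
fi
```

Everything here is read-only and non-interactive, which is the point of a first pass: it tells you which of the `su -` / password-reuse guesses and which setuid or sudo-permitted binaries are worth spending interactive (and logged) attempts on.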
In later editions I will flesh this area out more. For now it would get a little too deep into specific commands.