Linux Privilege Escalation – Vulnerable Sudo Version

Introduction

Sudo is a program for Unix-like operating systems that allows users to run programs with the security privileges of another user, by default the superuser. It originally stood for “superuser do” as the older versions of Sudo were designed to run commands only as the superuser. It is commonly used in scenarios where normal users need to be able to perform actions as root.

Over the years, certain versions of Sudo were found to be affected by vulnerabilities that allowed attackers to escalate privileges to root, this guide will demonstrate how to identify a vulnerable Sudo version and how to exploit it in order to perform privilege escalation.

May 2, 2021 | by Stefano Lanaro | Leave a comment

Guides, Privilege Escalation, Windows

Windows Privilege Escalation – Kernel Exploits

Introduction

The kernel is a component of the operating system that sits at the core of it, it has complete control over everything that occurs in the system. Because of this, exploiting vulnerabilities in the kernel will pretty much always result in a full system compromise.

Kernel exploits affect a certain version of a kernel or operating system and they are generally executed locally on the target machine in order to escalate privileges to system.

April 24, 2021 | by Stefano Lanaro | Leave a comment

Guides, Linux, Privilege Escalation

Linux Privilege Escalation – Exploiting Shell Sessions

Introduction

The Linux shell (or terminal) is a program that receives commands from the user, gives them to the operating system to process, and then displays the output on the screen. To make life easier when interacting with a system through a shell, terminal multiplexers can be used; these are software applications that have the ability to combine several separate pseudoterminal-based login sessions inside a single terminal display and they are particularly useful when dealing with multiple programs from a command-line interface and for creating sub-processes that will continue running even when the user is disconnected. Their main purpose is to increase productivity, by allowing users to run multiple programs within a single interface and switch between them seamlessly.

If a terminal multiplexer session is still active as a privileged user (or a different user from the current one), a low-privileged user could be able to attach to it to elevate its access to the user the multiplexer session is running as.

April 19, 2021 | by Stefano Lanaro | Leave a comment

Enumeration, Guides

SMB Enumeration Guide

Introduction

Server Message Block is a network protocol used to provide shared access to files, printers, and serial ports between nodes on a network. SMB servers can be accessed through various command-line tools such as SMBClient or through file browsing tools. This service runs on either port 139 or port 445 by default.

This guide will cover the main methods to enumerate an SMB server in order to find potential vulnerabilities or misconfiguration.

April 17, 2021 | by Stefano Lanaro | 1 Comment

Guides, Privilege Escalation, Windows

Windows Privilege Escalation – DLL Hijacking

Introduction

DLLs (Dynamic Link Library) are libraries that contain code and procedures used by Windows programs. They are similar to EXE files as they are based on the Portable Executable (PE) file format although they cannot be executed directly. They are similar to .so (Shared Library) files in Unix.

DLL hijacking is a method of injecting malicious code into a given service or application by loading an evil DLL, often replacing the original one, that will be executed when the service starts. This is possible due to the way some Windows applications search and load DLLs, more specifically, if the path to a service’s DLL isn’t already loaded or stored in the system, Windows will start looking for it in the environment path, an attacker can therefore place the malicious DLL in a directory that is part of it to trigger the malicious code.

March 31, 2021 | by Stefano Lanaro | 6 Comments

Guides, Linux, Privilege Escalation

Linux Privilege Escalation – Credentials Harvesting

Introduction

Linux-based operating systems and applications often store clear text, encoded or hashed credentials in files or in memory.

When gaining initial access to a Linux machine and performing privilege escalation enumeration steps, often passwords can be found through these means and they can be used to further escalate privileges.

There are various methods to harvest credentials in a Linux system in order to escalate privileges, the following ones are the most common and they are always worth a try.

March 28, 2021 | by Stefano Lanaro | Leave a comment

Guides, Linux, Privilege Escalation

Linux Privilege Escalation – Exploiting Bashrc

Introduction

The .bashrc file is a script used in Linux-based operating systems that is executed whenever a user logs in. It contains important configurations for the terminal session such as the coloring, aliases, history length, or any commands that need to be executed at login.

It is a hidden file as it begins with a dot and it is normally located in the user’s home directory and like other files stored in this location, by default, it can be read by all users although it can only be edited by the owner or super users. If improper permissions have been applied to this file, it could allow potential attackers to add malicious commands that will be run when the user logs in.

March 20, 2021 | by Stefano Lanaro | 2 Comments

Guides, Privilege Escalation, Windows

Windows Privilege Escalation – Scheduled Tasks

Introduction

Windows operating systems, like most systems, have a way of scheduling the launch of programs or scripts based on certain time intervals to help automate recurring tasks. This can often become weaknesses and allow attackers to escalate privileges to root if improperly configured.

This guide will go through the main methods used to exploit scheduled tasks.

March 3, 2021 | by Stefano Lanaro | 2 Comments

Guides, Linux, Privilege Escalation

Linux Privilege Escalation – Exploiting the LXC/LXD Groups

Introduction

LXC is the well-known and heavily tested low-level Linux container runtime. It is in active development since 2008 and has proven itself in critical production environments world-wide. LXD is a next generation system container manager. that offers a user experience similar to virtual machines but using Linux containers instead.

The LXC/LXD groups are used to allow users to create and manage Linux containers. These can be exploited by creating a root-level privilege container from the current file system and interacting with it, executing /bin/sh and therefore starting a root shell.

March 1, 2021 | by Stefano Lanaro | Leave a comment

Enumeration, Guides

FTP Enumeration Guide

Introduction

FTP is a network protocol used to transfer files from a server to a client over a network. FTP servers can be accessed either via the ftp command-line tool or via third-party applications such as FileZilla. This service runs on port 21 by default.

This guide will cover the main methods to enumerate an FTP server in order to find potential vulnerabilities or misconfigurations.

February 27, 2021 | by Stefano Lanaro | Leave a comment