Linux Privilege Escalation – Exploiting Misconfigured SSH Keys

Introduction

Secure Shell (SSH) is a cryptographic network protocol which allows users to securely perform a number of network services, such as remote authentication or file transfer, over an unsecured network. SSH keys provide a more secure way of logging into a server through SSH than via a password authentication.

If improperly configured, SSH keys could allow an attacker to authenticate as another user to escalate privilege, potentially even as root.

February 16, 2021 | by Stefano Lanaro | 4 Comments

Guides, Linux, Privilege Escalation

Linux Privilege Escalation – Exploiting User Groups

Introduction

In Linux, groups are an attribute that can be allocated to users to allow them to access certain files/binaries or perform certain actions in the operating system.

Some groups, when assigned to a given user, can allow them to perform actions that go beyond their usual privileges and potentially escalate privileges to root.

February 14, 2021 | by Stefano Lanaro | Leave a comment

Buffer Overflow, Guides, Stack Buffer Overflow

Complete Guide to Stack Buffer Overflow (OSCP Preparation)

Introduction

Stack buffer overflow is a memory corruption vulnerability that occurs when a program writes more data to a buffer located on the stack than what is actually allocated for that buffer, therefore overflowing to a memory address that is outside of the intended data structure.

This will often cause the program to crash, and if certain conditions are met, it could allow an attacker to gain remote control of the machine with privileges as high as the user running the program, by redirecting the flow execution of the application to malicious code.

The purpose of this guide is to teach the basics of stack buffer overflow, especially for students preparing for the OSCP certification exam.

February 10, 2021 | by Stefano Lanaro | 12 Comments

Guides, Linux, Privilege Escalation

Linux Privilege Escalation – SUID Binaries

Introduction

Linux has several access attributes that can allow users or groups to perform certain actions against files, such as execute, modify or view files.

SUID (Set User Identification) and GUID (Set Group Identification) are permissions that allow users to execute a binary or script with the permissions of its owner (SUID) or of its group (GUID).

Some binaries have this permission by default as they require to perform certain actions with elevated privileges, for example the passwd binary needs to run as root in order to change a user’s password, although certain binaries can be exploited to escalate privileges if they have the SUID bit set.

February 8, 2021 | by Stefano Lanaro | Leave a comment

Buffer Overflow, Guides, Stack Buffer Overflow

Stack Buffer Overflow – Exploiting SLMail 5.5

Introduction

This guide will demonstrate the various steps involved in exploiting the remote buffer overflow vulnerability that is present in the Seattle Lab Mail (SLMail) 5.5 POP3 application, in order to gain remote access to a vulnerable machine.

A POC along with the vulnerable software can be found at this link.

February 7, 2021 | by Stefano Lanaro | Leave a comment

Guides, Privilege Escalation, Windows

Windows Privilege Escalation – AlwaysInstallElevated Policy

Introduction

The Windows installer is a utility which through the use MSI packages can install new software. The AlwaysInstallElevated is a Windows policy that allows unprivileged users to install software through the use of MSI packages using SYSTEM level permissions, which can be exploited to gain administrative access over a Windows machine.

This option is equivalent to granting full SYSTEM rights, which can pose a massive security risk. Microsoft strongly discourages the use of this setting.

February 3, 2021 | by Stefano Lanaro | Leave a comment

Guides, Privilege Escalation, Windows

Windows Privilege Escalation – Runas (Stored Credentials)

Introduction

Runas is a Windows command-line tool that allows a user to run specific tools, programs or commands with different permissions than the user’s current logon provides.

If a user’s credentials are cached in the system, the Runas command can be run using the /savecred flag which will automatically authenticate and execute the command as that user.

February 3, 2021 | by Stefano Lanaro | Leave a comment

Guides, Privilege Escalation, Windows

Windows Privilege Escalation – Weak Permission

Introduction

Windows services are sometimes configured with weak permissions linked to the service itself, or to the directory the service is being run from.

This can allow attackers to manipulate the service in order to execute arbitrary code when it starts and escalate privileges to SYSTEM.

February 2, 2021 | by Stefano Lanaro | Leave a comment

Guides, Privilege Escalation, Windows

Windows Privilege Escalation – Unquoted Service Paths

Introduction

This is a vulnerability that manifests itself whenever the path to the executable used for a service is not surrounded by quotes.

This can be exploited to execute an arbitrary binary when the vulnerable service starts, which could allow to escalate privileges to SYSTEM

February 1, 2021 | by Stefano Lanaro | Leave a comment

Guides, Linux, Privilege Escalation

Linux Privilege Escalation – Scheduled Tasks

Introduction

Linux-based operating systems, like most systems, have a way of scheduling the launch of programs or scripts based on certain time intervals to help automate recurring tasks. This can often become weaknesses and allow attackers to escalate privileges to root if improperly configured.

This guide will go through the main methods used to exploit scheduled tasks.

January 30, 2021 | by Stefano Lanaro | Leave a comment