Tag

Pentesting

Guides, Privilege Escalation, Windows

Windows Privilege Escalation – Exploiting Autorun

Introduction

Windows allows users to set specific programs to start automatically whenever the system boots; the list of programs that have this functionality enabled is stored in the Windows Registry. Although this feature can be very handy, if startup programs are set up with improper permissions it may allow attackers to escalate privileges, as these programs are executed in the context of the user who is logging in at that point in time.

Guides, Linux, Privilege Escalation

Linux Privilege Escalation – Vulnerable Sudo Version

Introduction

Sudo is a program for Unix-like operating systems that allows users to run programs with the security privileges of another user, by default the superuser. It originally stood for “superuser do” as the older versions of Sudo were designed to run commands only as the superuser. It is commonly used in scenarios where normal users need to be able to perform actions as root.

Over the years, certain versions of Sudo were found to be affected by vulnerabilities that allowed attackers to escalate privileges to root. This guide will demonstrate how to identify a vulnerable Sudo version and how to exploit it in order to perform privilege escalation.

CTF Walkthroughs, VulnHub

VulnHub – Stapler: 1 Walkthrough

Introduction

This was an easy Linux machine that involved exploiting a WordPress plugin to gain access to the wp-config.php file, which contained database credentials, and uploading a malicious plugin into WordPress to gain remote access. Privilege escalation was then possible by exploiting a clear-text password left in the BASH history or an insecure cron job.

CTF Walkthroughs, Hack The Box

Hack The Box – Bucket Walkthrough

Introduction

This was an intermediate Linux box that involved exploiting an insecure AWS S3 bucket to upload a PHP reverse shell to gain remote access, using credentials found in an unprotected DynamoDB database to gain a user shell, and exploiting a vulnerable PHP script to extract the root user’s private SSH keys and escalate privileges to root through the DynamoDB database.

CTF Walkthroughs, TryHackMe

TryHackMe – Skynet Walkthrough

Introduction

This was an easy Linux box that involved accessing an open SMB share containing a list of credentials that could be used to brute-force a SquirrelMail web application, finding SMB credentials on the application to access a new share which revealed a second web application, and exploiting a remote file inclusion vulnerability in Cuppa CMS to gain remote access. Privilege escalation was possible due to a misconfigured cron job running as root and using a wildcard with the tar command.

CTF Walkthroughs, VulnHub

VulnHub – Kioptrix 1.4 Walkthrough

Introduction

This was an easy Linux box that involved exploiting a directory traversal vulnerability in the pChart web application in order to access the rules in the Apache configuration file. These revealed that a user agent change was necessary to be able to navigate to the PHPTax web application hosted on port 8080, which was affected by a remote code execution vulnerability that could be used to gain remote access to the machine. A simple kernel exploit can then be used to escalate privileges to root.

Guides, Privilege Escalation, Windows

Windows Privilege Escalation – Kernel Exploits

Introduction

The kernel is a component of the operating system that sits at its core; it has complete control over everything that occurs in the system. Because of this, exploiting vulnerabilities in the kernel will pretty much always result in a full system compromise.

Kernel exploits affect a certain version of a kernel or operating system and they are generally executed locally on the target machine in order to escalate privileges to system.

CTF Walkthroughs, Hack The Box

Hack The Box – Laboratory Walkthrough

Introduction

This was a fairly easy Linux box that involved exploiting a local file inclusion and remote code execution vulnerability in GitLab to gain remote access to the machine, obtaining administrative access to GitLab through the console to find a user’s private key, and exploiting a PATH hijack vulnerability within a SUID script to escalate privileges to root.

Guides, Linux, Privilege Escalation

Linux Privilege Escalation – Exploiting Shell Sessions

Introduction

The Linux shell (or terminal) is a program that receives commands from the user, gives them to the operating system to process, and then displays the output on the screen. To make life easier when interacting with a system through a shell, terminal multiplexers can be used; these are software applications that have the ability to combine several separate pseudoterminal-based login sessions inside a single terminal display. They are particularly useful when dealing with multiple programs from a command-line interface and for creating sub-processes that will continue running even when the user is disconnected. Their main purpose is to increase productivity by allowing users to run multiple programs within a single interface and switch between them seamlessly.

If a terminal multiplexer session is still active as a privileged user (or a different user from the current one), a low-privileged user may be able to attach to it and elevate their access to that of the user the multiplexer session is running as.
