Windows Privilege Escalation – Insecure GUI Applications

Introduction

Certain applications may be running or may be allowed to run with higher privileges than the current user due to their need to access particular system files or simply due to misconfigurations. Since anything done within the said application will be executed with the privileges of the process, if it allows to perform other actions such as opening a command prompt or running executables those will also be executed with high privileges, therefore allowing to escalate privileges.

September 27, 2021 | by Stefano Lanaro | Leave a comment

Guides, Linux, Privilege Escalation

Linux Privilege Escalation – Exploiting User-Defined Functions

Introduction

User-Defined Functions in MySQL are used to extend the functionality by adding external code that will work the same as inbuilt functions. Certain versions of MySQL are affected by vulnerabilities that could allow attackers with database root access to execute code in the context of the MySQL process, which is often root, and escalate privileges.

August 28, 2021 | by Stefano Lanaro | Leave a comment

Guides, Privilege Escalation, Windows

Windows Privilege Escalation – Startup Applications

Introduction

Windows allows users to set specific applications to automatically start whenever a user authenticates, by placing their executables in a directory designed specifically for startup programs. Although this feature can be very handy, if startup programs are set up with improper permissions it may allow attackers to escalate privileges, as these programs are executed in the context of the user who is logging in at that point in time.

August 14, 2021 | by Stefano Lanaro | Leave a comment

Guides, Linux, Privilege Escalation

Linux Privilege Escalation – Exploiting Capabilities

Introduction

Capabilities in Linux are special attributes that can be allocated to processes, binaries, services and users and they can allow them specific privileges that are normally reserved for root-level actions, such as being able to intercept network traffic or mount/unmount file systems. If misconfigured, these could allow an attacker to elevate their privileges to root.

June 13, 2021 | by Stefano Lanaro | Leave a comment

Guides, Linux, Privilege Escalation

Linux Privilege Escalation – Exploiting NFS Shares

Introduction

Network File System is a protocol that allows users to access files over a computer network much like local storage is accessed, like many other protocols, it builds on the Open Network Computing Remote Procedure Call (ONC RPC) system. If misconfigured, it could allow regular users to escalate privileges to root.

June 2, 2021 | by Stefano Lanaro | Leave a comment

Guides, Privilege Escalation, Windows

Windows Privilege Escalation – Exploiting Autorun

Introduction

Windows allows users to set specific programs to automatically start whenever the system boots, the list of programs that have this functionality enabled is stored in the Windows Registry. Although this feature can be very handy if startup programs are setup with improper permissions it may allow attackers to escalate privileges, as these programs are executed in the context of the user who is logging in at that point in time.

May 8, 2021 | by Stefano Lanaro | Leave a comment

Guides, Linux, Privilege Escalation

Linux Privilege Escalation – Vulnerable Sudo Version

Introduction

Sudo is a program for Unix-like operating systems that allows users to run programs with the security privileges of another user, by default the superuser. It originally stood for “superuser do” as the older versions of Sudo were designed to run commands only as the superuser. It is commonly used in scenarios where normal users need to be able to perform actions as root.

Over the years, certain versions of Sudo were found to be affected by vulnerabilities that allowed attackers to escalate privileges to root, this guide will demonstrate how to identify a vulnerable Sudo version and how to exploit it in order to perform privilege escalation.

May 2, 2021 | by Stefano Lanaro | Leave a comment

Guides, Privilege Escalation, Windows

Windows Privilege Escalation – Kernel Exploits

Introduction

The kernel is a component of the operating system that sits at the core of it, it has complete control over everything that occurs in the system. Because of this, exploiting vulnerabilities in the kernel will pretty much always result in a full system compromise.

Kernel exploits affect a certain version of a kernel or operating system and they are generally executed locally on the target machine in order to escalate privileges to system.

April 24, 2021 | by Stefano Lanaro | Leave a comment

Guides, Linux, Privilege Escalation

Linux Privilege Escalation – Exploiting Shell Sessions

Introduction

The Linux shell (or terminal) is a program that receives commands from the user, gives them to the operating system to process, and then displays the output on the screen. To make life easier when interacting with a system through a shell, terminal multiplexers can be used; these are software applications that have the ability to combine several separate pseudoterminal-based login sessions inside a single terminal display and they are particularly useful when dealing with multiple programs from a command-line interface and for creating sub-processes that will continue running even when the user is disconnected. Their main purpose is to increase productivity, by allowing users to run multiple programs within a single interface and switch between them seamlessly.

If a terminal multiplexer session is still active as a privileged user (or a different user from the current one), a low-privileged user could be able to attach to it to elevate its access to the user the multiplexer session is running as.

April 19, 2021 | by Stefano Lanaro | Leave a comment

Guides, Privilege Escalation, Windows

Windows Privilege Escalation – DLL Hijacking

Introduction

DLLs (Dynamic Link Library) are libraries that contain code and procedures used by Windows programs. They are similar to EXE files as they are based on the Portable Executable (PE) file format although they cannot be executed directly. They are similar to .so (Shared Library) files in Unix.

DLL hijacking is a method of injecting malicious code into a given service or application by loading an evil DLL, often replacing the original one, that will be executed when the service starts. This is possible due to the way some Windows applications search and load DLLs, more specifically, if the path to a service’s DLL isn’t already loaded or stored in the system, Windows will start looking for it in the environment path, an attacker can therefore place the malicious DLL in a directory that is part of it to trigger the malicious code.

March 31, 2021 | by Stefano Lanaro | 6 Comments