
Privilege Escalation


Once you've spawned a shell on the box you're pentesting, you might wonder: "What's next?" This article aims to answer some of that.

One of the first things you'll want to do is escalate from the account you landed in, say 'apache' or 'nobody', to root (the superuser). Like most of pentesting, this takes some luck, critical thinking and a careless administrator. The most common route is a local root exploit: a program that abuses a bug in an outdated kernel to get code executed with kernel privileges, or to trigger some other unintended action that ends with your code running as root.


Privilege Escalation - *NIX

This section assumes you can already run commands on the target, as an unprivileged user, and want to escalate from there.

One of the first things to check is the kernel version:

$ uname -a
Linux hostname 4.0.5-1-ARCH #1 SMP PREEMPT Sat Jun 6 18:37:49 CEST 2015 x86_64 GNU/Linux

The release string (4.0.5-1-ARCH) is the upstream kernel version (4.0.5) followed by the distribution's package revision (-1) and suffix (-ARCH); the rest of the line gives the build options and date (#1 SMP PREEMPT, built 6 June 2015) and the machine architecture (x86_64). You need all three to pick a local root exploit: the version decides whether the bug is present at all, the architecture decides which exploit and which compiler flags you need, and the build date is a sanity check, because enterprise distributions backport fixes without changing the version number, so a 2.6.32 kernel built in 2015 may already be patched against an exploit written for 2.6.32. Cross-check with `cat /proc/version` and `cat /etc/os-release`, and with the distribution's kernel changelog where one is available (for example `rpm -q --changelog kernel` on RPM-based systems), before spending time on an exploit.

Here are some popular and well-known local root exploits; check whether any of them matches your kernel version. The annotations give the CVE each one exploits and, where the advisory states it, the affected upstream range. None of the annotated entries reaches the 4.0.5 kernel in the example above: this list is a historical starting point for 2.6 and early 3.x kernels, not a current catalogue, and the exploit's own header comment is the authority on what it targets.

mempodipper (CVE-2012-0056, writable /proc/<pid>/mem; 2.6.39 up to 3.2.1)
semtex (CVE-2013-2094, perf_event_open; 2.6.37 up to 3.8.8)
perf_swevent (CVE-2013-2094, same bug as semtex)
half_nelson (CVE-2010-3848, CVE-2010-3849, CVE-2010-3850, Econet stack)
pipe_c (CVE-2009-3547, pipe.c NULL pointer dereference)
udp_sendmsg (CVE-2009-2698, kernels before 2.6.19)
sock_sendpage (CVE-2009-2692, sock_sendpage NULL pointer dereference; 2.6.0 up to 2.6.30.4)
dzug_c
perf_events (CVE-2013-2094, same bug as semtex)

A web search or Exploit-DB (https://www.exploit-db.com/) will turn up the source code. Read the header comment first: it usually names the kernel versions and architecture the author tested on and any compiler flags the exploit needs. Most of them compile like so:

gcc -o YOUR_EXPLOIT the_exploit.c

Some practical points. If the target is 32-bit but you are building on a 64-bit machine, add -m32 (and install the 32-bit libc headers). If the target has no gcc, which is common on hardened servers, build on a machine with the same architecture and a libc no newer than the target's, or link with -static, then copy the binary over and check it with `file` before running it. If /tmp is mounted noexec, look at the output of `mount` for a writable filesystem without that option and drop the binary there instead.
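As an added example (not part of the original article), the following POSIX shell helper turns the version check and exploit selection above into a repeatable triage: it strips a `uname -r` string down to its numeric version, compares it against a hand-maintained table of affected ranges, and lists the matching exploits. The table entries and the sample `uname -r` strings are constructed for illustration; the three ranges follow the CVE descriptions for mempodipper, perf_swevent and sock_sendpage and must be re-checked against each exploit's own header before you rely on them, and a match by version number says nothing about backported fixes.

```shell
#!/bin/sh
# Kernel-version triage for local root exploits (added example, not from the
# original article). Plain POSIX sh, no bash-isms, so it also runs on the
# dash or busybox shell found on a compromised host.

# Constructed table: name, CVE, first affected kernel, first fixed kernel.
# Ranges follow the CVE descriptions; verify against the exploit's header.
EXPLOIT_TABLE='
mempodipper CVE-2012-0056 2.6.39 3.2.2
perf_swevent CVE-2013-2094 2.6.37 3.8.9
sock_sendpage CVE-2009-2692 2.6.0 2.6.30.5
'

# "4.0.5-1-ARCH" -> "4.0.5": drop everything from the first character that
# is neither a digit nor a dot (distro revision, suffix, arch tag).
base_version() {
    printf '%s\n' "${1%%[!0-9.]*}"
}

# Nth dotted field of a version, or 0 when absent, so that 3.2 == 3.2.0.
field() {
    n=$2
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    eval "printf '%s\n' \"\${$n:-0}\""
}

# Compare two dotted versions numerically, up to four fields deep
# (2.6.30.4 vs 2.6.30.5). Prints -1, 0 or 1 for less, equal, greater.
vercmp() {
    i=1
    while [ "$i" -le 4 ]; do
        x=$(field "$1" "$i"); y=$(field "$2" "$i")
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
        i=$((i + 1))
    done
    printf '%s\n' 0
}

# Print "name CVE" for every table entry whose range contains the given
# `uname -r` string (introduced <= version < fixed). No match, no output.
triage() {
    v=$(base_version "$1")
    printf '%s\n' "$EXPLOIT_TABLE" | while read -r name cve lo hi; do
        [ -n "$name" ] || continue
        if [ "$(vercmp "$v" "$lo")" -ge 0 ] && [ "$(vercmp "$v" "$hi")" -lt 0 ]; then
            printf '%s %s\n' "$name" "$cve"
        fi
    done
}

# Constructed sample `uname -r` strings standing in for two hosts; on a real
# target pass "$(uname -r)" instead.
for sample in "3.2.0-4-amd64" "4.0.5-1-ARCH"; do
    echo "== $sample"
    hits=$(triage "$sample")
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        echo "   candidates by version only; check the distro changelog for backports"
    else
        echo "   no candidate in the table"
    fi
done
```

The comparison is deliberately numeric rather than a string match, so that 3.10 sorts after 3.9 and a 2.6.30.4 kernel is still flagged while 2.6.30.5 is not. Extending the table is a matter of adding a line per exploit; keep the "first fixed" column as the upstream version named in the advisory, and treat any hit as a lead to confirm on the box, not as proof the exploit will work.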

Privilege Escalation - ARM

Privilege Escalation - Windows