Privilege Escalation Techniques E-Book

Privilege Escalation Techniques

Learn the art of exploiting Windows and Linux systems

Alexis Ahmed

BIRMINGHAM—MUMBAI

Privilege Escalation Techniques

Copyright © 2021 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Group Product Manager: Vijin Boricha

Publishing Product Manager: Vijin Boricha

Senior Editor: Shazeen Iqbal

Content Development Editor: Romy Dias

Technical Editor: Shruthi Shetty

Copy Editor: Safis Editing

Project Coordinator: Shagun Saini

Proofreader: Safis Editing

Indexer: Manju Arasan

Production Designer: Prashant Ghare

First published: October 2021

Production reference: 1061021

Published by Packt Publishing Ltd.

Livery Place

35 Livery Street

Birmingham

B3 2PB, UK.

ISBN 978-1-80107-887-0

www.packt.com

In loving memory of my late grandfather.

Contributors

About the author

Alexis Ahmed is an experienced penetration tester and security researcher with over 7 years of experience in the cybersecurity industry. He started off his career as a Linux system administrator and soon discovered a passion and aptitude for security and transitioned into a junior penetration tester. In 2017, he founded HackerSploit, a cybersecurity consultancy that specializes in penetration testing and security training, where he currently works as a senior penetration tester and trainer.

Alexis has multiple cybersecurity certifications, ranging from the CEH and Sec+ to OSCP, and is a certified ISO 27001 associate. He is also an experienced DevSecOps engineer and helps companies secure their Docker infrastructure.

I would like to thank my family for giving me the space and support I've needed to write this book, even while the COVID-19 global pandemic was raging around us. I would like to thank the entire Packt editing team, which has helped, guided, and encouraged me during this process, and I'd like to give special thanks to Romy Dias, who edited most of my work, and Andy Portillo, who helped me with the technical aspects of the book.

About the reviewer

Andy Portillo (n3t1nv4d3) holds an MS in information assurance and cybersecurity. He holds several certifications ranging from Offensive Security's OSCP and OSWP to Pentester Academy's CRTE and CARTP, ISC² CISSP, SANS GWAPT, and GEVA, and ISACA's CISA and CDPSE. Andy has 8 years of experience in a wide range of information security disciplines and has industry experience in finance, payment cards, and academia. His career started as a network engineer before gaining extensive information security experience through roles including IS analyst and penetration tester, and he is currently working as a manager in a SecOps (vapt) team and lecturer at the University of Southern California. Above all the previously stated, he is a father, husband, and hacker!

To my wife and kids, thank you for your understanding and patience with me as I continue down my ever-growing learning paths and venture into a multitude of information security areas – working, teaching, studying, and now reviewing books.

Table of Contents

Preface

Section 1: Gaining Access and Local Enumeration

Chapter 1: Introduction to Privilege Escalation

What is privilege escalation?

How permissions and privileges are assigned

Horizontal privilege escalation

Vertical privilege escalation

Understanding the differences between privilege escalation on Windows and Linux

Windows security

Linux security

Exploring the types of privilege escalation attack

Kernel exploits

Exploiting SUID binaries

Exploiting vulnerable services and permissions

Insecure credentials

Exploiting SUDO

Summary

Chapter 2: Setting Up Our Lab

Technical requirements

Designing our lab

Virtualization

Hypervisors

Lab structure

Building our lab

Installing and configuring VirtualBox

Configuring a virtual network

Setting up our target virtual machines

Setting up Kali Linux

Putting it all together

Summary

Chapter 3: Gaining Access (Exploitation)

Technical requirements

Setting up Metasploit

The Metasploit structure

Setting up the Metasploit framework

Information gathering and footprinting

Network mapping with Nmap

Vulnerability assessment

Gaining access

Exploiting Metasploitable3

Exploiting Metasploitable2

Summary

Chapter 4: Performing Local Enumeration

Technical requirements

Understanding the enumeration process

Windows enumeration

System enumeration

User and group enumeration

Network enumeration

Password enumeration

Firewall and antivirus enumeration

Automated enumeration tools

Linux enumeration

System enumeration

User and group enumeration

Network enumeration

Automated enumeration tools

Summary

Section 2: Windows Privilege Escalation

Chapter 5: Windows Kernel Exploits

Technical requirements

Understanding kernel exploits

What is a kernel?

Windows NT

The Windows kernel exploitation process

Kernel exploitation with Metasploit

Manual kernel exploitation

Local enumeration

Transferring files

Enumerating kernel exploits

Compiling Windows exploits

Running the kernel exploit

Summary

Chapter 6: Impersonation Attacks

Technical requirements

Understanding Windows access tokens

Windows access tokens

Token security levels

Abusing tokens

Enumerating privileges

Token impersonation attacks

Potato attacks overview

Escalating privileges via a Potato attack

Manual escalation

Summary

Chapter 7: Windows Password Mining

Technical requirements

What is password mining?

Searching for passwords in files

Searching for passwords in Windows configuration files

Searching for application passwords

Dumping Windows hashes

SAM database

LM and NTLM hashing

Cracking Windows hashes

Cracking Windows hashes with John the Ripper

Authentication

Summary

Chapter 8: Exploiting Services

Technical requirements

Exploiting services and misconfigurations

Exploiting unquoted service paths

Exploiting secondary logon

Exploiting weak service permissions

DLL hijacking

Setting up our environment

The DLL exploitation process

Summary

Chapter 9: Privilege Escalation through the Windows Registry

Technical requirements

Understanding the Windows Registry

What is the Windows Registry?

How the Windows Registry stores data

Exploiting Autorun programs

Exploiting the Always Install Elevated feature

Exploiting weak registry permissions

Summary

Section 3: Linux Privilege Escalation

Chapter 10: Linux Kernel Exploits

Technical requirements

Understanding the Linux kernel

Understanding the Linux kernel exploitation process

Setting up our environment

Kernel exploitation with Metasploit

Manual kernel exploitation

Local enumeration tools

Transferring files

Enumerating system information

Enumerating kernel exploits

Running the kernel exploit

Summary

Chapter 11: Linux Password Mining

Technical requirements

What is password mining?

Setting up our environment

Extracting passwords from memory

Searching for passwords in configuration files

Searching for passwords

Transferring files

Searching for passwords in history files

Summary

Chapter 12: Scheduled Tasks

Technical requirements

Introduction to cron jobs

The crontab file

Escalation via cron paths

Enumeration with linPEAS

Transferring files

Finding cron jobs with linPEAS

Escalating privileges via cron paths

Escalation via cron wildcards

Escalation via cron file overwrites

Summary

Chapter 13: Exploiting SUID Binaries

Technical requirements

Introduction to filesystem permissions on Linux

Changing permissions

Understanding SUID permissions

Searching for SUID binaries

Searching for SUID binaries manually

Searching for SUID binaries with linPEAS

Identifying vulnerable SUID binaries

Escalation via shared object injection

Summary

Other Books You May Enjoy

Preface

This book is a comprehensive guide on the privilege escalation process for Windows and Linux systems and is designed to be practical and hands-on by providing you with real-world exercises and scenarios in the form of vulnerable environments and virtual machines. The book starts off by introducing you to privilege escalation and covers the process of setting up a hands-on virtual hacking lab that will be used to demonstrate the practical aspects of the techniques covered during the course of this book. Each chapter of this book builds on the previous chapter and validates the learning process by providing you with exercises and scenarios that you can replicate.

You will learn how to enumerate as much information as possible from a target system, utilize manual and automated enumeration tools, elevate privileges on Windows systems by leveraging various techniques, such as impersonation attacks or kernel exploits, among many others, and elevate privileges on Linux systems through the use of kernel exploits or by exploiting SUID binaries.

This book is sorted into three sections that build on each other, whereby the first section covers the introduction to privilege escalation, the process of obtaining the initial foothold on a target system, and enumerating information from target systems. The next two sections are dedicated to covering the various privilege escalation techniques and tools for both Windows and Linux systems.

This book will provide you with the necessary skills to enumerate information from target systems, identify potential vulnerabilities, and utilize manual techniques or automated tools in order to elevate their privileges on the target system.

Who this book is for

This book is designed for students, cyber security professionals, enthusiasts, security engineers, penetration testers, or for anyone who has a keen interest in penetration testing or information security. This book can be used as study material for individuals, companies, or training organizations.

Regardless of whether you're a student new to the information technology industry or a seasoned professional, this book has something to offer and is packed with useful information that you can use to improve your penetration testing skills.

What this book covers

Chapter 1, Introduction to Privilege Escalation, introduces you to the privilege escalation process, the various types of privilege escalation attacks, and the differences between privilege escalation on Windows and Linux.

Chapter 2, Setting Up Our Lab, introduces you to the concept of virtualization, how to build your own penetration testing lab, how to set up vulnerable virtual machines, and installing and configuring Kali Linux.

Chapter 3, Gaining Access (Exploitation), focuses on the process of setting up the Metasploit framework, performing information gathering with Nmap, identifying vulnerabilities, and exploiting them to gain access to a system.

Chapter 4, Performing Local Enumeration, covers the process of enumerating information from Windows and Linux systems manually and automatically.

Chapter 5, Windows Kernel Exploits, explores the process of performing kernel exploitation manually and automatically with Metasploit in order to elevate your privileges.

Chapter 6, Impersonation Attacks, explains how Windows access tokens work, outlines the process of enumerating privileges, explains token impersonation attacks, and covers the process of elevating your privileges via the Rotten Potato attack.

Chapter 7, Windows Password Mining, explores the process of searching for passwords in files and Windows configuration files, searching for application passwords, dumping Windows hashes, and cracking dumped password hashes in order to elevate your privileges.

Chapter 8, Exploiting Services, covers the process of exploiting unquoted service paths, exploiting the secondary logon handle, exploiting weak service permissions, and performing DLL hijacking.

Chapter 9, Privilege Escalation through the Windows Registry, examines the process of exploiting weak registry permissions, autorun programs, and exploiting the Always Install Elevated feature.

Chapter 10, Linux Kernel Exploits, explains the workings of the Linux kernel and covers the process of performing kernel exploitation both manually and automatically with Metasploit.

Chapter 11, Linux Password Mining, focuses on the process of extracting passwords from memory, searching for passwords in configuration files, and searching for passwords in Linux history files.

Chapter 12, Scheduled Tasks, introduces you to cron jobs on Linux and covers the process of escalating your privileges by exploiting cron paths, cron wildcards, and cron file overwrites.

Chapter 13, Exploiting SUID Binaries, outlines how filesystem permissions on Linux work and explores the process of searching for SUID binaries and elevating your privileges through the use of shared object injection.

To get the most out of this book

To get the most out of this book, you should have a fundamental understanding of networking, specifically TCP/IP, UDP, and their respective protocols. Furthermore, given the nature of the techniques covered in the book, you should have basic familiarity with the workings and functionality of Windows and Linux.

The hardware required to follow the techniques and exploits in this book is fairly standard. You can use a laptop or desktop computer that supports virtualization and is capable of running Oracle VirtualBox. As per the hardware and operating system specifications, the following configuration is recommended:

If you are using the digital version of this book, we advise you to type the code yourself or access the code from the book's GitHub repository (a link is available in the next section). Doing so will help you avoid any potential errors related to the copying and pasting of code.

Code in Action

The Code in Action videos for this book can be viewed at https://bit.ly/3CPN0DU.

Download the color images

We also provide a PDF file that has color images of the screenshots and diagrams used in this book. You can download it here: https://static.packt-cdn.com/downloads/9781801078870_ColorImages.pdf.

Conventions used

There are a number of text conventions used throughout this book.

Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "After downloading the Bash script to our Kali VM, we need to transfer the linpeas.sh file to our target virtual machine."

A block of code is set as follows:

#include <stdio.h>

#include <stdlib.h>

static void inject() __attribute__((constructor));

void inject() {

system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p");

}

When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:

#include <stdio.h>

#include <stdlib.h>

static void inject() __attribute__((constructor));

void inject() {

system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p");

}

Any command-line input or output is written as follows:

ls -al /home/user/

Bold: Indicates a new term, an important word, or words that you see onscreen. For instance, words in menus or dialog boxes appear in bold. Here is an example: "Select System info from the Administration panel."

Tips or important notes

Appear like this.

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, email us at [email protected] and mention the book title in the subject of your message.

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form.

Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Share Your Thoughts

Once you've read Privilege Escalation Techniques, we'd love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.

Your review is important to us and the tech community and will help us make sure we're delivering excellent quality content.

Section 1: Gaining Access and Local Enumeration

This section will give you an introduction to the privilege escalation process and will cover the process of gaining an initial foothold on the target system and how to perform local enumeration on target systems in order to identify potential vulnerabilities.

The following chapters are included in this section:

Chapter 1: Introduction to Privilege Escalation

Privilege escalation is a vital element of the attack life cycle and is a major determinant in the overall success of a penetration test.

The importance of privilege escalation in the penetration testing process cannot be overstated or overlooked. Developing your privilege escalation skills will mark you out as a good penetration tester. The ability to enumerate information from a target system and utilize this information to identify potential misconfigurations and vulnerabilities that can be exploited to elevate privileges is an essential skill set for any penetration tester.

This chapter aims to give you a clearer picture and understanding of the privilege escalation process and will act as a formal introduction to the various types of privilege escalation techniques, and how the process differs between Windows and Linux systems.

To fully understand and leverage the various privilege escalation tools and techniques, you first need to understand how permissions and privileges are implemented on various operating systems and how these differences in design and implementation affect the privilege escalation process as a whole.

By the end of this chapter, you will have a clear understanding of what privilege escalation is, and you will also understand how permissions are implemented on Windows and Linux systems and get a brief introduction to the various privilege escalation techniques that we will be exploring in depth in the upcoming chapters.

In this chapter, we will cover the following topics:

What is privilege escalation?

Privilege escalation is the process of exploiting vulnerabilities or misconfigurations in systems to elevate privileges from one user to another, typically to a user with administrative or root access on a system. Successful privilege escalation allows attackers to increase their control over a system or group of systems that belong to a domain, giving them the ability to make administrative changes, exfiltrate data, modify or damage the operating system, and maintain access through persistence, such as registry edits or cron jobs.

From a penetration tester's perspective, privilege escalation is the next logical step after the successful exploitation of a system and is typically performed by bypassing or exploiting authentication and authorization systems, whose purpose is to segregate user accounts based on their permissions and role.

A typical approach would be to use an initial access or foothold on a system to gain access to resources and functionality that is beyond what the current user account permissions offer. This process is commonly referred to as getting root privileges on a system.

Before we can get started with the various privilege escalation techniques, we need to understand how user accounts and permissions are implemented in modern operating systems.

How permissions and privileges are assigned

To better understand how to elevate privileges, we need to first understand how operating systems are designed in relation to user accounts and privilege.

Operating systems' authorizations are designed to handle multiple users with multiple roles and permissions. This segregation of roles is the primary factor behind the various user account implementation philosophies that are implemented in operating systems today.

This abstraction of user roles and permissions on a system is set up and facilitated by a system called a protection ring, as demonstrated in Figure 1.1. This specifies limits and enforces the functionality of users on a system and their corresponding access to resources.

As the name suggests, a protection ring is a hierarchical protection and segregation mechanism used to provide different levels of access to functionality and resources on a system. The various rings in the hierarchy represent layers of privilege within the operating system, as illustrated in the following screenshot:

Figure 1.1 – Protection ring

The rings in the hierarchy illustrated in Figure 1.1 are sorted and arranged from the most privileged (typically denoted by level 0) to the least privileged, where the least privileged is represented by the highest ring number. This segregation of privileges on a system leads to the adoption of two main roles, as follows:

1. The ability to install, uninstall, and modify system software or binaries

2. The ability to add, modify, or remove users and user groups

3. The ability to create, access, modify, and delete any system or user data

4. The ability to access and have control over all system hardware

5. The ability to access network functionality and networking utilities

6. The ability to create, manage, and kill system and user processes

1. The ability to start and stop user processes and programs

2. The ability to create, modify, and delete user data

3. The ability to have access to network functionality

This segregation of permissions highlights the importance of privilege escalation for penetration testers or attackers as it offers total and unparalleled control over a system or, potentially, a group of systems if they can get "root" or administrative access on a system.

Given the nature of privilege escalation attacks in relation to user accounts and permissions, there are two main methods of performing privilege escalation that can be utilized by attackers based on their intentions and objectives, as follows:

We will take a closer look at what they are in the next section.

Horizontal privilege escalation

Horizontal privilege escalation is the process of accessing the functionality or data of other user accounts on a system, as opposed to gaining access to accounts with administrative or root privileges. It primarily involves accessing or authorizing functionality on a system using accounts that are on the same user level of permissions, as opposed to user accounts that are higher up and that have more privileges and permissions.

Attackers or penetration testers would typically perform this type of privilege escalation attack if they were interested in accessing unprivileged user account data or in harvesting user account credentials or password hashes.

Scenario

The following screenshot illustrates a typical account setup on a computer, where we have two unprivileged users and one privileged user. In this case, the two unprivileged users are John and Mike, and the privileged user is Collin:

Figure 1.2 – Horizontal privilege escalation scenario

In this scenario, John is attempting to perform a typical horizontal privilege escalation attack by escalating his user account privileges to the account privileges of Mike. Note that John and Mike are on the same horizontal privilege level.

Figure 1.2 clearly outlines the sole objective of horizontal privilege escalation, the objective being to elevate privileges to user accounts that are on the same horizontal level as the user account performing the attack.

Vertical privilege escalation

Vertical privilege escalation is the process of exploiting a vulnerability in an operating system to gain root or administrative access on a system. This method is usually preferred by attackers and penetration testers as it offers the biggest payout given the permissions and functionality, as they now have total access and control over the system(s).

The following screenshot outlines a bottom-up approach to user account permissions and privileges, where the topmost account has the highest privileges, is the least accessible, and is typically assigned to system administrators. The lowest accounts are set up and configured to be used by standard users and services that require no administrative privileges as part of their daily tasks:

Figure 1.3 – Vertical privilege escalation

Figure 1.3 also illustrates a vertical approach to elevating privileges based on the user account and permissions for both Windows and Linux systems, the objective being to laterally move up the pecking order to the account with the highest privileges, therefore giving you complete access to the system.

Important note

Vertical privilege escalation may not solely emanate from the exploitation of a vulnerability within an operating system or service. It is common to find misconfigured systems and services that may allow non-administrative user accounts to run commands or binaries with administrative permissions. We will take a look at the various privilege escalation techniques in the upcoming chapters.

Scenario

The following screenshot illustrates a typical account setup on a computer, where we have two unprivileged users and one privileged user. In this case, the two unprivileged users are John and Mike, and the privileged user is Collin:

Figure 1.4 – Vertical privilege escalation scenario

For this scenario, Figure 1.4 illustrates a traditional vertical privilege escalation method where the user John is attempting to elevate privileges to the administrator account, which is Collin's account. If successful, John will get access to administrative privileges and will be able to access all user accounts and files, therefore giving him total access and control over the system. This scenario demonstrates the importance and potential impact of a successful vertical privilege escalation attack.

Now that we have an understanding of the two main privilege escalation methods and how they are orchestrated, we can begin taking a look at the various differences between privilege escalation on Windows and Linux.

Understanding the differences between privilege escalation on Windows and Linux

Now that we have a general understanding of how user accounts and permissions are implemented and have looked at the two main methods of performing privilege escalation, we can begin taking a look at the differences between Linux and Windows in the context of privilege escalation attacks and at how their individual design and development philosophies affect the privilege escalation process.

This nuanced approach will give us clarity on the strengths and weaknesses of both operating systems and their corresponding kernels in relation to vulnerabilities and potential exploitation.

The following table outlines common potential attack vectors for both operating systems and the services that can be exploited to elevate privileges:

Table 1.1 – Common potential attack vectors

To fully understand the differences between the two operating systems in terms of potential vulnerabilities and attack vectors, we need to understand how they handle authentication and security as this will give us an idea of where the security pitfalls exist. It is important to note, however, that the security differences between Windows and Linux boil down to their unique design philosophy.

Windows security

Windows is a proprietary operating system that is owned and developed by the Microsoft Corporation and controls a majority of the PC market share at about 93%, which means that most companies are likely to be running Windows clients for their end users and/or Windows Server deployments for their critical infrastructure.

For this reason, Windows is more likely to be running on employee laptops and workstations as it has a much more user-centered design (UCD) and philosophy. In order to understand the privilege escalation process on Windows, we need to understand how Windows manages and maintains system security. In order to do this, we will need to take a closer look at various components that are responsible for managing and maintaining authentication and security on Windows.

User authentication

Authentication is the process of verifying the identity of a user who is trying to access a system or system resource.

Authentication on most modern operating systems is typically enforced through a username and password combination; however, operating systems have begun implementing additional layers of authentication, in addition to implementing stronger encryption algorithms for user passwords.

Passwords and password hashes are usually a target for penetration testers, and we will take a look at how to dump system passwords and hashes later in the book.

User authentication on Windows is handled by the Windows Logon (Winlogon) process and Security Account Manager (SAM). SAM is a database that is used to manage and store user accounts on Windows systems.

Modern releases of Windows utilize the New Technology LAN Manager 2 (NTLM2) encryption protocol for password hashing and encryption, which is significantly stronger than the LAN Manager (LM) encryption protocol present in older versions of Windows.

Authentication onto domains on Windows is typically facilitated by authentication protocols such as Kerberos.

User identification

User identification is used to uniquely identify users on a system and is also used to establish a system of accountability, as actions performed on a system can be tracked down to the user who made or performed them. Understanding how identification works and is implemented on Windows is extremely useful in the privilege escalation process to identify users on a system, along with their roles and groups.

The process of user identification on Windows utilizes a security identifier (SID) for identification. Each user and group has a unique SID that consists of the components outlined in the following screenshot:

Figure 1.5 – Sample Windows SID

The different parameters from the preceding SID are discussed as follows:

- Null: 0

- World authority: 1

- Local authority: 2

- Creator authority: 3

- Non-unique authority: 4

- NT authority: 5

- Administrator: 500

- Guest user: 501

- Domain administrator: 512

- Domain computer: 515

You can enumerate the SIDs on a Windows system by running the following command in Command Prompt (CMD):

wmic useraccount get name,sid

This command will enumerate all user account SIDs on the system, as illustrated in the following screenshot. Pay close attention to the RIDs as they can be used to quickly identify administrator and guest accounts:

Figure 1.6 – Enumerating Windows SIDs

As displayed in Figure 1.6, we can identify user roles based on their RID, regardless of the account username. In this particular case, we have an administrator and guest account set up and they can be identified by their RID.

Access tokens

An access token is an object that describes and identifies the security context of a process or thread on a system. The access token is generated by the Winlogon process every time a user authenticates successfully, and includes the identity and privileges of the user account associated with the thread or process. This token is then attached to the initial process (typically the userinit.exe process), after which all child processes will inherit a copy of the access token from their creator and will run under the same access token.

On Windows, an access token will comprise the following elements:

We can list out the access token of a user by running the following command in the CMD:

Whoami /priv

If the user is unprivileged, the access token will be restricted, as outlined in the following screenshot:

Figure 1.7 – Restricted access token

It is important to note that the user highlighted in Figure 1.7 has administrative privileges; however, the cmd.exe process uses an access token that restricts privileges. If we run cmd.exe as an administrator, the user's access token will be listed with all privileges, as outlined in the following screenshot:

Figure 1.8 – Privileged access token

Access tokens can be leveraged during the privilege escalation process through attacks such as primary access token manipulation attacks, which involve tricking a system into believing that a process belongs to a different user from the one who started the process. We will learn how to utilize this attack vector to escalate our privileges later in the book.

Linux security

Linux is a free and open source operating system that comprises the Linux kernel, which was developed by Linus Torvalds, and the GNU's Not Unix (GNU) toolkit, which is a collection of software and utilities that was originally started and developed by Richard Stallman. This combination of open source projects is what makes up the Linux operating system as a whole, and it is commonly referred to as GNU/Linux.

Typically, most individuals and companies are likely to be running Windows clients and will be using Linux for their critical infrastructure—for instance, mail servers, databases, web servers, and intrusion detection systems (IDSes). Given the nature and deployment of Linux servers in organizations, attacks will be much more likely to severely affect a company and cause major disruption.

User authentication

User account details on Linux are stored in a /etc/passwd file. This file contains the user account username, the user ID (UID), an encrypted password, a group ID (GID), and personal user information.

This file can be accessed by all users on the system, which means that any user on the system can retrieve the password hashes of other users on the system. This makes the hash-dumping process on Linux much more straightforward and opens the door to potential password-cracking attacks. Most older Linux distributions utilized the Message Digest Algorithm 5 (MD5) hashing algorithm, which is much easier to crack, and as a result, most newer distributions have begun utilizing and implementing the Secure Hash Algorithm 256 (SHA-256) encryption protocol, therefore making it much more difficult to crack the hashes.

Identification

User authentication on Linux is facilitated through the use of a username that corresponds to a unique UID, comprising a numeric value that is automatically assigned or manually assigned by a system administrator. The root account on Linux will always have a UID of 0.

This user information, along with the hashed user passwords, is stored in the /etc/passwd file.

Access tokens

Access tokens on Linux work in a similar way to how they work on Windows but are stored in memory (random-access memory, or RAM) and attached to processes when initialized.

The access token on Linux will contain the following information:

Now that we have an understanding of the various authentication and security components used on Windows and Linux, we can take a look at the various types of privilege escalation attack and how they exploit the aforementioned security mechanisms.

Exploring the types of privilege escalation attack

We can now explore the most common privilege escalation attacks and how they work. The objective is to get a basic picture of the types of privilege escalation attack available and to understand how they are exploited.

We will take a look at how to exploit these vulnerabilities in depth on both Windows and Linux systems in the upcoming chapters.

Kernel exploits

Kernel exploits are programs or binaries that affect both Windows and Linux and are designed to exploit vulnerabilities in the underlying kernel, to execute arbitrary code with elevated or "root" permissions.

The exploitation process is multi-faceted and requires a good amount of enumeration in order to determine the operating system version and installed patches or hotfixes, and consequently whether it is affected by any kernel exploits, after which the kernel exploit code can be retrieved through various exploit repositories such as exploit-db. The exploit code should then be inspected and customized based on the required parameters and functionality. After customization, the code can be compiled into a binary and transferred over to the target for execution. In some cases, the exploit code will need to be downloaded and compiled on the target if it relies on certain dependencies.

After successful compilation and execution of the binary, the kernel exploit will grant the attacker "root" access on the target system in the form of a shell prompt, where they can run commands on the system with "root" privileges.

In many cases, precompiled kernel exploits for Windows already exist online and can be downloaded and executed directly, therefore avoiding the compilation