My 5 Top Ways to Escalate Privileges

During a penetration test, rarely will the tester get access to a system with the administrator privileges in the first attempt. You are almost always required to use privilege escalation techniques to achieve the penetration test goals.

Several people have extensively discussed this topic, instead I decided to mention my top 5 favorite ways for accomplishing privilege escalation in the most practical ways possible.

I do not specify the escalation path, but the techniques below will fit most cases. For example: fromSYSTEM to domain account; from restricted domain account to SYSTEM/domain administrator; anonymous to system account; and so on.

1 – Dumping the SAM file

This is probably the most common way to escalate privileges. Often, it is possible to retrieve the LM hashes from a system that may include some domain credentials.

Depending on the penetration test, this can be done repeatedly, on many servers, until you find a domain administrator's hash. It is also possible to utilize the shadow copy feature from Microsoft Systems to get the "SYSKEY" and "SAM" files. One of the possible tools that could be used for this is hobocopy.

Here are some of the tools used: gsecdump, fgdump, pwdump, meterpreter, hobocopy.

Figure 1: Dumping the SAM file using gsedump

2 – RETRIEVING THE /ETC/PASSWD FILE

When you either have credentials or some other type of access to aUnix's file system (when there is a non-chrooted FTP server, for example), it might be a very good idea retrieve the /etc/passwd file. With that file in hand you can simply enumerate the usernames of that particular system. Since users are still not used to creating or using strong passwords (specially when there is no policy enforcing), trying the username as the password for that account is always a good guess.

Figure 2: Accessing a non-chrooted FTP server and downloading the /etc/passwd file

3 – Weak Permissions on Processes

If you are in a system with high privileges (SYSTEM user on Windows systems), you will probably might want to take a look over the services running in that computer and check what users are running those services.

There is always the possibility to inject a malicious code in one of those processes and, with that retrieve privileges from the process owner, such as a domain administrator.

Tools: Process Injector (http://www.tarasco.org/security/Process_Injector/) 

Figure 3: Listing processes with "Process Injector" tool

4 – Sensitive Information Stored in Shared Folders

Shared folders can be very useful while doing a penetration test. The main reason is because it is quite common to find sensitive information being stored in those Shared Folders with either a few restrictions or none at all. I have already mentioned something similar on my last blog post but I do not see why I can not mention this technique again since it is usually very successful.

Tools: Metasploit (auxiliary/scanner/smb/smb_enumshares) – http://www.metasploit.com

[*] 10.0.20.36:139 IPC$ - Remote IPC (IPC), ADMIN$- Remote Admin (DISK), C$ - Default share (DISK)

[*] 10.0.20.37:139 print$ - Printer Drivers(DISK), Left_Xerox - Left_Xerox (PRINTER), C$ - Default share (DISK), intfaces- (DISK), Right_Xerox - Right_Xerox(PRINTER), Mailroom - Mailroom (PRINTER), *****4300 - ***** HP LaserJet 4300(PRINTER), F$ - Default share (DISK), Ops_Xerox - Ops_Xerox (PRINTER), IPC$ -Remote IPC (IPC), hp3380 - hp4240 (PRINTER), G$ - Default share (DISK), W$ -Default share (DISK), ADMIN$ - Remote Admin (DISK), Exec_Xerox - Exec_Xerox(PRINTER), T$ - Default share (DISK), LawsonPrint - PROACCT01 Lawson PrintDirectory (DISK), E$ - Default share (DISK), pospay - Bank Positive Pay Transaction Folder (DISK), Acct_4240 -Capex (PRINTER)

5 – DLL Preloading

Utilizing a combination of DLL preloading vulnerability and having access to network shares, a pen tester could look for a widely utilized shared folder where users actually execute certain applications from. Once this shared folder is found, the pen tester could replace one of the legitimate DLLs by a specially crafted malicious DLL.

There are already some countermeasures to this attack being applied by different software vendors, however it is always worth a shot.

A list of vulnerable applications can be accessed here:

http://www.exploit-db.com/dll-hijacking-vulnerable-applications/

I decided to blog about this for a few reasons: These techniques not only could be very helpful for anyone executing a penetration test, but they are also still very reliable in the process of compromising systems for most of the environments. If you job isn't penetration testing but defending against attacks it is a good idea that you are aware of these methods as well.