Windows Privilege Escalation Guide
https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
https://noobsec.net/privesc-windows/
https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
https://hackmag.com/security/elevating-privileges-to-administrative-and-further/
https://github.com/codingo/Windows-Privesc/blob/master/windows%20privesc%20sectalks%20BNE0x19.pdf
Common Windows Privilege Escalation Vectors
Stored Credentials
Windows Kernel Exploit
DLL Injection
Unattended Answer File
Insecure File/Folder Permissions
Insecure Service Permissions
DLL Hijacking
Group Policy Preferences
Unquoted Service Path
Always Install Elevated
Token Manipulation
Insecure Registry Permissions
Autologon User Credential
User Account Control (UAC) Bypass
Insecure Named Pipes Permissions
Tools:
https://github.com/GDSSecurity/Windows-Exploit-Suggester
Linux Privilege Escalation Guide
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
Useful commands:
First list what the current user may run through sudo; if the non-root user in question is, for example, allowed to run perl as root, that sudo rule alone is enough to obtain a root shell:
sudo -l
sudo /usr/bin/perl -e 'exec "/bin/sh"'
Linux Privilege Escalation By Using SUID https://medium.com/@gbmbalag/linux-privilege-escalation-by-using-suid-19d37821ed12
List SUID files (the first command prints full permissions for each hit, the second restricts the search to SUID files owned by root):
find / -perm -4000 -type f -exec ls -la {} \; 2>/dev/null
find / -uid 0 -perm -4000 -type f 2>/dev/null
Example of a root privesc: https://resources.infosecinstitute.com/hack-the-box-htb-walkthrough-irked/#gref
Useful tools
This script is intended to be executed locally on a Linux box to enumerate basic system info and search for common privilege escalation vectors such as world writable files, misconfigurations, clear-text passwords and applicable exploits. https://github.com/sleventyeleven/linuxprivchecker (Note: this script does not work with python3)
Description of privesc with LinEnum : https://null-byte.wonderhowto.com/how-to/use-linenum-identify-potential-privilege-escalation-vectors-0197225/ https://github.com/rebootuser/LinEnum
The project collects legitimate functions of Unix binaries that can be abused https://gtfobins.github.io/
Linux Soft Exploit Suggester - linux-soft-exploit-suggester finds exploits for all vulnerable software in a system helping with the privilege escalation. It focuses on software packages instead of Kernel vulnerabilities https://github.com/belane/linux-soft-exploit-suggester
pspy - unprivileged Linux process snooping https://github.com/DominicBreuker/pspy
Next-generation exploit suggester - https://github.com/jondonas/linux-exploit-suggester-2
LES: Linux privilege escalation auditing tool - https://github.com/mzet-/linux-exploit-suggester
Linux Privilege Escalation through SUDO abuse. https://github.com/TH3xACE/SUDO_KILLER
LinPEAS - Linux Privilege Escalation Awesome Script https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS
Auto exploit
A standalone python2/3 script which utilizes python's built-in modules to find SUID bins, separate default bins from custom bins, cross-match those with bins in GTFO Bin's repository & auto-exploit those, all with colors! https://github.com/Anon-Exploiter/SUID3NUM
Enumy is an ultra fast portable executable that you drop on a target Linux machine during a pentest or CTF in the post-exploitation phase. Running enumy will enumerate the box for common security vulnerabilities. https://github.com/luke-goddard/enumy