Exploring the types of privilege escalation attack
We can now explore the most common privilege escalation attacks and how they work. The objective is to build a basic picture of the types of privilege escalation attack available and to understand how each of them is exploited.
We will take a look at how to exploit these vulnerabilities in depth on both Windows and Linux systems in the upcoming chapters.
Kernel exploits
Kernel exploits are programs or binaries, found on both Windows and Linux, that target vulnerabilities in the underlying kernel in order to execute arbitrary code with elevated or "root" permissions.
The exploitation process is multi-faceted and requires a good amount of enumeration to determine the operating system version and the installed patches or hotfixes, and consequently whether the system is affected by any known kernel exploits. The exploit code can then be retrieved from exploit repositories such as exploit-db. It should be inspected and customized based on the required parameters and functionality, after which it can be compiled into a binary and transferred to the target for execution. In some cases, the exploit code will need to be downloaded and compiled on the target itself if it relies on certain dependencies.
After successful compilation and execution of the binary, the kernel exploit will grant the attacker "root" access on the target system in the form of a shell prompt, where they can run commands on the system with "root" privileges.
In many cases, precompiled kernel exploits for Windows already exist online and can be downloaded and executed directly, thereby avoiding the compilation process altogether. However, it is very important to inspect and analyze the exploit code before compiling or running it, as exploits could contain malicious code or payloads.
Important note
Kernel exploits are extremely powerful; however, they can cause system crashes and kernel panics that hinder the privilege escalation process and may damage the system.
Exploiting SUID binaries
SUID (set-user-ID) is a built-in Linux permission bit that makes an executable run with the permissions of the file's owner rather than those of the user who launched it.
This feature is commonly used to allow non-root accounts to run system utilities and binaries with root permissions: a program that is owned by "root" and has the SUID bit set runs with "root" privileges whenever a non-root user executes it. Attackers can take advantage of SUID misconfigurations to run arbitrary commands as root.
For example, programs or binaries that allow the execution of arbitrary commands, such as vim, should not be SUID with "root" as the owner, because non-root users can use vim's built-in command execution to run commands as "root."
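The following is an added audit script (not code from the book) that shows the defensive side of the SUID point: it walks a directory tree, collects root-owned SUID binaries, and separates the ones that can run commands from inside themselves (the vim-style misconfiguration) from a baseline you maintain. The COMMAND_CAPABLE set and the baseline paths are assumptions for the example.

```python
import os
import stat

# Programs that can run other commands from inside themselves (editors,
# pagers, interpreters). A SUID-root copy of any of these hands root to every
# local user. The set is an assumption for this example, not a complete list.
COMMAND_CAPABLE = {"vim", "vi", "nano", "less", "more", "find", "awk",
                   "perl", "python", "python3", "bash", "sh"}


def find_suid_files(root="/", owner_uid=0):
    """Return regular files under `root` that have the SUID bit set and are
    owned by `owner_uid` (0 is root). Symlinks are not followed, so a link
    pointing at a SUID binary is not double-counted."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished while walking
            if (stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID
                    and st.st_uid == owner_uid):
                hits.append(path)
    return sorted(hits)


def classify_suid(paths, baseline=()):
    """Sort SUID paths into three buckets: 'command_capable' (the vim-style
    misconfiguration described in the text), 'baseline' (paths you expect on
    this build, e.g. passwd and sudo) and 'unexpected' (everything else)."""
    report = {"command_capable": [], "baseline": [], "unexpected": []}
    for path in paths:
        if os.path.basename(path) in COMMAND_CAPABLE:
            report["command_capable"].append(path)
        elif path in baseline:
            report["baseline"].append(path)
        else:
            report["unexpected"].append(path)
    return report


if __name__ == "__main__":
    # Baseline paths are illustrative; build your own from a clean install.
    report = classify_suid(find_suid_files("/usr"),
                           baseline={"/usr/bin/passwd", "/usr/bin/sudo"})
    for bucket, paths in report.items():
        for path in paths:
            print(f"{bucket:16} {path}")
```

Anything in the unexpected bucket deserves the same scrutiny as a command-capable hit, since a custom SUID helper is just as likely to have been dropped by an attacker as by a package.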
Exploiting vulnerable services and permissions
Services offer the largest attack surface, given the variety and diversity of programs and services that can be found running on Windows and Linux systems.
Attackers will typically aim to identify misconfigured or vulnerable services and programs that could facilitate privilege escalation. For example, on Linux systems, attackers will try to identify and exploit misconfigured cron jobs and leverage them to execute arbitrary code or malicious binaries.
Exploiting vulnerable or insecure services on Windows typically involves embedding a payload in a service that runs with administrative privileges. When the service starts, the payload runs with those privileges, so the attacker can execute commands as an administrator (the Windows equivalent of "root").
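As an added example for the cron job case above (not code from the book), this script parses /etc/crontab-style entries and flags the jobs whose command can be modified by someone other than its owner, which is the misconfiguration that lets a job be turned into an arbitrary-code launcher. The crontab format handled here is the system one (time fields, user, command); per-user crontabs have no user column and would need a small adjustment.

```python
import os
import stat

WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def parse_system_crontab(text):
    """Return (user, command) pairs from /etc/crontab-style lines:
    five time fields (or an @reboot-style keyword), a user, then the command."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment, or VAR=value assignment
        special = line.startswith("@")
        parts = line.split(None, 2) if special else line.split(None, 6)
        if len(parts) == (3 if special else 7):
            jobs.append((parts[-2], parts[-1]))
    return jobs


def writable_by_others(path):
    return bool(os.stat(path).st_mode & WRITABLE_BY_OTHERS)


def audit_cron_jobs(text):
    """Flag jobs whose command can be altered by users other than its owner.
    Returns (user, command, reason) tuples."""
    findings = []
    for user, command in parse_system_crontab(text):
        target = command.split()[0]
        if not os.path.isabs(target):
            findings.append((user, command, "relative command path, resolved through cron's PATH"))
        elif not os.path.exists(target):
            findings.append((user, command, "command target does not exist"))
        elif writable_by_others(target):
            findings.append((user, command, "writable by group/others"))
        else:
            parent = os.stat(os.path.dirname(target)).st_mode
            # A world-writable parent without the sticky bit lets others replace the file.
            if parent & WRITABLE_BY_OTHERS and not parent & stat.S_ISVTX:
                findings.append((user, command, "parent directory writable by group/others"))
    return findings


if __name__ == "__main__":
    with open("/etc/crontab") as fh:
        for user, command, reason in audit_cron_jobs(fh.read()):
            print(f"[{reason}] {user}: {command}")
```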
Insecure credentials
This technique involves searching for insecure credentials that users have stored on a system, or cracking weak user credentials. Many users, and even system administrators, note down passwords in cleartext in documents, spreadsheets, and configuration files for various service accounts. These files can be located by running targeted search queries with various command-line utilities.
An example of this is the use of the find command-line utility on Linux to locate files with specific extensions and filenames.
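The following is an added example (not the book's code) of the review step that follows such a find search: a small scanner that looks for password-like keys in configuration and note files, skips values that are only environment-variable references or template placeholders, and redacts what it reports so the audit log does not become a second copy of the secret. The sample files and their contents are constructed for the example.

```python
import re

# Keys that usually carry a secret, followed by ':' or '=' and a value.
CRED_RE = re.compile(
    r"\b([\w.-]*(?:pass(?:word|wd)?|pwd|pw|secret|token|api[_-]?key)[\w.-]*)"
    r"\s*[:=]\s*[\"']?([^\"'\s#]+)", re.IGNORECASE)
# Values that are references or templates rather than secrets.
PLACEHOLDER_RE = re.compile(r"^\$\{?\w+\}?$|^<[^>]*>$|^\*+$|^(?:changeme|todo)$",
                            re.IGNORECASE)

# Constructed sample files standing in for what such a search turns up;
# none of these values are real credentials.
SAMPLE_FILES = {
    "/etc/app/db.conf": "db_host=10.0.0.5\ndb_user=app\ndb_password=Summer2021!\n",
    "/home/alice/notes.txt": "wifi: guest/guest\nprod root pw: hunter2\n",
    "/opt/svc/config.yml": "api:\n  token: ${API_TOKEN}\n  password: \"\"\n",
}


def redact(value):
    """Keep two characters so a reviewer can recognise the hit without the
    report itself leaking the secret."""
    return value[:2] + "*" * max(len(value) - 2, 0)


def scan_text(path, text):
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in CRED_RE.finditer(line):
            key, value = match.group(1), match.group(2)
            if PLACEHOLDER_RE.match(value):
                continue  # ${VAR}, <template>, ****, changeme: not a stored secret
            findings.append({"path": path, "line": lineno,
                             "key": key, "value": redact(value)})
    return findings


def scan_files(files):
    """`files` maps path -> content; in practice feed it the files that
    find located (for example *.conf, *.yml, *.txt)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']}  {f['key']} = {f['value']}")
```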
Exploiting SUDO
Attackers will usually target users who have SUDO privileges. SUDO allows users to run commands as another user, typically the root user.
SUDO privileges are usually configured manually by administrators, which leaves the door open to misconfigurations. For example, an administrator can grant a non-root user SUDO permission for certain command-line utilities (such as find or vim) that can themselves run shell commands or arbitrary code.
Attackers can leverage this to run arbitrary code or execute commands with "root" privileges.
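As an added example for the sudo misconfiguration described above (not code from the book), this script parses simple sudoers rules and reports the entries that amount to a root shell: a rule for ALL commands, or a rule for a program such as find or vim that can run other commands from inside itself. The sudoers fragment is constructed, the SHELL_CAPABLE set is an assumption, and the parser covers plain user rules only (no aliases or include directives).

```python
import os
import re

# Programs that can run a shell or arbitrary commands from inside themselves;
# a sudo rule for one of these is equivalent to a rule for a root shell.
# The set is an assumption for this example, not a complete list.
SHELL_CAPABLE = {"vim", "vi", "nano", "less", "more", "find", "awk",
                 "perl", "python", "python3", "bash", "sh"}

# Constructed sudoers fragment, not taken from a real system.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
alice   ALL=(root) NOPASSWD: /usr/bin/find        # backup helper
bob     ALL=(ALL) /usr/bin/vim, /usr/bin/systemctl restart nginx
carol   ALL=(root) /usr/sbin/service apache2 restart
"""

# user  host=(runas) TAG: command[, command...]
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?((?:[A-Z]+:\s*)*)(.+)$")


def parse_sudoers(text):
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # aliases and other directives are out of scope here
        user, host, runas, tags, commands = m.groups()
        for command in commands.split(","):
            rules.append({"user": user, "host": host, "runas": runas or "root",
                          "nopasswd": "NOPASSWD" in tags, "command": command.strip()})
    return rules


def risky_rules(rules):
    """Return (user, command, reason) for rules that amount to a root shell."""
    out = []
    for r in rules:
        if r["user"] == "root":
            continue
        program = os.path.basename(r["command"].split()[0])
        if r["command"] == "ALL":
            reason = "grants every command"
        elif program in SHELL_CAPABLE:
            reason = f"{program} can execute arbitrary commands"
        else:
            continue
        out.append((r["user"], r["command"], reason + (", NOPASSWD" if r["nopasswd"] else "")))
    return out
```

Running `risky_rules(parse_sudoers(SAMPLE_SUDOERS))` flags %admin (ALL), alice (find, without a password prompt) and bob (vim), while carol's service restart rule passes.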
Important note
SUDO is a Linux command, together with its permission configuration (the sudoers policy), that allows users to run commands or programs with superuser or "root" privileges.
These are just some of the privilege escalation attacks and techniques that can be used on both Windows and Linux systems. We will be taking a look at how to use these techniques in detail in the upcoming chapters.