Connect with us at the Gartner® Security & Risk Management Summit June 9-11. Learn More

Request a Demo

Connect with us at the Gartner® Security & Risk Management Summit June 9-11. Learn More

Request a Demo
Services
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

View All Trustwave Services
Solutions
BY INDUSTRY
BY REGULATION
BY TOPIC
Microsoft Security
Unlock the full power of Microsoft Security
Offensive Security
Solutions to maximize your security ROI
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
We reduce cyber risk and fortify organizations
Awards and Accolades
Recognition by analysts and media outlets
Trustwave SpiderLabs Team
Global researchers, ethical hackers, and responders
Trustwave Fusion Security Operations Platform
Unprecedented security visibility and control
Trustwave Security Colony
Access to cybersecurity threat protection resources
Partners
Microsoft Security
Unlock the full power of Microsoft Security
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
Register
Login
Resources
BLOGS
UPCOMING
MEDIA & ASSETS
NOTICES
HELP

My 5 Top Ways to Escalate Privileges

Change theme to light My 5 Top Ways to Escalate Privileges
2 Minute Read by Bruno Oliveira

During a penetration test, rarely will the tester get access to a system with the administrator privileges in the first attempt. You are almost always required to use privilege escalation techniques to achieve the penetration test goals.

Several people have extensively discussed this topic, instead I decided to mention my top 5 favorite ways for accomplishing privilege escalation in the most practical ways possible.

I do not specify the escalation path, but the techniques below will fit most cases. For example: fromSYSTEM to domain account; from restricted domain account to SYSTEM/domain administrator; anonymous to system account; and so on.

1 – Dumping the SAM file

This is probably the most common way to escalate privileges. Often, it is possible to retrieve the LM hashes from a system that may include some domain credentials.

Depending on the penetration test, this can be done repeatedly, on many servers, until you find a domain administrator's hash. It is also possible to utilize the shadow copy feature from Microsoft Systems to get the "SYSKEY" and "SAM" files. One of the possible tools that could be used for this is hobocopy.

Here are some of the tools used: gsecdump, fgdump, pwdump, meterpreter, hobocopy.

BSL_12146_dc52efa4-8419-4ecc-b856-d3ee865fed53Figure 1: Dumping the SAM file using gsedump

 

2 – RETRIEVING THE /ETC/PASSWD FILE

When you either have credentials or some other type of access to aUnix's file system (when there is a non-chrooted FTP server, for example), it might be a very good idea retrieve the /etc/passwd file. With that file in hand you can simply enumerate the usernames of that particular system. Since users are still not used to creating or using strong passwords (specially when there is no policy enforcing), trying the username as the password for that account is always a good guess.

8212_1cb7757f-dbdc-46e5-9494-903ea69c64b9Figure 2: Accessing a non-chrooted FTP server and downloading the /etc/passwd file

 

3 – Weak Permissions on Processes

If you are in a system with high privileges (SYSTEM user on Windows systems), you will probably might want to take a look over the services running in that computer and check what users are running those services.

There is always the possibility to inject a malicious code in one of those processes and, with that retrieve privileges from the process owner, such as a domain administrator.

Tools: Process Injector (http://www.tarasco.org/security/Process_Injector/

8820_3ba731af-bd10-49f9-a679-3fea8f0f9bb9
Figure 3: Listing processes with "Process Injector" tool

 

4 – Sensitive Information Stored in Shared Folders

Shared folders can be very useful while doing a penetration test. The main reason is because it is quite common to find sensitive information being stored in those Shared Folders with either a few restrictions or none at all. I have already mentioned something similar on my last blog post but I do not see why I can not mention this technique again since it is usually very successful.

Tools: Metasploit (auxiliary/scanner/smb/smb_enumshares) – http://www.metasploit.com

[*] 10.0.20.36:139 IPC$ - Remote IPC (IPC), ADMIN$- Remote Admin (DISK), C$ - Default share (DISK)

[*] 10.0.20.37:139 print$ - Printer Drivers(DISK), Left_Xerox - Left_Xerox (PRINTER), C$ - Default share (DISK), intfaces- (DISK), Right_Xerox - Right_Xerox(PRINTER), Mailroom - Mailroom (PRINTER), *****4300 - ***** HP LaserJet 4300(PRINTER), F$ - Default share (DISK), Ops_Xerox - Ops_Xerox (PRINTER), IPC$ -Remote IPC (IPC), hp3380 - hp4240 (PRINTER), G$ - Default share (DISK), W$ -Default share (DISK), ADMIN$ - Remote Admin (DISK), Exec_Xerox - Exec_Xerox(PRINTER), T$ - Default share (DISK), LawsonPrint - PROACCT01 Lawson PrintDirectory (DISK), E$ - Default share (DISK), pospay - Bank Positive Pay Transaction Folder (DISK), Acct_4240 -Capex (PRINTER)

 

5 – DLL Preloading

Utilizing a combination of DLL preloading vulnerability and having access to network shares, a pen tester could look for a widely utilized shared folder where users actually execute certain applications from. Once this shared folder is found, the pen tester could replace one of the legitimate DLLs by a specially crafted malicious DLL.

There are already some countermeasures to this attack being applied by different software vendors, however it is always worth a shot.

A list of vulnerable applications can be accessed here:

http://www.exploit-db.com/dll-hijacking-vulnerable-applications/

I decided to blog about this for a few reasons: These techniques not only could be very helpful for anyone executing a penetration test, but they are also still very reliable in the process of compromising systems for most of the environments. If you job isn't penetration testing but defending against attacks it is a good idea that you are aware of these methods as well.

ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

Latest Intelligence

Lights Out and Stalled Factories: Using M.A.T.R.I.X to Learn About Modbus Vulnerabilities
A Deep-Rooted Infestation: How the ILOVEYOU Bug Continues its Legacy in Modern Worms
Yet Another NodeJS Backdoor (YaNB): A Modern Challenge

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo