Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

My 5 Top Ways to Escalate Privileges

During a penetration test, rarely will the tester get access to a system with the administrator privileges in the first attempt. You are almost always required to use privilege escalation techniques to achieve the penetration test goals.

Several people have extensively discussed this topic, instead I decided to mention my top 5 favorite ways for accomplishing privilege escalation in the most practical ways possible.

I do not specify the escalation path, but the techniques below will fit most cases. For example: fromSYSTEM to domain account; from restricted domain account to SYSTEM/domain administrator; anonymous to system account; and so on.

1 – Dumping the SAM file

This is probably the most common way to escalate privileges. Often, it is possible to retrieve the LM hashes from a system that may include some domain credentials.

Depending on the penetration test, this can be done repeatedly, on many servers, until you find a domain administrator's hash. It is also possible to utilize the shadow copy feature from Microsoft Systems to get the "SYSKEY" and "SAM" files. One of the possible tools that could be used for this is hobocopy.

Here are some of the tools used: gsecdump, fgdump, pwdump, meterpreter, hobocopy.

BSL_12146_dc52efa4-8419-4ecc-b856-d3ee865fed53Figure 1: Dumping the SAM file using gsedump

 

2 – RETRIEVING THE /ETC/PASSWD FILE

When you either have credentials or some other type of access to aUnix's file system (when there is a non-chrooted FTP server, for example), it might be a very good idea retrieve the /etc/passwd file. With that file in hand you can simply enumerate the usernames of that particular system. Since users are still not used to creating or using strong passwords (specially when there is no policy enforcing), trying the username as the password for that account is always a good guess.

8212_1cb7757f-dbdc-46e5-9494-903ea69c64b9Figure 2: Accessing a non-chrooted FTP server and downloading the /etc/passwd file

 

3 – Weak Permissions on Processes

If you are in a system with high privileges (SYSTEM user on Windows systems), you will probably might want to take a look over the services running in that computer and check what users are running those services.

There is always the possibility to inject a malicious code in one of those processes and, with that retrieve privileges from the process owner, such as a domain administrator.

Tools: Process Injector (http://www.tarasco.org/security/Process_Injector/

8820_3ba731af-bd10-49f9-a679-3fea8f0f9bb9
Figure 3: Listing processes with "Process Injector" tool

 

4 – Sensitive Information Stored in Shared Folders

Shared folders can be very useful while doing a penetration test. The main reason is because it is quite common to find sensitive information being stored in those Shared Folders with either a few restrictions or none at all. I have already mentioned something similar on my last blog post but I do not see why I can not mention this technique again since it is usually very successful.

Tools: Metasploit (auxiliary/scanner/smb/smb_enumshares) – http://www.metasploit.com

[*] 10.0.20.36:139 IPC$ - Remote IPC (IPC), ADMIN$- Remote Admin (DISK), C$ - Default share (DISK)

[*] 10.0.20.37:139 print$ - Printer Drivers(DISK), Left_Xerox - Left_Xerox (PRINTER), C$ - Default share (DISK), intfaces- (DISK), Right_Xerox - Right_Xerox(PRINTER), Mailroom - Mailroom (PRINTER), *****4300 - ***** HP LaserJet 4300(PRINTER), F$ - Default share (DISK), Ops_Xerox - Ops_Xerox (PRINTER), IPC$ -Remote IPC (IPC), hp3380 - hp4240 (PRINTER), G$ - Default share (DISK), W$ -Default share (DISK), ADMIN$ - Remote Admin (DISK), Exec_Xerox - Exec_Xerox(PRINTER), T$ - Default share (DISK), LawsonPrint - PROACCT01 Lawson PrintDirectory (DISK), E$ - Default share (DISK), pospay - Bank Positive Pay Transaction Folder (DISK), Acct_4240 -Capex (PRINTER)

 

5 – DLL Preloading

Utilizing a combination of DLL preloading vulnerability and having access to network shares, a pen tester could look for a widely utilized shared folder where users actually execute certain applications from. Once this shared folder is found, the pen tester could replace one of the legitimate DLLs by a specially crafted malicious DLL.

There are already some countermeasures to this attack being applied by different software vendors, however it is always worth a shot.

A list of vulnerable applications can be accessed here:

http://www.exploit-db.com/dll-hijacking-vulnerable-applications/

I decided to blog about this for a few reasons: These techniques not only could be very helpful for anyone executing a penetration test, but they are also still very reliable in the process of compromising systems for most of the environments. If you job isn't penetration testing but defending against attacks it is a good idea that you are aware of these methods as well.

Latest SpiderLabs Blogs

Welcome to Adventures in Cybersecurity: The Defender Series

I’m happy to say I’m done chasing Microsoft certifications (AZ104/AZ500/SC100), and as a result, I’ve had the time to put some effort into a blog series that hopefully will entertain and inform you...

Read More

Trustwave SpiderLabs: Insights and Solutions to Defend Educational Institutions Against Cyber Threats

Security teams responsible for defending educational institutions at higher education and primary school levels often find themselves facing harsh lessons from threat actors who exploit the numerous...

Read More

Breakdown of Tycoon Phishing-as-a-Service System

Just weeks after Trustwave SpiderLabs reported on the Greatness phishing-as-a-service (PaaS) framework, SpiderLabs’ Email Security team is tracking another PaaS called Tycoon Group.

Read More