Published: 06 August 2021    Last Updated: 03 November 2022

I’ve written a few articles recently about methods of escalating privileges on Windows machines, such as through DLL Hijacking and Unquoted Service Paths, so here I’m continuing the series with Privilege Escalation through Insecure Service configurations. This one’s pretty simple issue really, generally speaking it’s simply a matter of altering the service so that it runs the executable and parameters you want it to, instead the default configuration allowing you to supply a command and privilege level for the execution. So you can simply run the add user command as local system and create your own local administrator account!

Published: 06 August 2021    Last Updated: 03 November 2022

Recently during a CTF I found a few users were unfamiliar with abusing setuid on executable on Linux systems for the purposes of privilege escalation. If an executable file on Linux has the “suid” bit set when a user executes a file it will execute with the owners permission level and not the executors permission level. Meaning if you find a file with this bit set, which is owned by a user with a higher privilege level than yourself you may be able to steal their permissions set.

Published: 06 August 2021    Last Updated: 03 November 2022

I posted earlier about Privilege Escalation through Unquoted Service Paths and how it’s now rare to be able to exploit this in the real world due to the protected nature of the C:\Program Files and C:\Windows directories. It’s still possible to exploit this vulnerability, but only when the service executable is installed outside of these protect directories which in my experience is rare. Writing that post though got me thinking about another method of privilege escalation which I think is a little more common to see – DLL Hijacking.

Published: 06 August 2021    Last Updated: 03 November 2022

One method for escalating permission from Local/Domain User to Local Administrator, is "Unquoted Service paths". In my experience finding unquoted service paths is a common occurrence, however actually being able to exploit them is not. In this article we'll explore how to find these issues and how to quickly determine if they're exploitable or not.

Published: 19 October 2020    Last Updated: 03 November 2022

We recently published an article on using Incognito for privilege escalation as part of a short series on using Metasploit. In this article we’ll cover an alternative approach for privilege escalation – extracting plaintext credentials. Whilst incognito is generally easier to use, Mimikatz is powerful and flexible.

In this part we’re just going to look at password extraction; but Mimikatz can be used for many other attacks – such as extracting domain hashes from a domain controller. As before, password extraction is really a post-exploitation steps and is very useful for escalating from local administrator access to domain administrator access. As this is a post-exploitation step, we’ll be starting with a SYSTEM shell through PsExec for this demonstration. As an example of when these steps could be deployed, they could be a step taken after successfully performing an attack to gain an initial foothold such as LLMNR and NBT-NS Spoofing, which we covered previously.

Published: 19 October 2020    Last Updated: 03 November 2022

Incognito is a tool which can be used for privilege escalation, typically from Local Administrator to Domain Administrator. It achieves this by allowing for token impersonation. As a local administrator can read the entirety of memory, if a domain administrator is logged in their authentication token can be stolen. We'll investigate its use here.

There are several types of authentication token on Windows systems, but Delegation tokens can be used network wide. This therefore allows an attacker to extract one of these tokens and then execute commands on other machines (such as the Domain Controller). Incognito can be executed within Meterpreter, or as a standalone EXE.

Published: 11 December 2015    Last Updated: 03 November 2022

Group Policy Preferences (GPP) was an addition to Group Policy to extend its capabilities to, among other things, allow an administrator to configure: local administrator accounts (including their name and password), services or schedule tasks (including credentials to run as), and mount network drives when a user logs in (including connecting with alternative credentials).

GPP are distributed just like normal group policy, meaning that an XML file is stored in the SYSVOL share of the domain controllers and when a user logs in their system queries the share and pulls down the policy.