Awesome Privilege Escalation

A curated list of awesome privilege escalation

Table of Contents

• Linux
  • Escape restricted shells
  • SUDO and SUID
  • Capabilities
  • Tools
    • Find CVEs
  • Chkrootkit
  • NFS
  • Presentations
• Windows
  • Hot Potato
  • Unquoted services with spaces
  • Groups.xml
  • Tools
  • Presentations
• Linux and Windows
• Docker
  • Docker socks
• AWS

Linux

• Basic Linux Privilege Escalation
• Linux elevation of privileges ToC
• Pentest Book - Privilege Escalation: common Linux privilege escalation techniques.
• A guide to Linux Privilege Escalation
• Enumeration is the Key
• My 5 Top Ways to Escalate Privileges: Bruno Oliveira's top 5 favorite ways for accomplishing privilege escalation in the most practical ways possible.
• Understanding Privilege Escalation: Some techniques malicious users employ to escalate their privileges on a Linux system.
• How privileges work in operating systems?
• Linux Privilege Escalation via Dynamically Linked Shared Object Library: How RPATH and Weak File Permissions can lead to a system compromise.
• Reach the root! How to gain privileges in Linux?
• Linux Privilege Escalation: an introduction to Linux escalation techniques, mainly focusing on file/process permissions, but along with some other stuff too.
• Local Linux Enumeration & Privilege Escalation Cheatsheet: a few Linux commands that may come in useful when trying to escalate privileges on a target system.
• PENETRATION TESTING PRACTICE LAB - VULNERABLE APPS / SYSTEMS
• Local Linux privilege escalation overview: This article will give an overview of the basic Linux privilege escalation techniques. It separates the local Linux privilege escalation in different scopes: kernel, process, mining credentials, sudo, cron, NFS, and file permission.
• Attack and Defend: LinuxPrivilege Escalation Techniques of 2016: This paper will examine Linux privilege escalation techniques used throughout 2016 in detail, highlighting how these techniques work and how adversaries are using them.
• Local Linux Enumeration & Privilege Escalation: a few Linux commands that may come in useful when trying to escalate privileges on a target system.
• Back To The Future: Unix Wildcards Gone Wild: This article will cover one interesting old-school Unix hacking technique, that will still work in 2013.
• POST CATEGORY : Privilege Escalation: Privilege escalation post category in Raj Chandel's Blog.
• Privilege Escalation & Post-Exploitation
• Linux - Privilege Escalation
• Privilege escalation: Linux
• Penetration-Testing-Grimoire/Privilege Escalation/linux.md
• Privilege Escalation Cheatsheet (Vulnhub): This cheasheet is aimed at the CTF Players and Beginners to help them understand the fundamentals of Privilege Escalation with examples.
• Hackers Hut: Some random hacking hints, mainly from a Linux point of view.
• Hacking Linux Part I: Privilege Escalation

Escape restricted shells

• Escaping Restricted Linux Shells: Resource for penetration testers to assist them when confronted with a restricted shell.
• Restricted Linux Shell Escaping Techniques: The focus of this article is on discussing and summarizing different techniques to escape common Linux restricted shells and also simple recommendations for administrators to protect against it.
• Linux Restricted Shell Bypass
• Escaping from Restricted Shell and Gaining Root Access to SolarWinds Log & Event Manager (SIEM) Product
• Breaking out of rbash using scp

SUDO and SUID

• GTFOBins: GTFOBins is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions.
• Abusing SUDO: Some of the binary which helps you to escalate privilege using the sudo command.
• Sudo (LD_PRELOAD): Privilege Escalation from an LD_PRELOAD environment variable.
• How I got root with Sudo
• Gaining a Root shell using MySQL User Defined Functions and SETUID Binaries: How a MySQL User Defined Function (UDF) and a SETUID binary can be used to elevate user privilege to a root shell.

Capabilities

• Exploiting capabilities: Parcel root power, the dark side of capabilities
• getcap, setcap and file capabilities
• Capabilities
• Spicing up your own access with capabilities
• An Interesting Privilege Escalation vector (getcap/setcap)

Tools

• LinEnum
• pspy: unprivileged Linux process snooping
• LES: LES: Linux privilege escalation auditing tool
• Linux_Exploit_Suggester: Linux Exploit Suggester; based on operating system release number.
• Linux Exploit Suggester 2: Next-generation exploit suggester based on Linux_Exploit_Suggester
• linuxprivchecker.py: Linux Privilege Escalation Check Script
• linux-soft-exploit-suggester: linux-soft-exploit-suggester finds exploits for all vulnerable software in a system helping with the privilege escalation.
• exploit-suggester: This tool reads the output of “showrev -p” on Solaris machines and outputs a list of exploits that you might want to try.
• unix-privesc-check: Shell script to check for simple privilege escalation vectors on Unix systems
• BeRoot: BeRoot Project is a post exploitation tool to check common misconfigurations to find a way to escalate our privilege.
• kernelpop: kernelpop is a framework for performing automated kernel vulnerability enumeration and exploitation.
• AutoLocalPrivilegeEscalation: An automated script that download potential exploit for linux kernel from exploitdb, and compile them automatically.
• Linux Privilege Escalation Check Script: Originally forked from the linuxprivchecker.py (Mike Czumak), this script is intended to be executed locally on a Linux box to enumerate basic system info and search for common privilege escalation vectors such as word writable files, misconfigurations, clear-text password and applicable exploits.
• uptux: Specialized privilege escalation checks for Linux systems.
• Unix-Privilege-Escalation-Exploits-Pack: Exploits for getting local root on Linux, BSD, AIX, HP-UX, Solaris, RHEL, SUSE etc.
• AutoLocalPrivilegeEscalation: An automated script that download potential exploit for linux kernel from exploitdb, and compile them automatically
• PrivEsc: A collection of Windows, Linux and MySQL privilege escalation scripts and exploits.
• linux-smart-enumeration: Linux enumeration tools for pentesting and CTFs
• linux-kernel-exploits

Find CVEs

• LPVS: Linux Package Vulnerability Scanner for CentOS and Ubuntu.
• active-cve-check: Checks a list of packages against the "active" (not yet patched) CVE's as listed in the Ubuntu CVE Tracker.
• cve-check-tool: Original Automated CVE Checking Tool.
• Arch-Audit: A tool to check vulnerable packages in Arch Linux.

Chkrootkit

• Local root exploit in Chkrootkit: Security researchers have found an local exploit for Chkrootkit 0.49 who allow to a simple user to make root’s commands.

NFS

• Linux Privilege Escalation using Misconfigured NFS: How to exploit a misconfigured NFS share to gain root access to a remote host machine.
• Exploiting a Mis-Configured NFS Share
• BeRoot: A Post Exploitation Tool To Check Common Misconfigurations For Windows Linux And Mac OS.
• NFS weak permissions

Presentations

• Linux Privilege Escalation - Tradecraft Security Weekly #22: Methodology for performing various privilege escalation techniques against Linux-based systems.
• Linux privilege escalation for fun, profit, and all around mischief: Examine opportunities for privilege escalation that can vault you from zero to hero in a few easy steps.
• Privilege Escalation FTW: Demonstrate various privilege escalation techniques that are possible primarily due to misconfigurations.

Windows

• Windows Privilege Escalation Fundamentals
• Privilege Escalation Windows
• Windows Privilege Escalation Guide
• Windows - Privilege Escalation
• LOLBAS: Living Off The Land Binaries and Scripts (and also Libraries)
• Windows elevation of privileges ToC
• awesome-windows-security
• Privilege escalation: Windows
• Windows Privilege Escalations
• Windows-Privilege-Escalation: Step-by-step windows privlege escalation methodology.
• Privilege Escalation: There are also various other (local) exploits that can be used to also escalate privileges.
• Windows Post Gather Modules: Metasploit offers a number of post exploitation modules that allow for further information gathering on your target network.

Hot Potato

• Hot Potato – Windows Privilege Escalation: Privilege Escalation on Windows 7, 8, 10, Server 2008, Server 2012 … and a new network attack.
• Hot Potato: Hot potato is the code name of a Windows privilege escalation technique that was discovered by Stephen Breen. This technique is actually a combination of two known windows issues like NBNS spoofing and NTLM relay with the implementation of a fake WPAD proxy server which is running locally on the target host.
• Hot Potato: Windows 7, 8, 10, Server 2008, Server 2012 Privilege Escalation in Metasploit & PowerShell.

Unquoted services with spaces

• Windows Privilege Escalation — Part 1 (Unquoted Service Path)
• Unquoted Service Path
• UNQUOTED SERVICE PATHS
• Windows Privilege Escalation via Unquoted Service Paths
• PrivEsc: Unquoted Service Path
• Practical Guide to exploiting the unquoted service path vulnerability in Windows
• Windows Privilege Escalation – Unquoted Services
• Windows Privilege Escalation – Unquoted Services

Groups.xml

• gpp-decrypt Package Description: A simple ruby script that will decrypt a given GPP encrypted string.
• Finding Passwords in SYSVOL & Exploiting Group Policy Preferences

Tools

• JAWS - Just Another Windows (Enum) Script: JAWS is PowerShell script designed to help penetration testers (and CTFers) quickly identify potential privilege escalation vectors on Windows systems. It is written using PowerShell 2.0 so 'should' run on every Windows version since Windows 7.
• Sherlock: PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities. (Deprecated)
• Watson: Watson is a .NET tool designed to enumerate missing KBs and suggest exploits for Privilege Escalation vulnerabilities.
• PowerSploit: PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment.
• Potato: Potato Privilege Escalation on Windows 7, 8, 10, Server 2008, Server 2012.
• RottenPotato: RottenPotato local privilege escalation from service account to SYSTEM. (No longer maintained)
• RottenPotatoNG: New version of RottenPotato as a C++ DLL and standalone C++ binary - no need for meterpreter or other tools.
• Tater: Tater is a PowerShell implementation of the Hot Potato Windows Privilege Escalation exploit.
• SessionGopher: SessionGopher is a PowerShell tool that finds and decrypts saved session information for remote access tools.
• windows-privesc-check: Standalone executable that runs on Windows systems. It tries to find misconfigurations that could allow local unprivileged users to escalate privileges to other users or to access local apps (e.g. databases).
• WinPwnage: UAC bypass, Elevate, Persistence and Execution methods. The goal of this repo is to study the Windows penetration techniques.
• WindowsEnum: A Powershell Privilege Escalation Enumeration Script.
• juicy-potato: A sugared version of RottenPotatoNG, with a bit of juice, i.e. another Local Privilege Escalation tool, from a Windows Service Accounts to NT AUTHORITY\SYSTEM.

Presentations

• SANS Webcast: Pen Testing with PowerShell - Local Privilege Escalation Techniques
• Windows Privilege Escalation Unquoted Service - Part 1
• Windows Privilege Escalation Unquoted Service - Part 2
• Windows Privilege Escalation Unquoted Service - Part 3
• Windows Privilege Escalation Techniques (Local) - Tradecraft Security Weekly #2
• Level Up! Practical Windows Privilege Escalation - Andrew Smith
• Level Up! - Practical Windows Privilege Escalation (Presentation Slides)

Linux and Windows

• Awesome-Hacking-Resources (Privilege escalation section): A collection of hacking / penetration testing resources to make you better!
• Metasploit Local Exploit Suggester: Do Less, Get More!

Docker

• Container security notes
• Hack Allows Escape of Play-with-Docker Containers
• Escaping Docker container using waitid() – CVE-2017-5123
• Hacking Docker the Easy way
• Escaping the Whale: Things you probably shouldn’t do with Docker (Part 1)

Docker socks

• Don't expose the Docker socket (not even to a container)
• Escaping Containers to Execute Commands on Play with Docker Servers
• Dirty COW - (CVE-2016-5195) - Docker Container Escape

AWS

• AWS-IAM-Privilege-Escalation: A centralized source of all AWS IAM privilege escalation methods released by Rhino Security Labs.