Advanced Privilege Escalation Techniques: Linux & Windows (December 2024)

This course provides in-depth knowledge of privilege escalation techniques, covering manual and automated enumeration, identifying and exploiting vulnerabilities, and defending against privilege escalation attacks on both Linux and Windows systems. You will gain hands-on experience using popular tools and techniques, such as kernel and service exploits, password mining, sudo abuse, mimikatz, and impersonation attacks.

Module 1: Introduction to Privilege Escalation

• Overview of Privilege Escalation
  • What is privilege escalation?
  • Types of privilege escalation: Vertical vs. Horizontal
  • Real-world examples of privilege escalation attacks
• Why privilege escalation matters in security assessments
  • Ethical hacking and penetration testing
  • Understanding the “attack surface” of operating systems

Module 2: Manual Enumeration for Privilege Escalation (Linux & Windows)

• User Enumeration
  • Listing users (Linux: /etc/passwd, Windows: net user)
  • Identifying high-privileged users and groups
  • Analyzing user permissions and groups
• Operating System and Kernel Details
  • Linux: uname -r, cat /proc/version
  • Windows: systeminfo, wmic os get
• Network Enumeration
  • Linux: ifconfig, netstat, route
  • Windows: ipconfig, netstat, route print
• Application and Service Enumeration
  • Identifying running services (Linux: ps aux, systemctl, Windows: tasklist, services.msc)
  • Verifying vulnerable services or misconfigurations
• Home Directory Enumeration
  • Identifying user home directories (Linux: ls -l /home, Windows: dir C:\Users)
  • Checking for world-writable files or files with improper permissions

Module 3: Automated Enumeration and Vulnerability Scanning Tools

• Automated Enumeration Tools
  • Linux Tools: LinPEAS, Lynis, GTFOBins, Linux Exploit Suggester
  • Windows Tools: PowerUp, Sherlock, Windows Exploit Suggester
• Vulnerability Scanning and Identification
  • Scanning for kernel vulnerabilities
  • Checking for unpatched services and applications
  • Using tools like Nmap, Nessus, or OpenVAS for vulnerability discovery

Module 4: Exploiting Privilege Escalation Vulnerabilities on Linux

• Kernel Exploits
  • Understanding and exploiting kernel vulnerabilities
  • Using tools like ExploitDB, Searchsploit, and Metasploit
• Service Exploits
  • Abusing misconfigured services for privilege escalation
  • Exploiting SUID/SGID binaries
  • Manipulating vulnerable system services (e.g., cron jobs, systemd timers)
• Password Mining and Cracking
  • Cracking password hashes (/etc/shadow) using tools like John the Ripper and Hashcat
• Abusing the PATH Variable
  • Understanding how PATH manipulation can escalate privileges
  • Crafting malicious executables in the PATH
• Sudo and Shell Escape Sequences
  • Exploiting misconfigurations in sudo permissions
  • Using shell escape sequences to gain higher privileges
  • Example: Exploiting sudo with python -c and other tricks
• Capabilites and Cron Jobs
  • Identifying misconfigured cron jobs and systemd timers
  • Abusing cron jobs to execute arbitrary commands

Module 5: Exploiting Privilege Escalation Vulnerabilities on Windows

• Kernel Exploits and Service Exploits
  • Exploiting Windows kernel vulnerabilities (e.g., Ring0 exploits)
  • Service misconfigurations (e.g., Service Control Manager (SCM) exploits)
• Registry Exploits
  • Abusing the Windows registry for privilege escalation
  • Modifying registry keys to escalate privileges
  • Example: Manipulating HKLM\SYSTEM\CurrentControlSet\Services for service hijacking
• Password Mining and Cracking
  • Extracting passwords from SAM and LSA Secrets
  • Using tools like Mimikatz to dump credentials and clear text passwords
• Scheduled Tasks
  • Identifying and exploiting vulnerable scheduled tasks
  • Creating malicious tasks for privilege escalation
  • Example: Using schtasks and at to schedule tasks with high privileges
• Impersonation Attacks
  • Understanding Token Impersonation and Pass-the-Hash attacks
  • Using mimikatz to impersonate high-privilege users
• Abusing Startup Apps for Privilege Escalation
  • Identifying and exploiting startup programs and services
  • Modifying startup programs (e.g., registry keys, Task Scheduler)

Module 6: Advanced Techniques for Privilege Escalation

• Linux NFS Root Squashing
  • Understanding NFS vulnerabilities and how to bypass root squashing
  • Exploiting NFS misconfigurations to escalate privileges
• Impersonation & “Potato” Attacks
  • Windows NTLMv1/2 impersonation using Impacket tools
  • Overview of Kerberos Ticket Granting Ticket (TGT) and Pass-the-Ticket attacks
  • “DCOM” and MS17-010 EternalBlue vulnerabilities for privilege escalation
• Living off the Land (LoL) and Post-Exploitation
  • Leveraging built-in tools and utilities for post-exploitation (e.g., PowerShell, bash, netcat)
  • Staying under the radar and maintaining persistence

Module 7: Defending Against Privilege Escalation

• Hardening Linux Systems
  • Using AppArmor and SELinux to restrict privilege escalation
  • Configuring sudo securely
  • Regularly patching the kernel and system services
  • Setting up file permissions and limiting access to sensitive files
  • Configuring auditing tools (e.g., auditd) to monitor for privilege escalation attempts
• Hardening Windows Systems
  • Configuring User Account Control (UAC) to prevent privilege escalation
  • Disabling or securing vulnerable services (e.g., SMBv1, RDP)
  • Enforcing least privilege through group policies and Windows Defender Application Control
  • Implementing Windows Defender to detect privilege escalation tools like Mimikatz
  • Enforcing BitLocker and Credential Guard for password protection
• Detection and Monitoring
  • Using SIEM tools (e.g., Splunk, Elastic Stack) for detecting privilege escalation indicators
  • Implementing audit trails and system logs to identify anomalous behavior
  • Setting up intrusion detection systems (IDS) for early detection of exploitation attempts