recentpopularlog in

whip_lash : privesc   42

Update PoC code to try /sbin/ip if /sbin/ifconfig is not available. Tested with Ubuntu 18.04, 4.8.0-34-generic #36~16.04.1-Ubuntu and Docker 18.09.3 · GitHub
// This exploit combines exploitation of two vulnerabilities:
// - CVE-2017-18344 (OOB read in proc timers)
// - CVE-2017-1000112 (OOB write due to UFO packet fragmentation management)
// Both original exploits were written by Andrey Konovalov.
linux  kernel  privesc  privilegeescalation  pentest 
10 weeks ago by whip_lash
Privilege Escalation in Ubuntu Linux (dirty_sock exploit) | Shenanigans Labs
In January 2019, I discovered a privilege escalation vulnerability in default installations of Ubuntu Linux. This was due to a bug in the snapd API, a default service. Any local user could exploit this vulnerability to obtain immediate root access to the system.
kernel  linux  privesc  dirty_sock  ubuntu 
february 2019 by whip_lash
Linux Privilege Escalation – Using apt-get/apt/dpkg to abuse sudo “NOPASSWD” misconfiguration – Logan S Diomedi – lsdsecurity
There are many well known and documented attack vectors for the sudo command that exist. Please see my Useful Resources page for the Windows & Linux Privilege Escalation piece that contains a ton of helpful knowledge in this category. Today, we’re going to be using a very poorly documented feature in apt-get when a normal user is allowed to execute apt-get as a root user. Let’s dive in!
linux  privesc  privilegeescalation  sudo  pentest  security 
january 2019 by whip_lash
A common path to Domain Admin - Laconic Wolf
Many common information gathering techniques and tools require you to be a part of the domain to use them (net users, etc.), so I decided to write a few IronPython scripts (located here) to do some basic enumeration tasks. I’m not going to get into the specifics of the code, but the first two scripts I wrote were a script to get a list of users and a script to guess passwords.
ironpython  bloodhound  activedirectory  privesc  privilegeescalation  pentest  pentesting 
december 2018 by whip_lash
Rotten Potato – Privilege Escalation from Service Accounts to SYSTEM
NTLM relay from the local “NT AUTHORITY\SYSTEM” (we will just call it SYSTEM for brevity) account back to some other system service has been the theme for the Potato privilege escalation exploits. The first step is to trick the SYSTEM account into performing authentication to some TCP listener we control.

In the original Hot Potato exploit, we did some complex magic with NBNS spoofing, WPAD, and Windows Update services to trick it into authenticating to us over HTTP. For more information, see the original blog post.

Today, we’ll be discussing another method to accomplish the same end goal which James Forshaw discussed here. We’ll basically be tricking DCOM/RPC into NTLM authenticating to us. The advantage of this more complex method is that it is 100% reliable, consistent across Windows versions, and fires instantly rather than sometimes having to wait for Windows Update.
security  pentest  windows  privesc  privilegeescalation 
september 2018 by whip_lash
Advisory: CVE-2018-7572 – Pulse Secure Client Authentication Bypass – MDSec
By default, the Pulse client attempts to connect to the configured proxy service on port TCP port 80; supplying the configuration for a proxy server with a self-signed certificate forces the Pulse client to warn the user that the certificate is invalid but provides the option to “View” the certificate which when selected loads the standard Windows certificate wizard running as SYSTEM. From the Windows certificate wizard it is possible to select the option to export the certificate, then browse to a location where the certificate should be stored on the file system. Inevitably this provides the option to browse to cmd.exe, right click to obtain a command prompt as SYSTEM and full access to the workstation.
windows  privesc  pentest  pulsesecure 
september 2018 by whip_lash
Rotten Potato | Penetration Testing Lab
However there is a technique which can be used that tries to trick the “NT Authority\System” account to negotiate and authenticate via NTLM locally so the token for the “NT Authority\System” account would become available and therefore privilege escalation possible. This technique is called Rotten Potato and it was introduced in DerbyCon 2016 by Stephen Breen and Chris Mallz.
windows  privesc  privilegeescalation  pentest  security 
august 2018 by whip_lash
exploitexcel.png (1272×694)
Which privesc exploits work on which Windows versions
Windows  exploits  pentest  privesc  privilegeescalation 
july 2018 by whip_lash
The project collects legitimate functions of Unix binaries that can be abused to get the f**k break out restricted shells, escalate or maintain elevated privileges, transfer files, spawn bind and reverse shells, and facilitate the other post-exploitation tasks. See the full list of functions.

This was inspired by the LOLBins project for Windows.
linux  pentesting  hacking  security  shell  privesc  privilegeescalation  gtfobins 
july 2018 by whip_lash
Microsoft COM for Windows - Privilege Escalation
The keywords "COM" and "serialized" pretty much jumped into my face when the advisory came out. Since I had already spent several months of research time on Microsoft COM last year I decided to look into it. Although the vulnerability can result in remote code execution, I'm only interested in the privilege escalation aspects.
privesc  windows  pentest  exploit  security 
june 2018 by whip_lash
Pentester's Windows NTFS Tricks Collection | SEC Consult
Moreover, it’s possible that an administrator or a program configures such permissions and assumes that users are really not allowed to create folders in it.

This ACL can be bypassed as soon as a user can create files. Adding “::$INDEX_ALLOCATION” to the end of a filename will create a folder instead of a file and Windows currently doesn’t include a check for this corner case.

As shown above, a directory was successfully created and the user can create arbitrary files or folders in this directory (which can lead to privilege escalation if an administrator/program assumes that this is not possible because of the missing permissions).
ntfs  windows  privesc  privilegeescalation  security  whitelist-evasion 
june 2018 by whip_lash
LAPS - Part 2
In Part 1 we explored how one could go about discovering and mapping the LAPS configuration in a domain. In this part, we’ll look at various ways LAPS can be abused for persistence purposes.
laps  activedirectory  Microsoft  windows  privesc  postexploitation 
march 2018 by whip_lash
LAPS - Part 1
The purpose of this post, is to put together a more complete end-to-end process for mapping out the LAPS configuration in a domain.
laps  activedirectory  Microsoft  windows  privesc  postexploitation 
march 2018 by whip_lash
Feature, not bug: DNSAdmin to DC compromise in one line
We will shallowly delve into the protocol’s implementation and detail a cute feature (certainly not a bug!) which allows us, under some circumstances, to run code as SYSTEM on domain controllers, without being a domain admin.
dns  domain  activedirectory  exploit  privesc  pentest  security 
february 2018 by whip_lash
GitHub - dzonerzy/winescalation: Python based module to find common vulnerabilities which lead to Windows privilege escalation
This is a Python based module for fast checking of common vulnerabilities affecting windows which lead to privilege escalation
python  windows  privilegeescalation  privesc  pentest  security 
january 2018 by whip_lash
(Tod Miller's) Sudo/SudoEdit 1.6.9p21 / 1.7.2p4 - Privilege Escalation
(Tod Miller's) Sudo/SudoEdit 1.6.9p21 / 1.7.2p4 - Privilege Escalation. Local exploit for Multiple platform
privesc  sudo  privilegeescalation 
december 2016 by whip_lash
GitHub - jbarcia/priv-escalation
Contribute to priv-escalation development by creating an account on GitHub.
privesc  oscp  pentest  privilegeescalation 
december 2016 by whip_lash

Copy this bookmark:

to read