Privilege Escalation

After we have gained access to a victim machine in the exploitation phase, the next step is to escalate privileges to a higher-privileged account. As a pentester, these are the accounts we aim to reach:

  • In the Windows world, the target account is usually: Administrator or System.

  • In the Linux world, the target account is usually: root

As you can tell, discovering what Operating System a device is running on is very important to determine how we will escalate our privileges later. Once we gain access as a lower level user, we will try to run another exploit or find a way to become root or administrator.

Privilege escalation can take many forms; some examples are:

  • Cracking password hashes found on the target

  • Finding a vulnerable service or version of a service which will allow you to escalate privilege THROUGH the service

  • Password spraying of previously discovered credentials (password re-use)

  • Using default credentials

  • Finding secret keys or SSH keys stored on a device which will allow pivoting to another machine

  • Running scripts or commands to enumerate system settings, like 'ifconfig' to find network settings, or the command 'find / -perm -4000 -type f 2>/dev/null' to see if the user has access to any commands they can run as root
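A defender-side counterpart to the SUID enumeration above, added here as an example and not part of the original page: the same 'find' listing is compared against a baseline of SUID binaries expected on the host, and anything not in the baseline is reported, which is the check an administrator would schedule after a build. The baseline paths are constructed sample values, not taken from any real system.

```shell
#!/bin/sh
# Audit the SUID binaries on a host against an expected baseline.
# Added example; the BASELINE contents are constructed sample values.

# SUID binaries expected on this host (constructed sample baseline).
BASELINE='/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su'

# List every SUID file on the running system, one path per line, sorted.
# This is the enumeration command from the text, with sorted output so it
# can be compared line by line.
scan_suid() {
    find / -perm -4000 -type f 2>/dev/null | sort -u
}

# unexpected_suid BASELINE_TEXT  < found_paths
# Reads found SUID paths on stdin and prints each one the baseline does not
# list. Both inputs are sorted so comm(1) can diff them; -13 suppresses
# lines only in the baseline (column 1) and lines in both (column 3).
unexpected_suid() {
    baseline_file=$(mktemp)
    printf '%s\n' "$1" | sort -u > "$baseline_file"
    sort -u | comm -13 "$baseline_file" -
    rm -f "$baseline_file"
}

# Run the live audit only when asked, so sourcing the file has no side effects.
if [ "${1:-}" = "--scan" ]; then
    echo "SUID binaries not in baseline:"
    scan_suid | unexpected_suid "$BASELINE"
fi
```

Invoke the script with `--scan` to audit the current host; any path it prints is a SUID binary that was not present when the baseline was taken and should be explained or removed.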


Types

There are two main privilege escalation variants:

1. Horizontal privilege escalation

This is where you expand your reach over the compromised system by taking over a different user who is on the same privilege level as you. For instance, a normal user hijacking another normal user (rather than elevating to super user). This allows you to inherit whatever files and access that user has. This can be used, for example, to gain access to another normal-privilege user who happens to have an SUID file in their home directory, which can then be used to get super user access. [Travel sideways on the tree]

2. Vertical privilege escalation (privilege elevation)

This is where you attempt to gain higher privileges or access, with an existing account that you have already compromised. For local privilege escalation attacks this might mean hijacking an account with administrator privileges or root privileges. [Travel up on the tree]
