Hands-on: Gaining Root and Administrator Access in Linux and Windows (en)
Privilege Escalation on Ubuntu 24.04 Server Linux and Windows 10
Privilege escalation is a technique used to gain higher access rights than those granted, such as gaining root access on Linux or administrator access on Windows. This process often begins after successfully gaining initial access to the target system.
The following is an explanation and example of privilege escalation on Ubuntu 24.04 Server Linux and Windows 10.
Privilege Escalation on Ubuntu 24.04 Server Linux
Method: Sudo Misconfiguration
Misconfiguration in `sudoers` can be an entry point for attackers to gain root access. For example, if a user can run certain commands with root privileges without a password.
Exploit Steps:
- Check sudo Permissions:
In Ubuntu, we can check what commands can be run without a password using:
sudo -l
Suppose the output is like this:
(ALL) NOPASSWD: /usr/bin/find
This means that the user can run the `find` command as root without a password.
- Exploit:
With this capability, we can run a shell as root using:
sudo find . -exec /bin/bash \;
Now you have root access.
Method: Kernel Exploits (Dirty Pipe)
Certain versions of Ubuntu are sometimes vulnerable to kernel exploits such as Dirty Pipe, which allow privilege escalation.
Identify Kernel Version:
- Check the kernel version used:
uname -r
- Dirty Pipe Exploit:
If the kernel is vulnerable to Dirty Pipe (example: kernel 5.8.x), then you can use the exploit available on GitHub or other sites. After running this exploit, you will get root access.
Privilege Escalation on Windows 10
Method: Insecure Service Permissions
Services running with `SYSTEM` privileges can be vulnerable if not configured properly. An unprivileged user can modify the binaries of such services to run with `SYSTEM` privileges.
Exploitation Steps:
Check Vulnerable Services:
- Use `accesschk` to check service permissions:
accesschk.exe -uwcqv "Authenticated Users" *
Identify Services with Modify Permissions:
- If there is a service that allows users to change the executable path, we can replace the service binary with our own payload.
Exploitation:
- Change the path of the service binary with your own payload (e.g. reverse shell). Restart the service to run the payload with `SYSTEM` permissions.
sc config [service name] binpath= "C:\path\to\payload.exe" net start [service name]
After that, you will get access with `SYSTEM` permissions.
Method: Token Impersonation (SeImpersonatePrivilege)
On Windows, the SeImpersonatePrivilege privilege allows to take over another process's token.
Check Privilege:
- Use `whoami /priv` to check if `SeImpersonatePrivilege` is available.
Exploit with Juicy Potato:
- If the privilege is available, use a tool like Juicy Potato to exploit the token and run the payload as `SYSTEM`.
Conclusion:
Privilege escalation involves exploiting a misconfiguration or vulnerability in the system. The examples above show different methods on Ubuntu and Windows 10, which are often taught in ethical hacking courses. For practical purposes, you can create a secure virtual environment for students to test these techniques legally and in a controlled manner.