Post Exploitation

This section explains ways we can elevate our privileges on a Windows system once we have exploited it. This is part of the post exploitation phase of a test. We need to make sure that what we do is in scope, and that we record every change we make. These changes can then be included in the report so they can be reverted if the client wants; the time and date of each change should also be included in the report. If we make permanent changes to a machine, we need to keep a backup of the original data. This goes for logs, too: we need to make a backup copy of them before we delete them. All data we capture from machines must be encrypted while it is stored locally on our attacking machines, and once the engagement is over we need to securely wipe it from our machines. When we give a client proof of sensitive data we have found, we need to obfuscate it (usernames, passwords, etc.).

We can see the post exploitation stage of a penetration test as being cyclical. This process has stages: local enumeration of the compromised machine; optionally transferring files and upgrading shells; privilege escalation and establishing persistence; data harvesting; scanning internal networks; and then the exploitation of new systems, including pivoting to new subnets. As stated above, this section will focus on the privilege escalation part of the post exploitation phase of the test.

Privilege Escalation

Once we are on a machine, we will want to elevate our privileges so that we can access more sensitive data. This can be achieved by exploiting vulnerabilities in the operating system or other software, whether bugs or design flaws. Priv esc can be vertical or horizontal (lateral). With horizontal priv esc, we move from one user to another who has the same level of system access. With vertical, we move from a lower user to a higher user (such as from a domain user to a domain admin on Windows). We can search for misconfigurations that let us escalate privileges, and we can use local exploits to escalate privileges.

Privilege escalation depends very much on the environment which we find ourselves in when we land on a machine. This is why local enumeration is very important. When we land on a machine, we need to gather information about its system and users. This is the local enumeration part of post exploitation which needs to happen before we try to elevate our privileges.

Once we know what type of machine we are working with, we need to quickly try to establish persistence. This is because some shells can be closed by the remote user. This can easily happen with meterpreter shells; for example, a remote user could close a browser which has established a meterpreter session via a client side exploit.

We can start to gain persistence by migrating our process to a different one. With meterpreter, we can use an automated way to do this:

    run post/windows/manage/migrate

We can do this manually by first of all finding the process IDs of processes which are already running on the compromised machine:

    ps

We can then choose a PID to migrate to (for example 1200):

    migrate 1200

We can find out which process ID we are currently running under with:

    getpid

Processes such as lsass and explorer are good ones to migrate to as they are stable. We can quickly find the PID of one using:

    pgrep explorer

Once we have migrated to a different process, we need to think about how we can establish persistence. Most of the ways to do this require higher privileges, however, so we need to look for ways to do priv esc first. This is one reason privilege escalation is so important. It is also important because with higher level privileges we will be able to enumerate the victim machine further and potentially access more sensitive data; it is a crucial part of a penetration test.

There are many ways we can elevate privileges; this section deals with some of them in more depth.