A Word on Privilege Escalation Enumeration Scripts

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
or

Already have an account? Sign In »

Time
21 hours 43 minutes
Difficulty
Intermediate
CEU/CPE
22
Video Transcription
00:00
>> A word on privilege,
00:00
escalation, enumeration scripts.
00:00
Our learning objectives are to
00:00
understand the good, the bad,
00:00
and the ugly of privilege escalation scripts and you need
00:00
to decide which privilege escalation scripts
00:00
that you're going to use in OSCP.
00:00
Why do we use privilege escalation scripts?
00:00
Well, you might be asking yourself, Clint,
00:00
why did you go through the Linux and Windows
00:00
privilege escalation lessons so
00:00
quickly about manual enumeration?
00:00
Well, because we have
00:00
these great scripts that we can use that
00:00
does the manual enumeration work
00:00
that would take us days,
00:00
to do in minutes or seconds.
00:00
That's to say that part of my strategy when it comes
00:00
to privilege escalation is
00:00
using privilege escalation scripts.
00:00
I say that but I also did a CTF recently
00:00
with a buddy and
00:00
I didn't use a privilege escalation script.
00:00
What I ended up doing were
00:00
all these manual queries using DIR,
00:00
and find string,
00:00
and looking in the registry.
00:00
It taught me a whole lot,
00:00
but it also took me 10
00:00
times as long as it took my friend.
00:00
I do think that it's like I'm probably dating myself,
00:00
but when I was learning how to drive people would say,
00:00
"Go out and get lost and figure out where you are.
00:00
Maybe drive up to a gas station,
00:00
figure out where you are."
00:00
But it's good to get lost
00:00
and know how to find your way back home.
00:00
Of course, now we have phones and
00:00
GPS and all that stuff but
00:00
I feel like that's the way it should
00:00
be with privilege escalation,
00:00
is we shouldn't rely on these scripts,
00:00
but they do make things a whole lot easier,
00:00
just like using your
00:00
Google Maps makes life a whole lot easier.
00:00
Don't let it be a crutch though.
00:00
The other thing is information overload.
00:00
When you run these scripts, you're going to get
00:00
a whole lot of output.
00:00
They also may have false positives in them as well,
00:00
we're just going to waste our time.
00:00
That's to say read the script,
00:00
before you use it read it.
00:00
Like I said, understand the code,
00:00
know what it's looking for.
00:00
If it tells you that as
00:00
a pseudo binary and you don't know what a pseudo binary,
00:00
how to exploit that,
00:00
then that's not going to give you a whole lot of help.
00:00
Understand the output it gives you and understand how to
00:00
exploit the things that it tells you may be vulnerable.
00:00
Also, I know I shouldn't have to say this,
00:00
but you should already be using these
00:00
when you do the labs,
00:00
or hack the box,
00:00
or try hack me or whatever lab environment you are in,
00:00
this should be a tried and true script
00:00
and it shouldn't be just one,
00:00
should be one or two,
00:00
probably two, because some of these boxes may not have
00:00
Python when you're relying on a Python script,
00:00
especially on a Windows box,
00:00
but we'll talk about that more as we go on.
00:00
Linux privilege, escalation
00:00
scripts blend pieces in newer one.
00:00
It takes a long time,
00:00
but I think it has really great output.
00:00
It was very helpful, I used it recently and hacked
00:00
the box and it was very helpful.
00:00
There's also LinEnum,
00:00
another shell script that I've used
00:00
that has been very helpful in the past.
00:00
Unix privesc check,
00:00
it comes in Kali by default.
00:00
Not a big fan of it,
00:00
but if it's all you have,
00:00
well, that's all you have.
00:00
There's also linuxprivchecker.py, a Python script.
00:00
I would pick two of these.
00:00
You could pick more,
00:00
but of course, even on a Linux box,
00:00
maybe it doesn't have Python on it and you love
00:00
linuxprivchecker and you can't
00:00
use it because it doesn't have Python,
00:00
you need to have a backup script.
00:00
I say that talking about windows too,
00:00
because some of these windows
00:00
privilege escalation scripts are
00:00
written in Python and of course,
00:00
Windows doesn't really have Python on it by default
00:00
so I wouldn't really
00:00
rely on a Python script to use in a Windows box.
00:00
There's windows privesc checker from pentestmoneky.
00:00
Of course, if it comes in executable,
00:00
that's great for us in a Windows box,
00:00
and there's also PowerShell scripts.
00:00
Now we hope that antiviruses off,
00:00
that we hope Windows Defenders and
00:00
picking these things up.
00:00
But I know when I was using winPEAS,
00:00
my antivirus picked it up and deleted it.
00:00
Be cognizant of that with any of
00:00
these things when you download it,
00:00
that your machine may think it is malicious.
00:00
I should also say look into sharp split as well.
00:00
I talked about power up a lot.
00:00
Sharp split is another
00:00
Windows privilege escalation script
00:00
that you can use,
00:00
a lot of red teamers use it,
00:00
but I rely more on power up,
00:00
but also looking to sharp split.
00:00
Privesc script tips, easy to go down rabbit holes.
00:00
There's a whole lot of output,
00:00
some people start at the bottom,
00:00
some people start at the top,
00:00
some people start in the middle, but again,
00:00
know what the script does and know where to focus on.
00:00
Again, like I said, have
00:00
more than one script that you can rely on.
00:00
When it comes to testing, you should have
00:00
all these scripts preferably in a folder
00:00
somewhere that you can use for
00:00
tools in your tool belt that you can put on the box.
00:00
Again, like I said, if doesn't have Python in it,
00:00
use a shell script or use an executable on Windows box.
00:00
In summary, we should understand the good, the bad,
00:00
and the ugly of privilege escalation scripts and decide
00:00
which privilege escalation script to
00:00
use in OSCP well before test day.
Up Next