A Word on Privilege Escalation Enumeration Scripts

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *

Already have an account? Sign In »

21 hours 43 minutes
Video Transcription
a word on privilege escalation enumeration scripts
are learning objectives are to understand the good, the bad and the ugly of privilege escalation scripts
and you need to decide which privilege escalation scripts that you're going to use. You know, SCP.
So why do we use privilege escalation scripts? Well you might be asking yourself, Clint, why did you go through the Lennox and Windows privilege escalation lessons so quickly about manual enumeration? Well because we have these great scripts that we can use that does the manual enumeration work that would take us days to do in minutes or seconds.
So that's to say that part of my strategy uh when it comes to privilege escalation
is using privilege escalation scripts. I say that. But I also did a C. T. F. Recently with a with a buddy
and I didn't use a privilege escalation script. Um So what I ended up doing we're all these manual queries you know like using D. I. R. And fine string and looking in the registry. It taught me a whole lot. But it also took me 10 times as long as it took my friend. But
you know I do think that it's like I'm probably dating myself but
when I was learning how to drive you know people would say go out and get lost and figure out where you are. You know maybe drive up to a gas station, figure out where you are.
But it's good to get lost and and know how to find your way back home. Of course now we have phones and GPS and all that stuff but I kind of feel like that's the way it should be with privilege escalation is we shouldn't rely on these scripts
but they do make things a whole lot easier. Just like are you know using your google maps makes life a whole lot easier.
Don't let it be a crutch though. And the other thing is information overload. When you run these scripts, you're going to get a whole lot of output.
They also may have false positives in them as well, which is going to waste our time.
So that's to say read the script
before you use it, read it. Like I said, you know, understand the code, know what it's looking for.
If it tells you that as a sewage binary and you don't know what a sewage binary, how how to exploit that, then that's not going to give you a whole lot of help.
So understand the output it gives you and understand how to exploit the things that it tells you may be vulnerable.
Also, I know I shouldn't have to say this, but you should already be using these when you do the labs or hack the box or try hack me or whatever lab environment you are in. You should, this should be a tried and true script and it shouldn't be just one. Should be one or two.
Probably too because some of these boxes may not have python when you're relying on a python script,
especially on a windows box, but we'll talk about that more as we go on.
So Lennox privilege escalation scripts. Lynn Pease is a newer one. It takes a long time, but I think it has a really great output. Um it was very helpful, I used it recently and hacked the box and
it was very helpful. There's also linea noon, another shell script that I've used that has been very, very helpful in the past.
UNIX priv esc checker comes in Cali by default. Not a big fan of it, but if it's all you have, well, that's all you have.
There's also Lennox proof checker dot py a python script.
I would pick two of these. I mean you could pick more but of course even on a on a Lennox box, maybe it doesn't have python on it. And you love Lennox proof checker and you can't use it because it doesn't have python.
You need to have a backup script.
And I say that talk about Windows too, because some of these Windows privilege escalation
scripts are written in python. And of course Windows doesn't really have python on it by default. So
I wouldn't really rely on a python script to use in a Windows box.
There's Windows protest checker from pen test monkey. Of course if it comes and execute Herbal, that's great for us on a Windows box.
And there's also power shell scripts.
Now, we hope that anti viruses off that we hope that Windows defender isn't picking these things up.
But I know when I was using wind peas, uh my anti virus picked it up and deleted it. So
you know, be cognizant of that with with any of these things. Um when you download it that your machine may think it is malicious.
I should also say look into Sharp split as well. Talk about power up a lot. Sharp Split is another uh, Windows privilege escalation uh script that you can use. A lot of red teamers use it. But I I kind of rely more on on power up but also look into sharp split.
So prove esque script tips easy to go down rabbit holes. There's a whole lot of output.
You know, some people start at the bottom, some people start at the top, some people start in the middle.
Um but again, no what the script does and know where to focus on.
Um And again, like I said, have more than one script that you can rely on. You know, you when it comes to test that you should have all these scripts,
preferably in a folder, somewhere that you can use for tools in your tool belt that you can put on the box. And again, like I said, it doesn't have python in it use a shell script or using executed on a windows box.
So in summary, we should understand the good, the bad and the ugly of privilege escalation scripts and decide which privilege escalation script
to use an O SCP well before test.
Up Next