Local Privilege Escalation Workshop (Linux & Windows) (lang: EN)
2020-09-02, 12:30–15:30, Workshops stream

Local privilege escalation techniques go far beyond checking the Windows/Kernel version, looking for unquoted service paths or checking SUID binaries.

Moreover, a local privilege escalation can make a huge difference when trying to compromise a domain.
Several tools have been created to find possible privilege escalation paths, but most of the tools for Red Team and Pentesting check only a few possible paths, so pentesters need to use several tools and do some manual recon to check for everything.


During this training I will present a suite of open source privesc enumerators that I have created, called PEASS (Privilege Escalation Awesome Scripts Suite), and we will use it to discover and exploit several vulnerabilities on Linux and Windows.
The goal of this suite is to check and highlight every possible privesc path so professionals don’t need to execute several different tools and can very easily find the vulnerabilities.
At the moment, this suite contains the most complete and user-friendly privesc enumerators for Windows (in .NET and bat) and Unix (Linux, OpenBSD, FreeBSD).

Regardless of the audience's technical level, I’m sure that attendees will learn some new privilege escalation vector.

Then, I will start by talking about the importance of checking for possible local privilege escalations during pentests and red team exercises (persistence, reading sensitive file information, lateral movement, domain privilege escalation...).
After that, I will present the suite PEAS (https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite). I will explain that it contains the most complete open source privesc enumerators because it has more checks than its competitors. I will also explain that it is more user-friendly than its competitors, as it avoids long lists of useless data and uses colours to highlight the possible privesc paths it detects.

At this point I will have already shown why PEAS is useful, so I will start with the demos.
First, I will use linpeas.sh inside a vulnerable Linux host. This host will be a vulnerable VM that will be available to everyone who wants to follow the training on their laptop.

During this demo, I will explain the main checks performed by linpeas and which common files could contain interesting information, and I will exploit some of the discovered privilege escalation vulnerabilities.
I will also show how to fix those vulnerabilities.

During the presentation I will also show my cheatsheet and my notes about Unix privesc to help people understand what is happening.

For the third and fourth demos I will execute winpeas.exe (.NET project) and winpeas.bat inside a vulnerable Windows machine, and I will also explain the checks that these scripts do.
I will share the VM or a script that generates the vulnerabilities so attendees can exploit the same vulnerabilities in their own VM.

Again, the goal of these demos is to show how easy it is to detect privilege escalation paths with PEAS in Windows and to show how to exploit some of them.
Moreover, I will explain how to fix the vulnerabilities.

You can purchase tickets here: https://nonamecon.2event.com/

Carlos Polop, Spanish, Telecommunications Engineer from the UPM, Master in Cybersecurity from the UC3M, OSCP, CRTP and OSWE.
I have worked as a Pentester at PWC Spain, as a Security Specialist in the Department of Defence of Spain, and I'm currently working as a Senior Pentester at SEC-1 (Claranet), based in London.
I'm also a hackathon and CTF player (SirBroccoli on HackTheBox).
You can learn every trick I learn about cybersecurity on my web page: https://book.hacktricks.xyz/
