2020-09-03, 15:00–15:40, Main stream
Local privilege escalation techniques are far beyond checking the Windows/Kernel version, looking for unquoted service paths or checking SUID binaries.
Moreover, a local privilege escalation could make a huge difference when trying to compromise a domain.
Several tools have been created to find possible privilege escalation paths, but most of the tools for Red Team and Pentesting just check for a few possible paths, so pentesters need to use several tools and do some manual recon to check for everything.
During this talk I will present a suite of open source privesc enumerators that I have created called PEASS (Privilege Escalation Awesome Scripts Suite). The goal of this suite is to check and highlight every possible privesc path so professionals don’t need to execute several different tools and can very easily find the vulnerabilities.
At the moment, this suite contains the most complete and user-friendly privesc enumerators for Windows (in .Net and bat) and Unix (Linux, MacOS, OpenBSD, FreeBSD).
Note that, regardless of the technical level of the audience, I'm sure they will learn some new privilege escalation vector.
I will start the talk by presenting myself and the agenda of the talk.
Then, I will talk about the importance of checking for possible local privilege escalations during pentests and red team exercises (persistence, reading sensitive file information, lateral movement, domain privilege escalation...).
After that, I will present the suite PEAS (https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite). I will explain that it contains the most complete open source privesc enumerators because it has more checks than its competitors. I will also explain that it is more user-friendly than its competitors, as it avoids long lists of useless data and uses colours to highlight the possible privesc vectors detected.
At this point I will have already shown why PEAS is useful, so I will show some demos.
First, I will use linpeas.sh inside a vulnerable Linux host so everyone can see how useful this script is and how easy it is to spot vulnerabilities with it.
To explain the checks performed by linpeas, I will also show my cheatsheet and my notes about Unix privesc:
- https://book.hacktricks.xyz/linux-unix/linux-privilege-escalation-checklist
- https://book.hacktricks.xyz/linux-unix/privilege-escalation
For the third and fourth demos I will execute winpeas.exe (.Net project) and winpeas.bat inside a vulnerable Windows machine, and I will also explain the checks that these scripts perform.
Again, the goal of these demos is to show how easy it is to detect privilege escalation paths with PEAS on Windows.
I will also show my notes and cheatsheet about Windows privesc:
- https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation
- https://book.hacktricks.xyz/windows/windows-local-privilege-escalation
The goal of showing my notes about privesc is to give the attendees some extra information about privesc that they can read after the presentation if they want to learn more about the topic.
Please note that, regardless of the technical level of the audience, I'm sure they will learn about some new privilege escalation vector.
Carlos Polop, Spanish, Telecommunications Engineer from the UPM, Master in Cybersecurity from the UC3M, OSCP, CRTP and OSWE.
I have worked as a Pentester at PWC Spain, as a Security Specialist in the Department of Defence of Spain, and I'm currently working as a Senior Pentester at SEC-1 (Claranet), based in London.
I'm also a hackathon and CTF player (SirBroccoli on HackTheBox).
You can learn every trick I learn about cybersecurity in my web page: https://book.hacktricks.xyz/