There are many ways, H1tM0nk3y, and I'll let others answer, too.  But often times, it's a matter of simply using the access you've already gained to find other exploitable services, etc, on the target, which you can then go after (such as services that, from the ourside, were filtered by firewall, but from local machine, are easily reachable.)

Other methods vary, from uploading and running existing exploit code, to starting up an exploitable service or program on the target, which then enables you to hook into system dll's, with escalated privileges, etc.

Edit:  I'll try to post some relevant links later (time is NOT on my side, this morning,) unless sil or others beat me to it!  

Once again, it goes back to recon and information gathering. See what you can find in terms of users, hashes, running services, file contents, etc. Is the machine running any network services? If so, can you capture traffic on it? Search for scripts and batch files. I've found credentials stored in those on numerous occasions. Why waste time trying to be l33t when they have the info sitting right there for you?

The most used technique on Linux is:
- Look at the kernel version (uname -a) and try an exploit (from e.g. exploit-db) matching that version.

You could also try:
- Read the /etc/passwd (readable, useful to find accounts to bruteforce into) and /etc/shadow (shouldn't be readable, but you never know.)
- Exploit a vulnerable (perhaps local) service running directly as root.
- Bruteforce the root login (su or sudo)
- Try "sudo", your current user may already have sudo privileges! (You may be able to read /etc/sudoers in rare cases.)
- Look for "personal files" that may contain hints to what the password might be. (Some people write their passwords in text files on their computer.)

On Windows, there's a few modules in Metasploit that I know of which has been implemented.

I know that the VNC Injection usually drops a command prompt running as "system" too.

The Meterpreter payload is able to migrate into other processes, and migrating into a process running with higher privileges is also and usually possible where you're usually able to gain higher privileges this way too.

However on boxes with Vista, XP, 7, etc. you're usually already Admin or local Admin. If you're not, try "Pass the Hash" to gain access to other computers or devices on the network which may be a part of an AD (a domain), look for "files" or clues on these boxes too.

Well, that's mostly what you can and should do   There is of course, probably a lot more techniques.

Oh yeah, +1 to ziggy_567 and dynamik, "backups" of passwords etc. is good to look for as well, along with the default admin / admin and admin / password credentials.

Don't forget MitM attacks too if you're in a live and real network! I used that method to grab all the passwords for the mail clients in a real (IRL) scenario, however be _sure_ that you don't do any mistakes so the clients on the network won't loose their Internet or network connections.

Oh for sure! I <3 DB connection strings.

You can then get the user hashes for whatever app they're using, and you'll occasionally find people that reuse them elsewhere. Jackpot.

I really get your point now. I can't thank you guys enough!!!   

And as far as tools are concerned, just in Backtrack 4, there are 57 tools in the "Privilege Escalation | All" directory. But you guys already know that...

Alright, so things have slowed down for me enough to post a long rambling (rough week had interop testing, presentations, etc). Let's take a 50K foot view and review with what I'll call "I haz shell now what?!"

What steps did you go through to get a shell account. For those reading this, it will be a part intro, part explanation and so on. Typically the penetration tester will go through phases to access a machine. These phases include a variation of the following:

• Recon
  Enumeration of services
  Enumeration of accounts if possible
  Collection of exploits against the services (where vulnerable)
  etc., etc

When you set out to test the security of this machine from a penetration tester's point of view, you at some point had to run some form of "mapping" software to determine what services were running on the machine in order to circumvent slash exploit one to work your way in. You've made your way in but have determined, it's not where you need to be. You need to escalate for one reason or another.

Sidetrack: In most cases, getting in is enough period (believe it or not) and anyone who tells you otherwise is off their rockers. Analogy time: Imagine coming home from dinner one day to find your apartment was burglarized. Nothing was stolen, but someone ransacked through all your belongings. Do you sit there and say: "So what! Nothing was taken, no harm no foul." Highly doubtful. There is the entire concept of someone going through your personal belongings. Not to mention the fact of insecurity you will feel. "Will they come back again", "will they clean me out next time" and so on.

Forwardtrack: So you've managed to get access... How did you get access again? Through a process. You now need to go through that same process using a different approach. The procedures are the same:

• Recon
  Enumeration of services
  Enumeration of accounts if possible
  Collection of exploits against the system you're on

On *nix

Where am I first of all


Who am I and what groups am I in?


I can't read shadow, maybe I can find an account I can escalate to


In some cases, this file could be really large especially in an enterprise. Let's see only accounts worth seeing (get rid of nologin and false):



I see there are mechanisms/programs in place to potentially see/monitor what is going on (snort, ossec, osiris, arpwatch, nagios). Better play it safe and keep things silent (non-noisy as snort will see it) man sleep Meaning, if I need to do something network related, I want to keep my intervals high to avoid tripping IPS/IDS alarms. If an interval command is not available, I'll use sleep for N amount of seconds, e.g.:

HEAD 10.20.30.2 ; sleep 180 ; nextCommand

Anyhow, Let me see what other networks I'm on...


Now that I see a private address, let's see what is visible on the private side. Forget nmap since it may NOT be on the machine and there is no way in hell I'm setting off alarms. Hello good old faithful netcat, I need you as a scanner today. You come preinstalled on just about everything nowadays:


Strange, these weren't visible to me from the outside world when I ran nmap. Let me keep note, find a potential matching program and see if I can find any potential working exploits against these services....


I can go Google exploits against this later. Right now, just jotting down what's visible slash accessible to me. Get the picture? It pays to understand systems from a systems administrator perspective otherwise one will always ask the question: "I haz shell now what?" Hopefully this made sense to those who've been asking themselves that same question. The remainder is sort of elementary. Much similar to gathering data from the outside view, gather it now from the inside view. This could mean finding services, finding an account with better privileges (more /etc/group), finding any errors with file permissions. Finding any potential TOCTOU issues and so on.

It's good practice to build a "dossier" of the system your own instead of trying to hack it wildly. The time you spend doing so (hacking wildly) could lead to you being detected and or kicked/blocked off the system rendering your test moot (to a degree... After all you did get in). Practice, patience and understanding allow you to go far. I can't stress it enough, one needs to truly understand a system from even a junior admin level as it makes things easier and allows one to streamline processes to make things quicker, more effective and more stealthy sometimes.

For anyone with an OMFG on this in regards to gary7, take note, I replaced my system information with gary7. I wouldn't go fiddling with that machine if I were you. (No really I wouldn't)

sil and former33t went further for you on where I was leading.  End point is, exactly as former33t put it in the quote above...  Ultimately, at the end of the day, the point is showing what you can get to, and as he said, if it's a mail server, and you can snarf all the mail, you've successfully achieved the goal.  Now on to the next box, and the next, and the next.  (Although, if you're wily enough to gain privileged shells, and enumerate usernames and passwords for OTHER machines on the same network, then you've made life all that much easier to continue.

Good luck!