HTB CPTS: Study session (Privilege Escalation, Enumeration)

Privilege Escalation
Once we gain initial access to a box, we want to thoroughly enumerate the box to find any potential vulnerabilities we can exploit to achieve a higher privilege level.
There are checklists for privilege escalation online. A good place is HackTricks.
There are some scripts for Linux and Windows Enumeration:
Linux:
LinEnum
linuxprivchecker
Windows:
Seatbelt
JAWS
For server enumeration we could use the Privilege Escalation Awesome Scripts Suite (PEASS):
- PEASS is a good option that is maintained and includes scripts for both Windows and Linux.
We could also check for vulnerable software with commands like:
dpkg -l
or by checking Program Files on Windows.
To check what commands we can run as the super user, we can type:
sudo -l
To switch to the root user, we can type:
sudo su
By the way, su stands for super user.
We can exploit sudo privileges. A good place to see what kind of commands can work with sudo is GTFOBins.
For Windows there's a list of programs that we can exploit too. LOLBAS is the place to look.
Scheduled Tasks
We can schedule a task
If we can write to a directory called by a cron job, we can write a bash script with a reverse shell command, which should send us a reverse shell when executed.
Directories where we should write scheduled tasks are:
/etc/crontab
/etc/cron.d
/var/spool/cron/crontabs/root
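The same condition can be audited before anyone abuses it. The sketch below is an added example, not part of the original notes: it reads a crontab-format file and reports every referenced file that is world-writable or sits in a world-writable directory without the sticky bit. The function names and the WRITABLE output format are this example's own.

```shell
#!/bin/sh
# Added example: flag cron-invoked paths that any local user could modify.

# world_writable PATH: true if PATH is a regular file or directory that is
# world-writable, or whose parent directory is world-writable without the
# sticky bit (so any user could replace the file).
world_writable() {
    [ -f "$1" ] || [ -d "$1" ] || return 1   # skips devices such as /dev/null
    [ -n "$(find -H "$1" -prune -perm -0002 -print)" ] && return 0
    [ -n "$(find -H "$(dirname "$1")" -prune -perm -0002 ! -perm -1000 -print)" ]
}

# cron_targets FILE: absolute paths named in the command part of each entry.
# Works for system crontabs (with a user field) and per-user crontabs,
# because a user name never starts with "/". Comments, blank lines and
# VAR=value lines are ignored; "@daily"-style entries have one time field.
cron_targets() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" |
    grep -Ev '^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*[[:space:]]*=' |
    awk '{ s = ($1 ~ /^@/) ? 2 : 6
           for (i = s; i <= NF; i++) if ($i ~ /^\//) print $i }' |
    sort -u
}

# audit_cron_file FILE: print "WRITABLE <path>" for every risky target.
audit_cron_file() {
    cron_targets "$1" | while IFS= read -r target; do
        if world_writable "$target"; then
            echo "WRITABLE $target"
        fi
    done
}

# Stand-alone use: sh audit.sh /etc/crontab /etc/cron.d/*
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        audit_cron_file "$f"
    done
fi
```

Any path it prints should be owned by root and have write permission removed for other users, along with its parent directory.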
Thoughts after privilege escalation room in HTB
Privilege escalation is a very important and very powerful part. When I was trying to escalate my privileges to another user, it took some thought. A very useful command is sudo -l. You can see what privileges you have as a super user.
Also a good method is to check the system info with uname -a.
Another method is to check installed packages on the system with dpkg -l. You can search for the “holes” in the packages with a tool like GTFOBins.
I’ve managed to get both flags, as a different user and as root. It was also an interesting method to connect with ssh id_rsa.
OUTRO
Learn one new thing every day and you will be armed with knowledge in the future.
See ya in the next blog posts.
Shout out to HTB for making learning Cyber Security so interactive, challenging and fun.



