Privilege escalation is a pivotal phase in the CompTIA PenTest+ framework, specifically within the Attacks and Exploits domain. It involves elevating access from a compromised low-level account to a higher-privileged one (vertical escalation) or accessing peer accounts (horizontal escalation).
In **Linux environments**, escalation often targets file permissions and kernel vulnerabilities. Testers hunt for executables with the **SUID** (Set User ID) bit set, which run with the owner's authority (often root). If these binaries have shell escape functionality, root access is trivial. Misconfigured **sudoers** files are another vector; running `sudo -l` might reveal that a user can execute commands like `vim` or `python` as root without a password. Additionally, attackers exploit writable **cron jobs** or unpatched kernel vulnerabilities (e.g., Dirty COW).
In **Windows systems**, techniques often exploit service configurations. **Unquoted Service Paths** occur when a service path contains spaces but lacks quotes, so Windows may execute a malicious binary placed at an earlier, space-delimited prefix of the path (e.g., executing `C:\Program.exe` instead of `C:\Program Files\Service.exe`). **DLL Hijacking** involves placing a malicious Dynamic Link Library in a folder where an application searches for dependencies. Testers also look for **AlwaysInstallElevated** registry settings, which allow .msi files to install with system privileges. **Token manipulation**, stealing access tokens from high-privilege processes in order to impersonate administrators, is also common.
Ultimately, whether exploiting weak file permissions, kernel flaws, or stored credentials, the goal is obtaining root, Administrator, or SYSTEM level access to persist on the network and pivot to other targets.
**What is Privilege Escalation?** Privilege escalation is the process of gaining higher-level permissions on a system or network than what was originally granted. It typically occurs after an attacker has gained initial access (a foothold) but finds themselves restricted as a low-level user. There are two primary types:
1. **Vertical Escalation:** Moving from a standard user to a superuser (e.g., User to Root on Linux, or User to SYSTEM/Administrator on Windows).
2. **Horizontal Escalation:** Moving from one standard user to another standard user to access specific data or different groups.
**Why is it Important?** Without privilege escalation, a penetration tester is often limited to viewing non-sensitive files and cannot install tools, modify system configurations, dump password hashes, or establish persistence. Achieving Root or SYSTEM level access is usually the 'crown jewel' objective of the exploit phase.
**How it Works: Common Techniques** Escalation relies on misconfigurations, kernel vulnerabilities, or weak credentials. Here is how it breaks down by Operating System:
**Linux Techniques:**
- **SUID/SGID Executables:** Files with the SUID bit set run with the permissions of the file owner (often root) rather than the user running them. If these binaries have escape functionality, they can spawn a root shell.
- **Misconfigured Sudo Rights:** Running `sudo -l` lists the commands a user may run as root, including any that require no password.
- **Kernel Exploits:** Exploiting vulnerabilities in the OS kernel (e.g., Dirty COW) to force elevation.
- **Cron Jobs:** If a scheduled task runs a script that is writable by a low-level user, the user can replace the script with malicious code that the system executes as root.
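The three Linux vectors that come down to file permissions (unexpected SUID binaries, root cron jobs with writable targets, and passwordless sudo rules) can be audited from the defender's side with the same facts the `sudo -l` and `find / -perm -4000` checks rely on. The script below is an added example, not code from these study notes: the SUID baseline, the `/etc/crontab` and `/etc/sudoers` samples, and the `helper` and `backup.sh` file names are constructed, and `scan_filesystem` is the only part that reads a real host.

```python
import os
import re
import stat
from collections import namedtuple

# Constructed baseline of SUID-root binaries expected on this image; anything else is flagged.
EXPECTED_SUID = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/mount",
                 "/usr/bin/umount", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/newgrp"}

# One sudoers user specification: who host=(runas) TAG: commands
SUDOERS_RULE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
                          r"(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")

FileInfo = namedtuple("FileInfo", "path mode uid")  # mode holds the st_mode bits from os.lstat


def scan_filesystem(root="/"):
    """Walk a real host and return a FileInfo per regular file (symlinks are not followed)."""
    found = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            try:
                st = os.lstat(os.path.join(dirpath, name))
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode):
                found.append(FileInfo(os.path.join(dirpath, name), st.st_mode, st.st_uid))
    return found


def unexpected_suid(files, baseline=EXPECTED_SUID):
    """`find / -perm -4000` restricted to root-owned files, diffed against the baseline."""
    return sorted(f.path for f in files
                  if f.mode & stat.S_ISUID and f.uid == 0 and f.path not in baseline)


def writable_by_non_root(f):
    """True if a non-root user could replace the file's contents."""
    return f.uid != 0 or bool(f.mode & (stat.S_IWGRP | stat.S_IWOTH))


def risky_cron_jobs(crontab_text, files):
    """Root jobs in /etc/crontab format (m h dom mon dow user command) whose first absolute-path
    argument is writable by a non-root user. Parent directories and PATH lookups are out of scope."""
    by_path = {f.path: f for f in files}
    risky = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # comment or environment assignment such as SHELL=/bin/sh
        fields = line.split(None, 6)
        if len(fields) < 7:
            continue
        user, command = fields[5], fields[6]
        paths = [t for t in command.split() if t.startswith("/") and len(t) > 1]
        target = by_path.get(paths[0]) if paths else None
        if user == "root" and target is not None and writable_by_non_root(target):
            risky.append((user, target.path))
    return risky


def nopasswd_rules(sudoers_text):
    """(user, commands) for every rule tagged NOPASSWD, i.e. what `sudo -l` shows that user."""
    rules = []
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = SUDOERS_RULE.match(line)
        if m and "NOPASSWD" in m.group("tags"):
            rules.append((m.group("who"), m.group("cmds").strip()))
    return rules


# Constructed host state standing in for a scan_filesystem() result and the two config files.
SAMPLE_FILES = [
    FileInfo("/usr/bin/passwd", 0o104755, 0),
    FileInfo("/usr/bin/sudo", 0o104755, 0),
    FileInfo("/usr/local/bin/helper", 0o104755, 0),   # SUID root, not on the baseline
    FileInfo("/opt/backup/backup.sh", 0o100777, 0),   # world-writable, run by root cron
    FileInfo("/usr/local/bin/rotate-logs", 0o100755, 0),
]
SAMPLE_CRONTAB = """\
# constructed /etc/crontab
SHELL=/bin/sh
17 *  * * *  root  cd / && run-parts --report /etc/cron.hourly
*/5 * * * *  root  /opt/backup/backup.sh
0 3   * * *  root  /usr/local/bin/rotate-logs --keep 7
"""
SAMPLE_SUDOERS = """\
# constructed /etc/sudoers
Defaults env_reset
root   ALL=(ALL:ALL) ALL
bob    ALL=(ALL) NOPASSWD: /usr/bin/vim, /usr/bin/python3
"""


def audit(files=SAMPLE_FILES, crontab=SAMPLE_CRONTAB, sudoers=SAMPLE_SUDOERS):
    """Run all three checks; pass scan_filesystem() and real file contents to audit a host."""
    return {"unexpected_suid": unexpected_suid(files),
            "risky_cron": risky_cron_jobs(crontab, files),
            "nopasswd_sudo": nopasswd_rules(sudoers)}


if __name__ == "__main__":
    print(audit())
```

On the constructed data the audit flags `/usr/local/bin/helper` as an off-baseline SUID-root binary, `/opt/backup/backup.sh` as a world-writable script that root's cron runs, and `bob`'s NOPASSWD rule for `vim` and `python3`. Each finding maps to the remediation the exam expects: remove the SUID bit or justify it in the baseline, tighten the script's permissions, and trim the sudo rule to least privilege.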
**Windows Techniques:**
- **Unquoted Service Paths:** If a service path contains spaces and is not wrapped in quotes (e.g., `C:\Program Files\My App\service.exe`), Windows might execute a malicious binary placed at `C:\Program.exe`.
- **DLL Hijacking:** Placing a malicious DLL in a directory where an application looks for libraries before checking system folders.
- **AlwaysInstallElevated:** A registry setting that, if enabled, allows users to install MSI packages with elevated privileges.
- **SAM Database:** Accessing the Security Account Manager files to dump hashes.
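The Unquoted Service Path mechanism described here and in the Windows paragraph above, worked through as an added Python example (not code from these study notes) over a constructed service table. `hijack_candidates` reproduces the prefix search Windows performs on an unquoted command line, which tells an auditor exactly which directories need an ACL review; `quote_image_path` produces the remediated value that the 'Quote the path' fix refers to; and `always_install_elevated` encodes the condition that the MSI setting only takes effect when both the HKLM and HKCU values are set. The service names and paths are constructed.

```python
import ntpath

# Constructed service table: {ServiceName: ImagePath}, as read from each service's registry key.
SAMPLE_SERVICES = {
    "GoodSvc": r'"C:\Program Files\Vendor\Good App\good.exe" -service',
    "SysSvc": r"C:\Windows\system32\svchost.exe -k netsvcs",
    "VulnSvc": r"C:\Program Files\My App\service.exe",
}


def hijack_candidates(image_path):
    """Executables Windows would try before the intended one for an unquoted ImagePath.

    CreateProcess resolves an unquoted command line by taking each space-delimited prefix in
    turn, appending .exe when the prefix has no extension, and running the first that exists.
    A quoted path yields no candidates. Values without a .exe token are left for manual review."""
    image_path = image_path.strip()
    if not image_path or image_path.startswith('"'):
        return []
    candidates, prefix = [], ""
    for token in image_path.split():
        prefix = token if not prefix else f"{prefix} {token}"
        if prefix.lower().endswith(".exe"):
            return candidates  # reached the intended binary
        last = ntpath.basename(prefix)
        candidates.append(prefix if "." in last else prefix + ".exe")
    return []


def quote_image_path(image_path):
    """Remediated ImagePath: the executable wrapped in quotes, arguments kept as they were."""
    image_path = image_path.strip()
    if image_path.startswith('"') or " " not in image_path:
        return image_path
    tokens = image_path.split()
    for i, token in enumerate(tokens):
        if token.lower().endswith(".exe"):
            exe, args = " ".join(tokens[:i + 1]), " ".join(tokens[i + 1:])
            return f'"{exe}" {args}'.rstrip()
    return image_path  # no recognisable executable; leave for manual review


def audit_services(services):
    """{name: [candidate paths]} for every service whose ImagePath is unquoted and has spaces.

    Each candidate's parent directory is what the ACL review must cover: only a directory a
    standard user can write to turns the ambiguity into an escalation path."""
    findings = {}
    for name, path in services.items():
        candidates = hijack_candidates(path)
        if candidates:
            findings[name] = candidates
    return findings


def always_install_elevated(hklm_value, hkcu_value):
    """The elevated-MSI behaviour applies only when the AlwaysInstallElevated value is 1 in
    both the HKLM and the HKCU Windows Installer policy keys; one side alone is not enough."""
    return hklm_value == 1 and hkcu_value == 1


if __name__ == "__main__":
    for name, candidates in audit_services(SAMPLE_SERVICES).items():
        print(f"{name}: Windows would try {candidates}")
        print(f"  fix: {quote_image_path(SAMPLE_SERVICES[name])}")
    print("AlwaysInstallElevated effective:", always_install_elevated(1, 0))
```

Running it flags only `VulnSvc`, listing `C:\Program.exe` and `C:\Program Files\My.exe` as the paths Windows would try first, which is the page's own example with the second, less obvious candidate added. `SysSvc` is safe despite its arguments because the executable token carries no spaces, and `GoodSvc` is safe because it is quoted; applying `quote_image_path` to `VulnSvc` yields a value for which `hijack_candidates` returns nothing.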
**Exam Tips: Answering Questions on Privilege Escalation** When facing PenTest+ scenario questions, follow this logic:
1. **Identify the OS:** Look for context clues like `C:\` vs `/` or 'service' vs 'daemon'.
2. **Distinguish Enumeration from Exploitation:** If the question asks what to do first, look for enumeration commands (e.g., `whoami /priv`, `sudo -l`, `LinEnum.sh`, `PowerUp.ps1`). If the question asks how to execute the attack, look for the specific exploit.
3. **Look for 'Low-Hanging Fruit':** The exam often tests on common misconfigurations. For Linux, always check for sudo misconfigurations or SUID bits (`find / -perm -4000`) first. For Windows, look for Unquoted Service Paths or Modifiable Services.
4. **Credentials:** Don't forget that finding a clear-text password in a config file or history file is a valid and common escalation technique.
5. **Protection:** If asked about remediation, the answer is usually 'Apply patches' (for kernel exploits), 'Quote the path' (for service paths), or 'Enforce least privilege' (for sudo/permissions).