Just like Linux, Windows has several locations where users or programs store passwords by default. We can search the system for passwords if we know where these common locations are.

Windows Deployment Files

When organizations deploy a large number of machines across a network, they sometimes use a base image that uses a password saved in the file system to install the required programs. Check these file locations to see if anything is there. You may have to base64 decode the password if it is encoded:

C:\sysprep.inf
C:\sysprep\sysprep.xml
C:\unattend.txt
C:\unattend.xml
C:\autounattend.txt
C:\autounattend.xml
C:\Groups.xml

VMware Deployments

VMware deployments sometimes use encoded credentials to deploy systems. There…


Configuration files contain configurations for various processes and programs running on the Linux system. They are generally stored under /etc. Configuration files can hold all sorts of information for running programs, which makes this an extremely broad topic to discuss in terms of privilege escalation. The main idea is, if you have write access to a file, try to find some way to abuse it so it runs commands as an elevated user. To identify configuration files that you have write access to, you can run this command:

find / -perm -o+w -type f 2>/dev/null | grep -v '/sys\|proc'

After…


Intro

Linux has been around for quite some time now, and several distributions have been spun off the original kernel over the years. Each distribution and kernel will have its own exploits, but the general concepts and ideas will remain the same across different distributions. First, it is important to understand how the Linux OS works in a general sense, so later exploits will have some context as to what they do and why they work.

The Linux Kernel

The Kernel is the heart and backbone of the Linux operating system. It is…


I will be adding to this post occasionally, but the purpose of this post is to cover one-off privilege escalation methods found in the wild that are too specific to be covered in a dedicated post. If you find any unique methods please let me know in the contact form.

TMUX socket running as root

If the TMUX session is running as root, attach to the session and run any commands you’d like as root. You can run the history command as well to get more info about how the TMUX session was started.

# List out TMUX sessions
tmux ls
# Attach to TMUX…

MySQL is a widely used open-source database. As we all know, a database is used to store large amounts of relational data. Databases also have the ability to execute system commands depending on who the database is running as.

Before we jump into exploiting MySQL, let’s get familiar with a few basic commands:

Logging In

# Logging in to MySQL with the password on the command line (no space after -p)
mysql --host=192.168.1.101 -u root -p'Password123!'
# Logging in to MySQL with a password prompt
mysql --host=192.168.1.101 -u root -p

Interacting With MySQL

show databases;
use <database name>;
show tables;
select * from <table_name>;

Dump All Databases

mysqldump -u root -p'Password123!' --all-databases > all_db_backup.sql

Exploiting MySQL

So in…


SSH is a protocol that allows users to securely manage a system remotely. It is widely used because of its ease of use and built-in security. Users can transfer files securely via the SSH protocol if desired. Generally, the SSH protocol requires a user to present a username and password to authenticate.

A more secure option includes the use of something called SSH keys. SSH keys consist of a public and private cryptographic key. They are randomly generated using high levels of entropy. When a user attempts to log in to a computer via SSH keys, the server will first check…


Startup scripts are scripts that are executed at boot time. Linux startup scripts are generally located in /etc/init.d, but this location can vary depending on the distribution. For example, you may find startup scripts under these locations: /etc/rc.d, /etc/rc.d/init.d, or /etc/init. These scripts can either be default scripts that are pre-installed, or they can be user-created startup scripts.

To attack a vulnerable startup script, you must determine if you have write access to a certain startup script. …


This is a continuation of my previous post on searching for passwords on the system. The following post will dive into pulling passwords from memory.

Passwords in Memory

There are times when an application is running and a password provided to the application is stored in clear-text in the memory space allocated for the application. Access of the memory space is only possible if we have the same privileges as the application running. Let’s jump right into an example and see how this works.

Python FTP Server

In this example we are going to start up a Python FTP server on our Kali machine and pretend…


There are multiple locations we can search for passwords (hashed and clear-text) on a Linux machine. These passwords can be used for multiple things. Sometimes you will find a clear-text password for an administrator user, or even the root user. Sometimes these passwords will be used to pivot to another user on the machine, then from there you can escalate your privileges. Other times, the passwords may be used to log in to other services running on the machine. The possibilities are endless, but anytime you can find passwords on a machine, it’s usually good news. …


Windows includes a useful command called RunAs that enables a user to run a program as a different user if credentials are known. This is useful if we have compromised Administrator credentials on another machine, and we want to execute commands as an Administrator on a different computer. Let’s say we wanted to run a program called MathProgram.exe as the Administrator user. We could run something like this:

C:\> runas /user:Administrator "C:\User\Bob\Desktop\MathProgram.exe"

The program would start up and prompt you for a password before it was executed as the Administrator user. This is nice if you are sitting at the computer…

Recipe For Root

I am a Security Consultant and formerly worked at PayPal as a Penetration Tester. At night I teach Cyber Security at UTexas. OSCP
