Just like Linux, Windows has several locations where users or programs store passwords by default. We can search the system for passwords if we know where these common locations are.

Windows Deployment Files

When organizations deploy a large number of machines across a network, they sometimes use a base image that uses a…

Configuration files contain configurations for various processes and programs running on the Linux system. They are generally stored under /etc. Configuration files can hold all sorts of information for running programs, which makes them an extremely broad topic to discuss in terms of privilege escalation. The main idea is, if…

Intro

Linux has been around for quite some time now, and several distributions have been spun off the original kernel over the years. Each distribution and kernel will have their own exploits, but the general concepts and ideas will remain the same across different distributions. First it is important to understand…

I will be adding to this post occasionally, but the purpose of this post is to cover one-off privilege escalation methods found in the wild that are too specific to be covered in a dedicated post. If you find any unique methods please let me know in the contact form.

TMUX socket running as root

MySQL is a widely used open-source database. As we all know, a database is used to store large amounts of relational data. Databases also have the ability to execute system commands depending on who the database is running as.

Before we jump into exploiting MySQL, let’s get familiar with a…

Startup scripts are scripts that are executed at boot time. Linux startup scripts are generally located in /etc/init.d, but this location can vary depending on the distribution. For example, you may find startup scripts under these locations: /etc/rc.d, /etc/rc.d/init.d, or /etc/init. …

This is a continuation of my previous post on searching for passwords on the system. The following post will dive into pulling passwords from memory.

Passwords in Memory

There are times when an application is running and a password provided to the application is stored in clear-text in the memory space allocated for…

There are multiple locations we can search for passwords (hashed and clear-text) on a Linux machine. These passwords can be used for multiple things. Sometimes the passwords will show you a clear text password for an administrator user, or even the root user. Sometimes these passwords will be used to…

Windows includes a useful command called RunAs that enables a user to run a program as a different user if credentials are known. This is useful if we have compromised Administrator credentials on another machine, and we want to execute commands as an Administrator on a different computer. Let’s say…

Recipe For Root

I am a Security Consultant and formerly worked at PayPal as a Penetration Tester. At night I teach Cyber Security at UTexas. OSCP
