Despite differences in OS versions, patches, services, etc., there are some common vulnerabilities and misconfigurations that can be exploited to escalate privileges once a foothold is established on a host.
Some basic guides to start with:
- Basic Linux Privilege Escalation - g0tmi1k
- Windows Privilege Escalation Fundamentals - fuzzysecurity
Some common things to look for on Windows:
- Windows local service enumeration
- unquoted service path
- weak service permissions
- weak service binary permissions
- UAC bypass
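The following is an added audit script, not part of the original page or any of the referenced guides. It checks two of the Windows items listed above from a hardening perspective: service binary paths that are unquoted and contain spaces, and service binaries whose ACL grants write access to broad, low-privileged principals. It uses only the standard Win32_Service CIM class and Get-Acl; the list of "broad principals" and the rights pattern are my own assumptions (English account names, so adjust on localized systems), and the service-object DACL check (weak service permissions) is out of scope here.

```powershell
# Added example (not from the original page): audit Windows services for
#   1. unquoted ImagePath values containing spaces
#   2. service binaries writable by broad, low-privileged principals
# Run from an elevated PowerShell prompt on the host under review.

# Assumption: well-known principal names as they appear on en-US systems.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)
# Rights that let a principal replace or alter the binary (conservative string match).
$WriteRightsPattern = 'Write|Modify|FullControl|ChangePermissions|TakeOwnership'

function Get-ServiceBinaryPath {
    # Extract the executable path from a raw service PathName (ImagePath) value.
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName.StartsWith('"')) {
        # Quoted path: everything between the first pair of double quotes.
        $end = $PathName.IndexOf('"', 1)
        if ($end -gt 1) { return $PathName.Substring(1, $end - 1) }
        return $PathName.Trim('"')
    }
    # Unquoted path: the binary is everything up to and including the first ".exe".
    $m = [regex]::Match($PathName, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    # No .exe present (e.g. a kernel driver .sys): fall back to the first token.
    return ($PathName -split '\s+')[0]
}

function Test-UnquotedServicePath {
    # True when the path is unquoted and the executable portion contains whitespace,
    # which is the condition the service control manager's lookup is sensitive to.
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName) -or $PathName.StartsWith('"')) { return $false }
    $bin = Get-ServiceBinaryPath -PathName $PathName
    return [bool]($bin -match '\s')
}

$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $bin = Get-ServiceBinaryPath -PathName $svc.PathName

    if (Test-UnquotedServicePath -PathName $svc.PathName) {
        [pscustomobject]@{
            Service = $svc.Name
            RunsAs  = $svc.StartName
            Issue   = 'UnquotedPath'
            Detail  = $svc.PathName
            Fix     = "Quote the ImagePath so the executable reads `"$bin`" followed by its arguments"
        }
    }

    if ($bin -and (Test-Path -LiteralPath $bin)) {
        try {
            $acl = Get-Acl -LiteralPath $bin -ErrorAction Stop
        } catch {
            # Reviewer lacks rights to read the DACL; report rather than silently skip.
            [pscustomobject]@{
                Service = $svc.Name; RunsAs = $svc.StartName; Issue = 'AclUnreadable'
                Detail  = "$bin : $($_.Exception.Message)"; Fix = 'Re-run elevated or inspect manually'
            }
            continue
        }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $BroadPrincipals -contains $ace.IdentityReference.Value -and
                $ace.FileSystemRights.ToString() -match $WriteRightsPattern) {
                [pscustomobject]@{
                    Service = $svc.Name
                    RunsAs  = $svc.StartName
                    Issue   = 'WeakBinaryAcl'
                    Detail  = "$($ace.IdentityReference.Value) has $($ace.FileSystemRights) on $bin"
                    Fix     = 'Remove the write-capable ACE (icacls /remove:g) or restore inherited system ACLs'
                }
            }
        }
    }
}

$findings | Sort-Object Issue, Service | Format-Table -AutoSize
```

Services running as LocalSystem (the RunsAs column) with either finding are the ones to remediate first, since a writable binary or a resolvable unquoted path there is a direct path from a standard user to SYSTEM. Keeping the raw PathName in the report makes it easy to verify each finding by hand before changing service configuration.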
Check out enumeration and manual host enumeration, since privilege escalation starts with gathering information on the target system and current user and trying to identify weak points. You may also find lateral movement and pivoting useful once you gain access to a user account or system.
OPSEC warning
Restore all service configuration, application settings, and so on when privilege escalation is complete. Ensure that the availability of the service is not compromised.
You might not need to privesc
It is oftentimes not necessary to escalate privileges during a red team engagement, since plenty of sensitive information is disclosed without requiring privileged access. However, a privileged account can extract more useful information and credentials for lateral movement. Even though we are in an offensive context, it is still recommended to follow the principle of least privilege, in that a red team operator should not pursue privilege escalation for no reason (i.e. exhaust other possibilities before risking detection by AV, EDR, etc.).