Hacking Principals

The document discusses privilege escalation attacks, detailing methods attackers use to gain unauthorized access to user accounts and systems. It outlines mitigation techniques such as implementing strong password policies, limiting user privileges, securing databases, and changing default credentials. Additionally, it categorizes various attack types, including buffer overflows, rootkits, and social engineering attacks, while providing a practical example of exploiting a target system using specific commands.

Uploaded by

danaspeedwriters
Copyright © All Rights Reserved

Privilege Escalation Mitigation Techniques

Privilege escalation refers to an attack in which the attacker gains access to a user account and determines how to increase the rights attached to that account (vertically), uses that access to gain access to additional user accounts (horizontally), or both. The attacks aim to break into networks to steal data, disrupt business operations, or create backdoors that will give access to the systems in the future. The following are the mitigation strategies for this kind of attack:

Password Policies

Users must carefully select unique, strong passwords and change them regularly. Since this is difficult to enforce in practice, two-factor authentication is a sensible way to offset the inherent weakness of passwords, especially for critical systems and administrator accounts.

Specialized users and groups with minimum privileges

The organization's user base should be examined, and user accounts and groups should be reconfigured so that every account has a specific purpose and the least file access and capabilities possible. This ensures that the likelihood of privilege escalation is significantly reduced even if an account is compromised. The rule applies to every account: even administrators and super-users should have access only to the systems they are authorized to access or control. No administrator needs unrestricted access to most network systems, let alone all of them.

Most importantly, user accounts should be terminated when they are no longer needed, and a clear, essential process should be in place to handle employee departures.

Closing unused ports and limiting file access

Network ports should be disabled by default and activated only for legitimate purposes. Default configurations that run unnecessary services should be identified and shut down. Similarly, only those individuals and groups who need write access should be able to edit files.

Secure database and sanitize user inputs

Since many database systems ship with hazardous defaults, considerable effort is required to ensure that databases are hardened and protected with strong authentication. Data at rest should be encrypted whenever possible. Sanitize all user inputs and patch databases to prevent SQL injection and other forms of code injection.
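As an added example (not code from the original document), the following Python snippet shows the injection problem the paragraph warns about and the fix: the same user lookup written once by splicing the input into the SQL text and once with a bound parameter. The table, its rows, and the injection input are constructed for the demonstration; the column and function names are assumptions.

```python
# Added example (not from the original document): the same lookup written
# unsafely with string concatenation and safely with a parameterized query.
# The table, rows and inputs are constructed for the demonstration.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-a", "admin"), ("bob", "hash-b", "user")],
    )
    return conn


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: the username is spliced into the SQL text, so the input
    can change the structure of the query instead of just its data."""
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: the driver binds the username as a parameter; it is only
    ever treated as a value, never parsed as SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Constructed input that closes the quoted string and appends an always-true condition.
INJECTION = "' OR '1'='1"


def demo() -> dict:
    """Run both lookups with the injection input and a normal username."""
    conn = make_db()
    return {
        "unsafe_rows": len(find_user_unsafe(conn, INJECTION)),  # every row comes back
        "safe_rows": len(find_user_safe(conn, INJECTION)),      # no user has that literal name
        "normal": find_user_safe(conn, "bob"),
    }


if __name__ == "__main__":
    print(demo())
```

The unsafe query returns every row because the input rewrites the WHERE clause; the parameterized query returns nothing because the whole string is compared as a username. Input "sanitizing" by escaping quotes is a weaker second line of defence; parameter binding (or an ORM that uses it) is the control to rely on.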

Changing default credentials on all devices

User accounts that are no longer in use should be deleted or renamed. The default login credentials should be changed on every hardware system, including routers, printers, and IoT devices. An attacker can carry out a privilege escalation attack with just one device, default credentials, and an open network port.

Attack Taxonomy

Buffer overflow

A buffer overflow is a common software coding flaw that attackers may exploit to gain system access. When a buffer receives more data than it can hold, it overflows, spilling data into adjacent memory. Buffer overflows are therefore usually caused by coding errors. It is classified as an injection attack. The following are some additional classifications:

Privilege escalation

The goal of a privilege escalation attack is to gain access to a network, applications, and mission-critical systems by exploiting vulnerabilities and security flaws. It is classified as an active attack. There are two types: vertical and horizontal. Vertical attacks occur when an attacker gains access to a user account in order to take over that user's role, whereas horizontal attacks occur when an attacker gains access to a user account with restricted permissions, which then requires the escalation of privileges.

Rootkits

A rootkit is software that hides its own existence or that of other software, and is designed to grant access to a computer or to parts of its programs that would not normally be permitted.

Trojans

A Trojan attack compromises a system by deceiving users into believing the software has a different purpose. Trojans can deliver destructive payloads, establish a backdoor, and steal personal data. They are classified as malware.

Backdoors

Attacks of this kind allow threat actors to control a system remotely. Using the backdoor is often the final step in gaining total control of a system. It is classified as a Trojan.

Viruses

Viruses are classified as malware because, once installed on a user's system, they can replicate, propagate, and attach themselves to other programs. There are many kinds of viruses, including resident viruses, browser hijackers, web scripting viruses, macro viruses, and file-infecting viruses.

Return Oriented Programming

Return oriented programming is an exploitation technique in which the attacker takes control of the call stack and uses it to execute hand-picked machine instruction sequences from subroutines in existing program code, much as a threaded-code interpreter would. It is classified as a stack-smashing attack.

Common social engineering attacks

Attacks of this kind manipulate victims into bypassing common security precautions. Attackers use them to gain user trust and obtain unauthorized access to systems and networks for financial gain. They are broken down into the following groups: phishing attacks, smishing attacks, baiting, tailgating, pretexting, scareware, and watering hole attacks.

Gaining access to the system

It is necessary to first start Kioptrix. The pictures show the Kioptrix home page.

Launch the Kioptrix workstation, then search the local network for the victim's IP address. The netdiscover command is used for this.

The target IP address, as seen in the picture, is 192.168.56.143.

I started by acquiring the IP address of the target computer, then checked it for open ports and protocols. An nmap version scan with the aggressive option (nmap -sV -A) was run against the target system. The screenshot displays the results.
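The scan step above is the same view a defender uses to enforce the "closing unused ports" control from the mitigation section: every open port should be either on an approved list for that host or treated as a finding. The following Python snippet is an added example, not code from the original document; it parses the PORT/STATE/SERVICE/VERSION table that a standard nmap -sV scan prints and reports open ports that are not on a per-host allowlist. The scan text, the allowlist, and the services shown are constructed for the demonstration and are not the document's Kioptrix scan result.

```python
# Added example (not from the original document): a defender-side check that
# reads the PORT/STATE/SERVICE/VERSION table of an nmap -sV scan and flags open
# ports that are not on an approved allowlist for that host.
import re
from typing import Dict, List, Set

# Constructed sample in the layout nmap prints for a -sV scan (not the
# document's real scan output; services and versions are invented).
SAMPLE_SCAN = """\
Nmap scan report for 192.168.56.143
Host is up (0.00042s latency).
Not shown: 997 closed tcp ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 8.9p1
80/tcp   open  http        Apache httpd 2.4.52
139/tcp  open  netbios-ssn Samba smbd 4.x
"""

# Hypothetical per-host allowlist: the only services expected to listen.
ALLOWED_PORTS: Dict[str, Set[int]] = {"192.168.56.143": {22, 80}}

# "22/tcp   open  ssh   OpenSSH 8.9p1" -> port, proto, state, service, version
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
HOST_LINE = re.compile(r"^Nmap scan report for (\S+)")


def parse_scan(text: str) -> List[dict]:
    """Return one record per port line, tagged with the host it belongs to."""
    host = None
    records: List[dict] = []
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            host = m.group(1)
            continue
        m = PORT_LINE.match(line)
        if m and host:
            port, proto, state, service, version = m.groups()
            records.append({"host": host, "port": int(port), "proto": proto,
                            "state": state, "service": service,
                            "version": version.strip()})
    return records


def unexpected_open_ports(text: str, allowed: Dict[str, Set[int]]) -> List[dict]:
    """Open ports not on the host's allowlist; a host with no entry allows nothing."""
    return [r for r in parse_scan(text)
            if r["state"] == "open" and r["port"] not in allowed.get(r["host"], set())]


if __name__ == "__main__":
    for finding in unexpected_open_ports(SAMPLE_SCAN, ALLOWED_PORTS):
        print(f"{finding['host']}: unexpected {finding['service']} on "
              f"{finding['port']}/{finding['proto']} ({finding['version']})")
```

Run against a scan of your own hosts, each finding is a service to shut down, firewall off, or add to the allowlist with a justification. The parser only understands nmap's human-readable table; for automation at scale, nmap's XML output (-oX) is the more stable format to consume.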


The target's weakness is exploited using the msfconsole command, which starts Metasploit. At this point, the exploit module is used to access the target machine. The screenshot displays the search results for the phrase "transopen."

The default payload is already selected in the screenshots. The options must now be configured. The RHOSTS option holds the target machine's IP address, and LHOST holds the attacker's IP address, as shown in the screenshot. Finally, the attack is launched using the exploit command.

I gained root immediately after running the exploit. The screenshot shows a root login.

Since the machine already grants us root access, we can retain it by creating a new account and adding it to the sudoers group, as shown in the screenshot below.

The screenshot below shows changing the password for the user "jill."

Upon adding a user, we immediately grant them full administrative privileges by adding the user to the sudoers file. This file specifies every user's administrative privileges, and some programs can be run as root through it.

To grant unrestricted access, add "ALL=(ALL) ALL" after the newly created user, as illustrated in the screenshot.


Whether the user was successfully added can be verified by logging in with ssh.
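The persistence step just described (a new account given a blanket "ALL=(ALL) ALL" sudoers rule) is exactly what the "specialized users and groups with minimum privileges" control is meant to catch. As an added example (not code from the original document), the following Python snippet audits sudoers text: it parses each user specification and reports principals holding an unrestricted grant who are not on an approved administrator list, plus any NOPASSWD rules. The sudoers content and the approved list are constructed for the demonstration; the "jill" line mirrors the step in the document.

```python
# Added example (not from the original document): a defender-side audit of
# sudoers rules that flags an unrestricted "ALL=(ALL) ALL" grant given to an
# account that is not on an approved administrator list, and NOPASSWD rules.
import re
from typing import List, Set

# Constructed sudoers content (not copied from any real system); the "jill"
# line reflects the persistence step described in the document.
SAMPLE_SUDOERS = """\
# /etc/sudoers
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
jill    ALL=(ALL) ALL
backup  ALL=(ALL) NOPASSWD: /usr/bin/rsync
"""

# Hypothetical list of principals allowed to hold a blanket grant.
APPROVED_ADMINS: Set[str] = {"root", "%sudo"}

# user-or-%group   host=(runas[:rungroup]) [NOPASSWD:] command list
RULE = re.compile(r"^(\S+)\s+(\S+)=\((.*?)\)\s*(?:(NOPASSWD):\s*)?(.+)$")


def parse_sudoers(text: str) -> List[dict]:
    """Return one record per user-specification line; comments and Defaults are skipped."""
    rules: List[dict] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line or line.startswith("Defaults"):
            continue
        m = RULE.match(line)
        if m:
            who, host, runas, nopasswd, cmds = m.groups()
            rules.append({"who": who, "host": host, "runas": runas,
                          "nopasswd": nopasswd is not None,
                          "commands": cmds.strip()})
    return rules


def unapproved_full_grants(text: str, approved: Set[str]) -> List[str]:
    """Principals with an unrestricted grant (any host, run as anyone, all
    commands) that are not on the approved list."""
    findings: List[str] = []
    for r in parse_sudoers(text):
        blanket = (r["host"] == "ALL"
                   and r["runas"].split(":")[0] == "ALL"
                   and r["commands"] == "ALL")
        if blanket and r["who"] not in approved:
            findings.append(r["who"])
    return findings


def nopasswd_rules(text: str) -> List[str]:
    """Principals that can run something with elevated rights without re-authenticating."""
    return [r["who"] for r in parse_sudoers(text) if r["nopasswd"]]


if __name__ == "__main__":
    print("unapproved full grants:", unapproved_full_grants(SAMPLE_SUDOERS, APPROVED_ADMINS))
    print("NOPASSWD rules:", nopasswd_rules(SAMPLE_SUDOERS))
```

In practice the same check should also cover every file under /etc/sudoers.d, and the approved list should come from the organization's inventory of administrators so that a newly created account with a blanket grant, or a new member of the sudo group, shows up as a finding rather than blending in.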
