Search icon CANCEL
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Privilege Escalation Techniques
Privilege Escalation Techniques

Privilege Escalation Techniques: Learn the art of exploiting Windows and Linux systems

eBook
$29.99 $43.99
Paperback
$54.99
Subscription
Free Trial
Renews at $19.99p/m

What do you get with Print?

Product feature icon Instant access to your digital eBook copy whilst your Print order is Shipped
Product feature icon Paperback book shipped to your preferred address
Product feature icon Download this book in EPUB and PDF formats
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
Product feature icon AI Assistant (beta) to help accelerate your learning
Table of content icon View table of contents Preview book icon Preview Book

Privilege Escalation Techniques

Chapter 1: Introduction to Privilege Escalation

Privilege escalation is a vital element of the attack life cycle and is a major determinant in the overall success of a penetration test.

The importance of privilege escalation in the penetration testing process cannot be overstated or overlooked. Developing your privilege escalation skills will mark you out as a good penetration tester. The ability to enumerate information from a target system and utilize this information to identify potential misconfigurations and vulnerabilities that can be exploited to elevate privileges is an essential skill set for any penetration tester.

This chapter aims to give you a clearer picture and understanding of the privilege escalation process and will act as a formal introduction to the various types of privilege escalation techniques, and how the process differs between Windows and Linux systems.

To fully understand and leverage the various privilege escalation tools and techniques, you first need to understand how permissions and privileges are implemented on various operating systems and how these differences in design and implementation affect the privilege escalation process as a whole.

By the end of this chapter, you will have a clear understanding of what privilege escalation is, and you will also understand how permissions are implemented on Windows and Linux systems and get a brief introduction to the various privilege escalation techniques that we will be exploring in depth in the upcoming chapters.

In this chapter, we will cover the following topics:

  • What is privilege escalation?
  • How permissions and privileges are assigned
  • Understanding the differences between privilege escalation on Windows and Linux
  • Exploring the types of privilege escalation attack

What is privilege escalation?

Privilege escalation is the process of exploiting vulnerabilities or misconfigurations in systems to elevate privileges from one user to another, typically to a user with administrative or root access on a system. Successful privilege escalation allows attackers to increase their control over a system or group of systems that belong to a domain, giving them the ability to make administrative changes, exfiltrate data, modify or damage the operating system, and maintain access through persistence, such as registry edits or cron jobs.

From a penetration tester's perspective, privilege escalation is the next logical step after the successful exploitation of a system and is typically performed by bypassing or exploiting authentication and authorization systems, whose purpose is to segregate user accounts based on their permissions and role.

A typical approach would be to use an initial access or foothold on a system to gain access to resources and functionality that is beyond what the current user account permissions offer. This process is commonly referred to as getting root privileges on a system.

Before we can get started with the various privilege escalation techniques, we need to understand how user accounts and permissions are implemented in modern operating systems.

How permissions and privileges are assigned

To better understand how to elevate privileges, we need to first understand how operating systems are designed in relation to user accounts and privilege.

Operating systems' authorizations are designed to handle multiple users with multiple roles and permissions. This segregation of roles is the primary factor behind the various user account implementation philosophies that are implemented in operating systems today.

This abstraction of user roles and permissions on a system is set up and facilitated by a system called a protection ring, as demonstrated in Figure 1.1. This specifies limits and enforces the functionality of users on a system and their corresponding access to resources.

As the name suggests, a protection ring is a hierarchical protection and segregation mechanism used to provide different levels of access to functionality and resources on a system. The various rings in the hierarchy represent layers of privilege within the operating system, as illustrated in the following screenshot:

Figure 1.1 – Protection ring

Figure 1.1 – Protection ring

The rings in the hierarchy illustrated in Figure 1.1 are sorted and arranged from the most privileged (typically denoted by level 0) to the least privileged, where the least privileged is represented by the highest ring number. This segregation of privileges on a system leads to the adoption of two main roles, as follows:

  • Privileged access: This is typically represented or assigned to the root or administrator account and provides complete access to all system commands and resources. The root or administrator account will typically have access to the following functionality:

    1. The ability to install, uninstall, and modify system software or binaries

    2. The ability to add, modify, or remove users and user groups

    3. The ability to create, access, modify, and delete any system or user data

    4. The ability to access and have control over all system hardware

    5. The ability to access network functionality and networking utilities

    6. The ability to create, manage, and kill system and user processes

  • Unprivileged access: This is typically represented or assigned to non-root or standard user accounts and is limited to a specific set of privileges that are designed and tailored for standard user access on a system. It limits the user functionality to basic tasks and access of user data on the system. Non-root accounts will commonly have the following functionality:

    1. The ability to start and stop user processes and programs

    2. The ability to create, modify, and delete user data

    3. The ability to have access to network functionality

This segregation of permissions highlights the importance of privilege escalation for penetration testers or attackers as it offers total and unparalleled control over a system or, potentially, a group of systems if they can get "root" or administrative access on a system.

Given the nature of privilege escalation attacks in relation to user accounts and permissions, there are two main methods of performing privilege escalation that can be utilized by attackers based on their intentions and objectives, as follows:

  • Horizontal privilege escalation
  • Vertical privilege escalation

We will take a closer look at what they are in the next section.

Horizontal privilege escalation

Horizontal privilege escalation is the process of accessing the functionality or data of other user accounts on a system, as opposed to gaining access to accounts with administrative or root privileges. It primarily involves accessing or authorizing functionality on a system using accounts that are on the same user level of permissions, as opposed to user accounts that are higher up and that have more privileges and permissions.

Attackers or penetration testers would typically perform this type of privilege escalation attack if they were interested in accessing unprivileged user account data or in harvesting user account credentials or password hashes.

Scenario

The following screenshot illustrates a typical account setup on a computer, where we have two unprivileged users and one privileged user. In this case, the two unprivileged users are John and Mike, and the privileged user is Collin:

Figure 1.2 – Horizontal privilege escalation scenario

Figure 1.2 – Horizontal privilege escalation scenario

In this scenario, John is attempting to perform a typical horizontal privilege escalation attack by escalating his user account privileges to the account privileges of Mike. Note that John and Mike are on the same horizontal privilege level.

Figure 1.2 clearly outlines the sole objective of horizontal privilege escalation, the objective being to elevate privileges to user accounts that are on the same horizontal level as the user account performing the attack.

Vertical privilege escalation

Vertical privilege escalation is the process of exploiting a vulnerability in an operating system to gain root or administrative access on a system. This method is usually preferred by attackers and penetration testers as it offers the biggest payout given the permissions and functionality, as they now have total access and control over the system(s).

The following screenshot outlines a bottom-up approach to user account permissions and privileges, where the topmost account has the highest privileges, is the least accessible, and is typically assigned to system administrators. The lowest accounts are set up and configured to be used by standard users and services that require no administrative privileges as part of their daily tasks:

Figure 1.3 – Vertical privilege escalation

Figure 1.3 – Vertical privilege escalation

Figure 1.3 also illustrates a vertical approach to elevating privileges based on the user account and permissions for both Windows and Linux systems, the objective being to laterally move up the pecking order to the account with the highest privileges, therefore giving you complete access to the system.

Important note

Vertical privilege escalation may not solely emanate from the exploitation of a vulnerability within an operating system or service. It is common to find misconfigured systems and services that may allow non-administrative user accounts to run commands or binaries with administrative permissions. We will take a look at the various privilege escalation techniques in the upcoming chapters.

Scenario

The following screenshot illustrates a typical account setup on a computer, where we have two unprivileged users and one privileged user. In this case, the two unprivileged users are John and Mike, and the privileged user is Collin:

Figure 1.4 – Vertical privilege escalation scenario

Figure 1.4 – Vertical privilege escalation scenario

For this scenario, Figure 1.4 illustrates a traditional vertical privilege escalation method where the user John is attempting to elevate privileges to the administrator account, which is Collin's account. If successful, John will get access to administrative privileges and will be able to access all user accounts and files, therefore giving him total access and control over the system. This scenario demonstrates the importance and potential impact of a successful vertical privilege escalation attack.

Now that we have an understanding of the two main privilege escalation methods and how they are orchestrated, we can begin taking a look at the various differences between privilege escalation on Windows and Linux.

Understanding the differences between privilege escalation on Windows and Linux

Now that we have a general understanding of how user accounts and permissions are implemented and have looked at the two main methods of performing privilege escalation, we can begin taking a look at the differences between Linux and Windows in the context of privilege escalation attacks and at how their individual design and development philosophies affect the privilege escalation process.

This nuanced approach will give us clarity on the strengths and weaknesses of both operating systems and their corresponding kernels in relation to vulnerabilities and potential exploitation.

The following table outlines common potential attack vectors for both operating systems and the services that can be exploited to elevate privileges:

Table 1.1 – Common potential attack vectors

Table 1.1 – Common potential attack vectors

To fully understand the differences between the two operating systems in terms of potential vulnerabilities and attack vectors, we need to understand how they handle authentication and security as this will give us an idea of where the security pitfalls exist. It is important to note, however, that the security differences between Windows and Linux boil down to their unique design philosophy.

Windows security

Windows is a proprietary operating system that is owned and developed by the Microsoft Corporation and controls a majority of the PC market share at about 93%, which means that most companies are likely to be running Windows clients for their end users and/or Windows Server deployments for their critical infrastructure.

For this reason, Windows is more likely to be running on employee laptops and workstations as it has a much more user-centered design (UCD) and philosophy. In order to understand the privilege escalation process on Windows, we need to understand how Windows manages and maintains system security. In order to do this, we will need to take a closer look at various components that are responsible for managing and maintaining authentication and security on Windows.

User authentication

Authentication is the process of verifying the identity of a user who is trying to access a system or system resource.

Authentication on most modern operating systems is typically enforced through a username and password combination; however, operating systems have begun implementing additional layers of authentication, in addition to implementing stronger encryption algorithms for user passwords.

Passwords and password hashes are usually a target for penetration testers, and we will take a look at how to dump system passwords and hashes later in the book.

User authentication on Windows is handled by the Windows Logon (Winlogon) process and Security Account Manager (SAM). SAM is a database that is used to manage and store user accounts on Windows systems.

Modern releases of Windows utilize the New Technology LAN Manager 2 (NTLM2) encryption protocol for password hashing and encryption, which is significantly stronger than the LAN Manager (LM) encryption protocol present in older versions of Windows.

Authentication onto domains on Windows is typically facilitated by authentication protocols such as Kerberos.

User identification

User identification is used to uniquely identify users on a system and is also used to establish a system of accountability, as actions performed on a system can be tracked down to the user who made or performed them. Understanding how identification works and is implemented on Windows is extremely useful in the privilege escalation process to identify users on a system, along with their roles and groups.

The process of user identification on Windows utilizes a security identifier (SID) for identification. Each user and group has a unique SID that consists of the components outlined in the following screenshot:

Figure 1.5 – Sample Windows SID

Figure 1.5 – Sample Windows SID

The different parameters from the preceding SID are discussed as follows:

  • SID String: S indicates that it's an SID string
  • Revision: Always set to 1; this refers to the structure revision number
  • Authority ID: Specifies who created or granted the SID, as follows:

    - Null: 0

    - World authority: 1

    - Local authority: 2

    - Creator authority: 3

    - Non-unique authority: 4

    - NT authority: 5

  • Subauthority ID/actual ID: Unique ID for the user, or comprises the domain identifier
  • RID: This stands for relative ID and is used in reference to other accounts to distinguish one user from another. Windows will have the following unique RIDs assigned to specific users. It is important to be able to identify privileged users based on their SID, as follows:

    - Administrator: 500

    - Guest user: 501

    - Domain administrator: 512

    - Domain computer: 515

You can enumerate the SIDs on a Windows system by running the following command in Command Prompt (CMD):

wmic useraccount get name,sid

This command will enumerate all user account SIDs on the system, as illustrated in the following screenshot. Pay close attention to the RIDs as they can be used to quickly identify administrator and guest accounts:

Figure 1.6 – Enumerating Windows SIDs

Figure 1.6 – Enumerating Windows SIDs

As displayed in Figure 1.6, we can identify user roles based on their RID, regardless of the account username. In this particular case, we have an administrator and guest account set up and they can be identified by their RID.

Access tokens

An access token is an object that describes and identifies the security context of a process or thread on a system. The access token is generated by the Winlogon process every time a user authenticates successfully, and includes the identity and privileges of the user account associated with the thread or process. This token is then attached to the initial process (typically the userinit.exe process), after which all child processes will inherit a copy of the access token from their creator and will run under the same access token.

On Windows, an access token will comprise the following elements:

  • User SID
  • Group SID
  • Logon SID
  • Privileges assigned to the user or the user's group
  • Discretionary access control list (DACL) being used
  • Source of the access token

We can list out the access token of a user by running the following command in the CMD:

Whoami /priv

If the user is unprivileged, the access token will be restricted, as outlined in the following screenshot:

Figure 1.7 – Restricted access token

Figure 1.7 – Restricted access token

It is important to note that the user highlighted in Figure 1.7 has administrative privileges; however, the cmd.exe process uses an access token that restricts privileges. If we run cmd.exe as an administrator, the user's access token will be listed with all privileges, as outlined in the following screenshot:

Figure 1.8 – Privileged access token

Figure 1.8 – Privileged access token

Access tokens can be leveraged during the privilege escalation process through attacks such as primary access token manipulation attacks, which involve tricking a system into believing that a process belongs to a different user from the one who started the process. We will learn how to utilize this attack vector to escalate our privileges later in the book.

Linux security

Linux is a free and open source operating system that comprises the Linux kernel, which was developed by Linus Torvalds, and the GNU's Not Unix (GNU) toolkit, which is a collection of software and utilities that was originally started and developed by Richard Stallman. This combination of open source projects is what makes up the Linux operating system as a whole, and it is commonly referred to as GNU/Linux.

Typically, most individuals and companies are likely to be running Windows clients and will be using Linux for their critical infrastructure—for instance, mail servers, databases, web servers, and intrusion detection systems (IDSes). Given the nature and deployment of Linux servers in organizations, attacks will be much more likely to severely affect a company and cause major disruption.

User authentication

User account details on Linux are stored in a /etc/passwd file. This file contains the user account username, the user ID (UID), an encrypted password, a group ID (GID), and personal user information.

This file can be accessed by all users on the system, which means that any user on the system can retrieve the password hashes of other users on the system. This makes the hash-dumping process on Linux much more straightforward and opens the door to potential password-cracking attacks. Most older Linux distributions utilized the Message Digest Algorithm 5 (MD5) hashing algorithm, which is much easier to crack, and as a result, most newer distributions have begun utilizing and implementing the Secure Hash Algorithm 256 (SHA-256) encryption protocol, therefore making it much more difficult to crack the hashes.

Identification

User authentication on Linux is facilitated through the use of a username that corresponds to a unique UID, comprising a numeric value that is automatically assigned or manually assigned by a system administrator. The root account on Linux will always have a UID of 0.

This user information, along with the hashed user passwords, is stored in the /etc/passwd file.

Access tokens

Access tokens on Linux work in a similar way to how they work on Windows but are stored in memory (random-access memory, or RAM) and attached to processes when initialized.

The access token on Linux will contain the following information:

  • UID of the user account
  • GID/GIDs of the groups that the user is a member of
  • User privileges
  • Primary group UID
  • Access control list (ACL) entries

Now that we have an understanding of the various authentication and security components used on Windows and Linux, we can take a look at the various types of privilege escalation attack and how they exploit the aforementioned security mechanisms.

Exploring the types of privilege escalation attack

We can now explore the most common privilege escalation attacks and how they work. The objective is to get a basic picture of the types of privilege escalation attack available and to understand how they are exploited.

We will take a look at how to exploit these vulnerabilities in depth on both Windows and Linux systems in the upcoming chapters.

Kernel exploits

Kernel exploits are programs or binaries that affect both Windows and Linux and are designed to exploit vulnerabilities in the underlying kernel, to execute arbitrary code with elevated or "root" permissions.

The exploitation process is multi-faceted and requires a good amount of enumeration in order to determine the operating system version and installed patches or hotfixes, and consequently whether it is affected by any kernel exploits, after which the kernel exploit code can be retrieved through various exploit repositories such as exploit-db. The exploit code should then be inspected and customized based on the required parameters and functionality. After customization, the code can be compiled into a binary and transferred over to the target for execution. In some cases, the exploit code will need to be downloaded and compiled on the target if it relies on certain dependencies.

After successful compilation and execution of the binary, the kernel exploit will grant the attacker "root" access on the target system in the form of a shell prompt, where they can run commands on the system with "root" privileges.

In many cases, precompiled kernel exploits for Windows already exist online and can be downloaded and executed directly, therefore avoiding the compilation process altogether. However, it is very important to inspect and analyze the exploit code before compiling it, as exploits could contain malicious code or payloads.

Important note

Kernel exploits are extremely powerful; however, they can cause system crashes and kernel panics that can hinder the privilege escalation process and can cause damage to the system.

Exploiting SUID binaries

SUID is an inbuilt Linux feature that allows users to execute binaries and files with the permissions of other users.

This feature is commonly used to allow non-root accounts to run system utilities and binaries with root permissions. You can set the program or utility SUID permission with the owner as "root." This will allow the program or utility to run with "root" privileges whenever a non-root user executes it. Attackers can exploit or take advantage of SUID misconfigurations and run arbitrary commands as root.

For example, programs or binaries that allow the execution of arbitrary commands such as vim should not have their SUID owner set as "root," as non-root users can leverage the command execution functionality within vim to run commands with "root."

Exploiting vulnerable services and permissions

Services offer the largest threat surface for attackers, given the variability and diversity of programs and services that can be found running on Windows and Linux systems.

Attackers will typically aim to identify misconfigured or vulnerable services and programs that could facilitate the escalation of privileges. For example, on Linux systems, attackers will try to identify and exploit misconfigurations with cron jobs and leverage the functionality to execute arbitrary code or malicious binaries.

Exploiting vulnerable or insecure services on Windows typically involves embedding a payload in a service with administrative privileges. When the service is executed, it executes a payload with the administrative privileges, therefore allowing the binary to execute commands with "root" privileges.

Insecure credentials

This technique involves searching for insecure credentials that have been stored on a system by users or by carrying out a process of cracking weak user credentials. Many users—and even system administrators—note down passwords in cleartext in documents, spreadsheets, and configuration files for various service accounts. These files can be located by running specialized search queries with various command-line utilities.

An example of this is the use of the find command-line utility on Linux to locate files with specific extensions and filenames.

Exploiting SUDO

Attackers will usually target users who have SUDO privileges. SUDO allows users to run commands as another user, typically the root user.

SUDO privileges are usually configured manually by administrators, which leaves the door open to potential misconfigurations. For example, an administrator can assign SUDO permissions to a non-root user for certain command-line utilities (such as find or vim) that can run shell commands or arbitrary code.

This can be leveraged by attackers to run arbitrary code or execute commands with "root" privileges.

Important note

SUDO is a Linux command and permission set that allows users to run commands or programs with superuser or "root" privileges.

These are just some of the privilege escalation attacks and techniques that can be used on both Windows and Linux systems. We will be taking a look at how to use these techniques in detail in the upcoming chapters.

Summary

This chapter introduced you to the privilege escalation process, explained how privileges and user accounts are implemented in modern operating systems, and looked at the differences between privilege escalation on Windows and Linux systems. It also highlighted the most common privilege escalation techniques and explained how they can be exploited.

You should now have a good understanding of the privilege escalation process, how permissions and privileges are implemented, and the various penetration testing techniques that are used on both Windows and Linux.

In the next chapter, we'll get started with setting up our virtual environment and preparing our penetration-testing distribution. We will also look at the various tools and frameworks we will be utilizing to enhance and optimize the privilege escalation process.

Left arrow icon Right arrow icon

Description

Privilege Escalation Techniques is a detailed guide to privilege escalation techniques and tools for both Windows and Linux systems. This is a one-of-a-kind resource that will deepen your understanding of both platforms and provide detailed, easy-to-follow instructions for your first foray into privilege escalation. The book uses virtual environments that you can download to test and run tools and techniques. After a refresher on gaining access and surveying systems, each chapter will feature an exploitation challenge in the form of pre-built virtual machines (VMs). As you progress, you will learn how to enumerate and exploit a target Linux or Windows system. You’ll then get a demonstration on how you can escalate your privileges to the highest level. By the end of this book, you will have gained all the knowledge and skills you need to be able to perform local kernel exploits, escalate privileges through vulnerabilities in services, maintain persistence, and enumerate information from the target such as passwords and password hashes.

Who is this book for?

If you’re a pentester or a cybersecurity student interested in learning how to perform various privilege escalation techniques on Windows and Linux systems – including exploiting bugs and design flaws – then this book is for you. You’ll need a solid grasp on how Windows and Linux systems work along with fundamental cybersecurity knowledge before you get started.

What you will learn

  • Understand the privilege escalation process and set up a pentesting lab
  • Gain an initial foothold on the system
  • Perform local enumeration on target systems
  • Exploit kernel vulnerabilities on Windows and Linux systems
  • Perform privilege escalation through password looting and finding stored credentials
  • Get to grips with performing impersonation attacks
  • Exploit Windows services such as the secondary logon handle service to escalate Windows privileges
  • Escalate Linux privileges by exploiting scheduled tasks and SUID binaries
Estimated delivery fee Deliver to South Africa

Standard delivery 10 - 13 business days

$12.95

Premium delivery 3 - 6 business days

$34.95
(Includes tracking information)

Product Details

Country selected
Publication date, Length, Edition, Language, ISBN-13
Publication date : Nov 25, 2021
Length: 340 pages
Edition : 1st
Language : English
ISBN-13 : 9781801078870
Vendor :
Offensive Security
Category :
Languages :
Tools :

What do you get with Print?

Product feature icon Instant access to your digital eBook copy whilst your Print order is Shipped
Product feature icon Paperback book shipped to your preferred address
Product feature icon Download this book in EPUB and PDF formats
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
Product feature icon AI Assistant (beta) to help accelerate your learning
Estimated delivery fee Deliver to South Africa

Standard delivery 10 - 13 business days

$12.95

Premium delivery 3 - 6 business days

$34.95
(Includes tracking information)

Product Details

Publication date : Nov 25, 2021
Length: 340 pages
Edition : 1st
Language : English
ISBN-13 : 9781801078870
Vendor :
Offensive Security
Category :
Languages :
Tools :

Packt Subscriptions

See our plans and pricing
Modal Close icon
$19.99 billed monthly
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Simple pricing, no contract
$199.99 billed annually
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just $5 each
Feature tick icon Exclusive print discounts
$279.99 billed in 18 months
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just $5 each
Feature tick icon Exclusive print discounts

Frequently bought together


Stars icon
Total $ 164.97
Privilege Escalation Techniques
$54.99
Adversarial Tradecraft in Cybersecurity
$54.99
Malware Analysis Techniques
$54.99
Total $ 164.97 Stars icon

Table of Contents

17 Chapters
Section 1: Gaining Access and Local Enumeration Chevron down icon Chevron up icon
Chapter 1: Introduction to Privilege Escalation Chevron down icon Chevron up icon
Chapter 2: Setting Up Our Lab Chevron down icon Chevron up icon
Chapter 3: Gaining Access (Exploitation) Chevron down icon Chevron up icon
Chapter 4: Performing Local Enumeration Chevron down icon Chevron up icon
Section 2: Windows Privilege Escalation Chevron down icon Chevron up icon
Chapter 5: Windows Kernel Exploits Chevron down icon Chevron up icon
Chapter 6: Impersonation Attacks Chevron down icon Chevron up icon
Chapter 7: Windows Password Mining Chevron down icon Chevron up icon
Chapter 8: Exploiting Services Chevron down icon Chevron up icon
Chapter 9: Privilege Escalation through the Windows Registry Chevron down icon Chevron up icon
Section 3: Linux Privilege Escalation Chevron down icon Chevron up icon
Chapter 10: Linux Kernel Exploits Chevron down icon Chevron up icon
Chapter 11: Linux Password Mining Chevron down icon Chevron up icon
Chapter 12: Scheduled Tasks Chevron down icon Chevron up icon
Chapter 13: Exploiting SUID Binaries Chevron down icon Chevron up icon
Other Books You May Enjoy Chevron down icon Chevron up icon

Customer reviews

Most Recent
Rating distribution
Full star icon Full star icon Full star icon Full star icon Half star icon 4.4
(10 Ratings)
5 star 80%
4 star 0%
3 star 0%
2 star 20%
1 star 0%
Filter icon Filter
Most Recent

Filter reviews by




N/A Feb 21, 2024
Full star icon Full star icon Full star icon Full star icon Full star icon 5
Pubblicazioni interessanti scritti con il giusto livello tecnico ma soprattutto in modo chiaro.
Feefo Verified review Feefo
Marek Zima Feb 13, 2024
Full star icon Full star icon Full star icon Full star icon Full star icon 5
Feefo Verified review Feefo
Tyshic May 03, 2022
Full star icon Full star icon Full star icon Full star icon Full star icon 5
This book by Alexis is excellent his straight up approach to explaining escalations others are too complex. worth buying.
Amazon Verified review Amazon
Milk123 Feb 15, 2022
Full star icon Full star icon Empty star icon Empty star icon Empty star icon 2
It is a huge letdown, the book is really basic only goes into skin deep, but I am guessing it is maybe good for beginners to type out the commands and go through the motions?but you can pretty much get most of the information in this book through google searches for free.for a $50 price tag, I expect much much more out of it.
Amazon Verified review Amazon
Customer Jan 08, 2022
Full star icon Full star icon Empty star icon Empty star icon Empty star icon 2
I was excited for this book, but 24 hours and 300+ pages later ...not so much. The other review that says the "book focuses solely on the subject of Privilege Escalation" is false. I didn't buy this book to learn how to gain access and survey systems. You don't even get into actual priv esc techniques until section 2/chapter 5 (page 111). Another reviewer said "because of it's size you can take it with you wherever you go." It's comparable in size to Grey Hat Hacking and Metasploit: The Penetration Tester's Guide... not anything near RTFM sized that I would consider taking wherever I go. As far as content, it relies pretty heavily on suggester scripts and Metasploit modules, although most of them do have a manual process explained as well. I was hoping for less beginner-level techniques. The book has VERY high level information and explanations. It repeats the same text multiple times throughout the book. Just one example, SeImpersonatePrivilege and its explanation is repeated three times on pages 134 & 136 alone... why? There are multiple errors in the example code. The example manual process in exploiting unquoted services paths is actually exploiting weak permissions to replace the binary, not exploiting the unquoted path. I could go on... Overall, a disappointment.
Amazon Verified review Amazon
Get free access to Packt library with over 7500+ books and video courses for 7 days!
Start Free Trial

FAQs

What is the delivery time and cost of print book? Chevron down icon Chevron up icon

Shipping Details

USA:

'

Economy: Delivery to most addresses in the US within 10-15 business days

Premium: Trackable Delivery to most addresses in the US within 3-8 business days

UK:

Economy: Delivery to most addresses in the U.K. within 7-9 business days.
Shipments are not trackable

Premium: Trackable delivery to most addresses in the U.K. within 3-4 business days!
Add one extra business day for deliveries to Northern Ireland and Scottish Highlands and islands

EU:

Premium: Trackable delivery to most EU destinations within 4-9 business days.

Australia:

Economy: Can deliver to P. O. Boxes and private residences.
Trackable service with delivery to addresses in Australia only.
Delivery time ranges from 7-9 business days for VIC and 8-10 business days for Interstate metro
Delivery time is up to 15 business days for remote areas of WA, NT & QLD.

Premium: Delivery to addresses in Australia only
Trackable delivery to most P. O. Boxes and private residences in Australia within 4-5 days based on the distance to a destination following dispatch.

India:

Premium: Delivery to most Indian addresses within 5-6 business days

Rest of the World:

Premium: Countries in the American continent: Trackable delivery to most countries within 4-7 business days

Asia:

Premium: Delivery to most Asian addresses within 5-9 business days

Disclaimer:
All orders received before 5 PM U.K time would start printing from the next business day. So the estimated delivery times start from the next day as well. Orders received after 5 PM U.K time (in our internal systems) on a business day or anytime on the weekend will begin printing the second to next business day. For example, an order placed at 11 AM today will begin printing tomorrow, whereas an order placed at 9 PM tonight will begin printing the day after tomorrow.


Unfortunately, due to several restrictions, we are unable to ship to the following countries:

  1. Afghanistan
  2. American Samoa
  3. Belarus
  4. Brunei Darussalam
  5. Central African Republic
  6. The Democratic Republic of Congo
  7. Eritrea
  8. Guinea-bissau
  9. Iran
  10. Lebanon
  11. Libiya Arab Jamahriya
  12. Somalia
  13. Sudan
  14. Russian Federation
  15. Syrian Arab Republic
  16. Ukraine
  17. Venezuela
What is custom duty/charge? Chevron down icon Chevron up icon

Customs duty are charges levied on goods when they cross international borders. It is a tax that is imposed on imported goods. These duties are charged by special authorities and bodies created by local governments and are meant to protect local industries, economies, and businesses.

Do I have to pay customs charges for the print book order? Chevron down icon Chevron up icon

The orders shipped to the countries that are listed under EU27 will not bear custom charges. They are paid by Packt as part of the order.

List of EU27 countries: www.gov.uk/eu-eea:

A custom duty or localized taxes may be applicable on the shipment and would be charged by the recipient country outside of the EU27 which should be paid by the customer and these duties are not included in the shipping charges been charged on the order.

How do I know my custom duty charges? Chevron down icon Chevron up icon

The amount of duty payable varies greatly depending on the imported goods, the country of origin and several other factors like the total invoice amount or dimensions like weight, and other such criteria applicable in your country.

For example:

  • If you live in Mexico, and the declared value of your ordered items is over $ 50, for you to receive a package, you will have to pay additional import tax of 19% which will be $ 9.50 to the courier service.
  • Whereas if you live in Turkey, and the declared value of your ordered items is over € 22, for you to receive a package, you will have to pay additional import tax of 18% which will be € 3.96 to the courier service.
How can I cancel my order? Chevron down icon Chevron up icon

Cancellation Policy for Published Printed Books:

You can cancel any order within 1 hour of placing the order. Simply contact customercare@packt.com with your order details or payment transaction id. If your order has already started the shipment process, we will do our best to stop it. However, if it is already on the way to you then when you receive it, you can contact us at customercare@packt.com using the returns and refund process.

Please understand that Packt Publishing cannot provide refunds or cancel any order except for the cases described in our Return Policy (i.e. Packt Publishing agrees to replace your printed book because it arrives damaged or material defect in book), Packt Publishing will not accept returns.

What is your returns and refunds policy? Chevron down icon Chevron up icon

Return Policy:

We want you to be happy with your purchase from Packtpub.com. We will not hassle you with returning print books to us. If the print book you receive from us is incorrect, damaged, doesn't work or is unacceptably late, please contact Customer Relations Team on customercare@packt.com with the order number and issue details as explained below:

  1. If you ordered (eBook, Video or Print Book) incorrectly or accidentally, please contact Customer Relations Team on customercare@packt.com within one hour of placing the order and we will replace/refund you the item cost.
  2. Sadly, if your eBook or Video file is faulty or a fault occurs during the eBook or Video being made available to you, i.e. during download then you should contact Customer Relations Team within 14 days of purchase on customercare@packt.com who will be able to resolve this issue for you.
  3. You will have a choice of replacement or refund of the problem items.(damaged, defective or incorrect)
  4. Once Customer Care Team confirms that you will be refunded, you should receive the refund within 10 to 12 working days.
  5. If you are only requesting a refund of one book from a multiple order, then we will refund you the appropriate single item.
  6. Where the items were shipped under a free shipping offer, there will be no shipping costs to refund.

On the off chance your printed book arrives damaged, with book material defect, contact our Customer Relation Team on customercare@packt.com within 14 days of receipt of the book with appropriate evidence of damage and we will work with you to secure a replacement copy, if necessary. Please note that each printed book you order from us is individually made by Packt's professional book-printing partner which is on a print-on-demand basis.

What tax is charged? Chevron down icon Chevron up icon

Currently, no tax is charged on the purchase of any print book (subject to change based on the laws and regulations). A localized VAT fee is charged only to our European and UK customers on eBooks, Video and subscriptions that they buy. GST is charged to Indian customers for eBooks and video purchases.

What payment methods can I use? Chevron down icon Chevron up icon

You can pay with the following card types:

  1. Visa Debit
  2. Visa Credit
  3. MasterCard
  4. PayPal
What is the delivery time and cost of print books? Chevron down icon Chevron up icon

Shipping Details

USA:

'

Economy: Delivery to most addresses in the US within 10-15 business days

Premium: Trackable Delivery to most addresses in the US within 3-8 business days

UK:

Economy: Delivery to most addresses in the U.K. within 7-9 business days.
Shipments are not trackable

Premium: Trackable delivery to most addresses in the U.K. within 3-4 business days!
Add one extra business day for deliveries to Northern Ireland and Scottish Highlands and islands

EU:

Premium: Trackable delivery to most EU destinations within 4-9 business days.

Australia:

Economy: Can deliver to P. O. Boxes and private residences.
Trackable service with delivery to addresses in Australia only.
Delivery time ranges from 7-9 business days for VIC and 8-10 business days for Interstate metro
Delivery time is up to 15 business days for remote areas of WA, NT & QLD.

Premium: Delivery to addresses in Australia only
Trackable delivery to most P. O. Boxes and private residences in Australia within 4-5 days based on the distance to a destination following dispatch.

India:

Premium: Delivery to most Indian addresses within 5-6 business days

Rest of the World:

Premium: Countries in the American continent: Trackable delivery to most countries within 4-7 business days

Asia:

Premium: Delivery to most Asian addresses within 5-9 business days

Disclaimer:
All orders received before 5 PM U.K time would start printing from the next business day. So the estimated delivery times start from the next day as well. Orders received after 5 PM U.K time (in our internal systems) on a business day or anytime on the weekend will begin printing the second to next business day. For example, an order placed at 11 AM today will begin printing tomorrow, whereas an order placed at 9 PM tonight will begin printing the day after tomorrow.


Unfortunately, due to several restrictions, we are unable to ship to the following countries:

  1. Afghanistan
  2. American Samoa
  3. Belarus
  4. Brunei Darussalam
  5. Central African Republic
  6. The Democratic Republic of Congo
  7. Eritrea
  8. Guinea-bissau
  9. Iran
  10. Lebanon
  11. Libiya Arab Jamahriya
  12. Somalia
  13. Sudan
  14. Russian Federation
  15. Syrian Arab Republic
  16. Ukraine
  17. Venezuela