PenTest: Privilege Escalation in Practice - Pentestmag

PenTest: Privilege Escalation in Practice





Dear PenTest Readers,

This month’s edition of PenTest Magazine brings another selection of diverse offensive security articles and tutorials. While the contents cover various topics, we would like to draw your attention to the Privilege Escalation scenarios, provided for both Windows and Linux environments. Sushant Kamble presents a great introduction to implementing exploitation techniques in Windows OS, while Malvern Shaurwa takes advantage of the LD_PRELOAD variable of the Linux system in his case study.

If you want to dig deeper into a different type of exploitation technique, Rodolpho Concurde publishes another one of his great tutorials, this time on SEH overwrite to get a shell. If you’re into exploiting, this is definitely a must-read!

We are more than happy to have Bruce Williams among our contributors again! This time, Bruce presents an interesting real-life case of Threat Hunting that resulted in the discovery of an APT. This kind of threat should never be underestimated, and the article proves it. If you particularly like the Threat Hunting topic, Filipi Pires, our regular contributor, publishes another excellent case study related to this area.

For those of you interested in cryptography, we have a special treat too! Sanjay Phanshikar, Ashiq Khader, and Jyotisman Chakrabarty continue presenting their research results. This time they demystify the Kerberos authentication process.

Undoubtedly, everyone is aware of the increasing popularity of the discussion on blockchain technology these days. We are honoured to publish an academic paper by Shujun Li, discussing the tension between blockchain technology and privacy. Continuing the topic of privacy, Hitoshi Kokumai publishes another piece on his innovative concept of password usage and its impact on the general public. Gilad Mayaan discusses the importance of VDI security in 2021, presenting threats and solutions. Last but not least, the edition closes with an interview with Mike Muscatell, a seasoned cybersecurity veteran, trainer and speaker.

Without further ado,

Let’s dive into the reading!

PenTest Magazine's Editorial Team

Table of Contents

Windows Privilege Escalation

by Sushant Kamble

The attacker can perform Windows privilege escalation through various methods by exploiting startup applications, services, the kernel, the registry, scheduled tasks, potatoes, password mining, and many other techniques. The attacker can perform these attacks manually after getting user-level access or by using automation tools such as winPEAS, PowerShell scripts, or Metasploit.

From SEH Overwrite to Get a Shell

by Rodolpho Concurde

The Windows operating system has a default "handler" that catches any exception that is not handled by the program. When Windows handles an exception in an application, you will usually see the message: "program has encountered a problem and needs to close". The SEH handlers work as a chain and are located at the end of the stack. In the classic (vanilla) Buffer Overflow, the exploit overwrites the return address without worrying about writing more bytes to the stack, but with the SEH Overwrite technique, it is possible to obtain more space for the shellcode, which makes the exploit more stable.

Threat Hunting: Seeing the Invisible

by Bruce Williams

The history of the term Threat Hunt is explained in the context of the need to protect critical assets from Advanced Persistent Threats (APTs). The analysis of an APT attack on an Australian university that used a threat hunt to identify the attack is discussed using the Lockheed Martin Kill Chain and the MITRE ATT&CK playbook of techniques that are used by the attackers. What are the tools to hunt the threat? I was working at another university when this attack occurred, which was experiencing the same spear phishing style of attack. The same technique of a fictitious meeting was being used.

Malware undetected by CrowdStrike

by Filipi Pires

Regarding the test performed, the first objective was to simulate targeted attacks using known malware, downloading these artifacts directly onto the victim's machine, to obtain a panoramic view of the resilience presented by the solution with regard to the efficiency of its detection by signatures. The second objective consisted of analyzing the detection of those same 32 folders downloaded with malware (or those not detected yet) when the directories were changed. The idea here is to work with manipulation of samples (without execution). The third focal objective was the execution of a ScanNow inside the victim's machines for effectiveness analysis.

Privilege Escalation in Linux Systems through LD_PRELOAD

by Malvern D Shaurwa

In this article, we are going to discuss how to gain more permissions or access rights with an account already compromised by an attacker in a Linux system. The gaining of more permissions or access rights in a computer system is called privilege escalation. We are going to take advantage of “LD_PRELOAD”, which is an environment variable in Linux systems, to perform privilege escalation.

Kerberos Authentication Process Demystified

by Sanjay Phanshikar, Ashiq Khader, and Jyotisman Chakrabarty

The article covers the authentication process implemented in Kerberos infrastructure. Evaluating Kerberos against the most recent authentication technologies is not in the scope of this article. The article touches on the security aspect of Kerberos, but it is not the focus. A detailed analysis from a security perspective is not the intent of the article. The article provides parameters on a broader level around the strengths and weaknesses of the mechanism. Rather, the discussion should be taken as advantages and disadvantages at the ground level. Overall, the article describes the authentication process in detail for Kerberos.

When the GDPR Meets (Public) Blockchains: Looking through the Lens of Public Communications to Users

by Shujun Li and Rahime Belem Sağlam

The tension between blockchains and the GDPR has been noticed by the blockchain community. In October 2018, the EU Blockchain Observatory & Forum published a thematic report “Blockchain and the GDPR” to summarise the collective understanding of the community on this issue. This report acknowledges that the problem is particularly problematic for public blockchains, and recommends storing personal data off chain when possible or at least in an encrypted/anonymised form. The report also recommends that blockchain system developers and service providers should “be as clear and transparent as possible with users”.

How to NOT Achieve Solid Digital Identity?

by Hitoshi Kokumai

We hear that there are people who do not view the PIN as a member of the password family and allege that the PIN tied/linked to hardware is more secure than the password not tied/linked to hardware. It might sound superb to some people, but we wonder what we would see if someone starts linking the password to the same hardware.

VDI Security in 2021: Threats and Solutions

by Gilad David Mayaan

VDI is a central priority for security teams in almost every organization that deploys it. This is because VDI servers run a large number of desktops, which contain sensitive applications and data. In many cases, senior employees and privileged roles use the VDI system, and a breach could grant attackers access to the organization’s “crown jewels”. Apart from this, VDI availability is critical for the organization’s productivity, and any disruption could cause major damage.

“You Always Hear About the Human Element, Habit and Predictability.”

an interview with Mike Muscatell

We in cyber continuously remind folks that they are the target. All of those characteristics factor into the security posture of the individual. Couple that individual posture with how those same folks would conduct themselves in their companies. You then have potentially flawed operational security. I have seen cases where there was a strong technical defense in depth strategy in place but they still fell victim to attacks that were attributed to poor operational habits.



© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023