Preview Mode Links will not work in preview mode

Jun 1, 2020

**If Derek told you about us at SANS, send a DM to @brakeSec or email for an invite to our slack**

OSCP/HtB/VulnHub is a game... designed to have a tester find a specific nugget of information to pivot or gain access to greater power on the system. 

Far different in the 'real' world.


Privilege escalation in Windows:

*as of June 2020, many of these items still work, may not work completely in the future*

*even so, many of these may not work if other mitigating controls are in place*






Redteam methodology:


Enumerate the machine


Network connections





Software installed (putty, git, MSO, etc) *older software may install with improper permissions*

Service paths (along with users services are ran as)

Windows Features (WSL, SSH, etc)

Patch level (Build 1703, etc)

Wifi networks and passwords (netsh wlan show profile <SSID> key=clear)

Powershell history

Bash History (if WSL is used)

Incognito tokens

Stored credentials (cmdkey /list)

Powershell transcripts (search text files for "Windows PowerShell transcript start")


Context for above: Understand how the users make use of the system, and how they connect to other systems, follow those paths to find lateral movement, misconfigurations, etc. Each new system or user will provide further information to loot or avenues to explore


Linux EoP:



Mostly the same as above

Bash history or profile files

           Writable scripts (tampering with paths or environment variables)

Setuid/Setgid binaries

Sticky bit directories


Email spools

World writable/readable files

.ssh config files (keys, active sessions)

Tmux/screen sessions

Application secrets (database files, web files with database connectivity, hard coded creds or keys, etc)

VPN profiles

GNOME keyrings-


Ways to defend against those kinds of EoP.

Something cool:  -- high Rollers


Derek is speaking at SANS SUMMIT happening on 04-05 June (FREE!) -


Ms. Berlin is speaking at EDUCAUSE - VIRTUAL (04 June)