search

Privilege Escalation & Client-Side Exploits

hashtag
1. Introduction

Privilege escalation is a technique attackers use to gain elevated access to a system. This can be achieved through various exploits, misconfigurations, or vulnerable software.

Client-side exploits, on the other hand, target users by exploiting vulnerabilities in applications such as web browsers, PDF readers, or email clients.

This document provides a structured proof-of-concept (PoC) for privilege escalation and a client-side exploit.

hashtag
2. Privilege Escalation Exploit (Windows)

hashtag
Step 1: Identifying a Vulnerable System

Run the following command to check current privileges:

whoami /priv

If the output shows SeImpersonatePrivilege enabled, the system might be vulnerable to token impersonation attacks.

hashtag
Step 2: Exploiting the Vulnerability (JuicyPotato Attack)

Use JuicyPotato to escalate privileges:

JuicyPotato.exe -t * -p cmd.exe -l 1337 -c {clsid} -a "/c whoami"

If successful, the output should show NT AUTHORITY\SYSTEM, indicating privilege escalation.

hashtag
Step 3: Maintaining Access

To create a new administrative user:

Now, the attacker has persistent administrative access.

hashtag
Mitigation Strategies

  • Apply latest security patches to prevent privilege escalation exploits.

  • Disable unnecessary privileges like SeImpersonatePrivilege.

  • Use Windows Defender Exploit Guard to restrict token manipulation.

hashtag
3. Client-Side Exploit (Browser-Based Attack)

hashtag
Step 1: Setting Up a Malicious Webpage

An attacker can create a malicious HTML page to exploit browser vulnerabilities:

When a victim visits this page, their session cookies are stolen.

hashtag
Step 2: Hosting the Exploit

Host the malicious page using Python:

The attacker waits for the victim to visit the site.

hashtag
Step 3: Exploiting the User

If the victim's browser is vulnerable, their session cookies are sent to the attacker's server.

hashtag
Mitigation Strategies

  • Use Content Security Policy (CSP) to restrict script execution.

  • Enable HTTPOnly and Secure flags on cookies.

  • Keep browsers updated to patch known vulnerabilities.

PreviousProof-of-Concept Exploit: EternalBlue (MS17-010)NextBuffer Overflow Vulnerability