DailyGlimpse

Mastering Host-Based Attacks: Privilege Escalation and Credential Dumping for PenTest+ PT0-003

AI
April 27, 2026 · 3:28 PM


Professor Erica's latest video in the PenTest+ PT0-003 series dives into the critical post-foothold phase of penetration testing: escalating privileges and extracting credentials. Once an attacker gains initial access, the focus shifts to moving from a low-privileged shell to full administrative control and harvesting authentication data for lateral movement.

Automated Enumeration with LinPEAS and WinPEAS

The video kicks off with automated enumeration tools: LinPEAS (Linux Privilege Escalation Awesome Script), a shell script, and WinPEAS (Windows Privilege Escalation Awesome Script), shipped as a .NET executable with a batch-file variant. Both sweep a host for misconfigurations, weak file and service permissions, credentials left in config files, and exploitable services, giving a fast first pass over potential privilege escalation vectors. Their output is long and colour-coded by likely impact, so every finding still needs manual confirmation before it is exploited, and both scripts are well known to EDR products, which matters on engagements where stealth is in scope.

Linux Privilege Escalation: SUID, Sudo, and Writable Paths

On Linux, the lesson covers SUID binaries (executables that run with the file owner's permissions rather than the caller's) and how to abuse them to gain root when the owner is root and the program can be made to spawn a shell or read and write arbitrary files. It also explores sudo misconfigurations (for example a sudoers rule granting NOPASSWD on a binary such as vim or find that can launch a shell, which sudo -l reveals), writable directories early in the PATH used by root cron jobs or scripts that call commands by relative name, and kernel exploits. Common examples include the pkexec vulnerability (CVE-2021-4034, PwnKit) and abusing cryptsetup or docker when they run with elevated rights; for docker, membership in the docker group is enough, because the daemon runs as root and will mount the host filesystem into a container on request.
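To make the LinPEAS sweep from the previous section and the Linux vectors above concrete, here is an added triage script. It is not LinPEAS and not the video's code; it re-implements three of the checks in plain Python so the logic is visible and testable on captured output. The ABUSABLE_SUID set is a hypothetical subset of what GTFOBins documents, and the sudo -l and crontab formats parsed are the standard ones.

```python
#!/usr/bin/env python3
"""Linux privilege-escalation triage (added example, not LinPEAS).

Three checks LinPEAS automates, written out:
  1. SUID binaries, cross-checked against a small GTFOBins-style list
  2. `sudo -l` output parsed for NOPASSWD rules
  3. PATH hijacking of cron jobs that call a command by relative name
Run as-is on a host, or call the functions on captured output.
"""
import os
import re
import stat

# Hypothetical subset of binaries GTFOBins documents as shell-capable when SUID.
ABUSABLE_SUID = {"bash", "find", "vim", "python3", "env", "cp", "nmap", "less"}
_SKIP_DIRS = {"/proc", "/sys", "/dev"}


def find_suid(root="/"):
    """Sorted paths of regular files under root that carry the setuid bit."""
    hits = []
    for dirpath, dirs, files in os.walk(root):
        dirs[:] = [d for d in dirs if os.path.join(dirpath, d) not in _SKIP_DIRS]
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)       # lstat: a symlink is never itself SUID
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def abusable_suid(paths):
    """Keep only SUID files with a known shell-spawning abuse path."""
    return [p for p in paths if os.path.basename(p) in ABUSABLE_SUID]


# One rule as `sudo -l` prints it: "(runas) TAG: cmd1, cmd2"
_SUDO_RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(text):
    """Parse `sudo -l` output into one dict per command, flagging NOPASSWD."""
    rules = []
    for line in text.splitlines():
        m = _SUDO_RULE.match(line)
        if not m:                      # header lines never start with "("
            continue
        nopasswd = "NOPASSWD" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            rules.append({"runas": m.group("runas").strip(),
                          "nopasswd": nopasswd, "cmd": cmd.strip()})
    return rules


# /etc/crontab line: five schedule fields, the user, then the command
_CRON_LINE = re.compile(r"^\s*(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")


def relative_cron_commands(crontab_text):
    """(user, program) for entries whose program is not an absolute path."""
    found = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue                   # comments and SHELL=/PATH= assignments
        m = _CRON_LINE.match(line)
        if not m:
            continue
        prog = m.group("cmd").split()[0]
        if not prog.startswith("/"):
            found.append((m.group("user"), prog))
    return found


def path_hijack_candidates(command, path, real_dir=None, is_writable=None):
    """Writable directories searched before real_dir in PATH: a file named
    `command` dropped there runs instead of the real one. real_dir=None means
    the real binary was not found, so every writable PATH entry qualifies."""
    is_writable = is_writable or (lambda d: os.access(d, os.W_OK))
    out = []
    for d in path.split(":"):
        if d == real_dir:
            break
        if d and is_writable(d):
            out.append(os.path.join(d, command))
    return out


if __name__ == "__main__":
    suid = find_suid("/")
    print(f"[+] {len(suid)} SUID files, abusable: {abusable_suid(suid)}")
    try:
        with open("/etc/crontab") as f:
            crontab = f.read()
    except OSError:
        crontab = ""
    cron_path = next((l.split("=", 1)[1] for l in crontab.splitlines()
                      if l.startswith("PATH=")), "/usr/bin:/bin")
    for user, prog in relative_cron_commands(crontab):
        real = next((d for d in cron_path.split(":")
                     if os.path.isfile(os.path.join(d, prog))), None)
        print(f"[+] cron ({user}) runs {prog!r} by name; plant it at: "
              f"{path_hijack_candidates(prog, cron_path, real)}")
```

The cron check uses the PATH line from /etc/crontab rather than the shell's PATH, because that is the one cron actually searches; feeding sudo -l output through parse_sudo_l is the manual follow-up to a LinPEAS hit that is worth scripting, since the NOPASSWD entries are what GTFOBins is then consulted for.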

Windows Privilege Escalation: Services, Tokens, and AlwaysInstallElevated

On the Windows side, common vectors include:

  • Unquoted Service Paths: A service whose ImagePath contains spaces but no quotes (e.g. C:\Vendor Apps\Svc Tool\svc.exe) is resolved by trying each space-delimited prefix with .exe appended before the real file. If a low-privileged user can write to one of those directories, a planted binary runs as the service account (often SYSTEM) the next time the service starts.
  • Weak Service Permissions: Services whose configuration (binPath, start type) or whose executable or its directory can be modified by low-privileged users; accesschk or sc sdshow expose the DACL, and a writable binPath means the attacker simply points the service at their own payload.
  • Token Impersonation: Accounts holding SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege (service accounts such as those behind IIS and SQL Server typically do) can coerce a SYSTEM authentication and impersonate the resulting token with tools like JuicyPotato or RogueWinRM. JuicyPotato stopped working on Windows 10 1809 / Server 2019 and later, where PrintSpoofer and the later Potato variants (RoguePotato, GodPotato) are the usual successors.
  • AlwaysInstallElevated: When the AlwaysInstallElevated value is set to 1 under both HKLM and HKCU Software\Policies\Microsoft\Windows\Installer, any user's MSI packages are installed as SYSTEM, so a malicious .msi yields a SYSTEM shell. Setting only one of the two keys has no effect, which is the first thing to verify before building the package.
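Two of the checks above reduce to logic that is easy to get subtly wrong by hand, so here is an added example (not WinPEAS code, not the video's) that works out the unquoted-path hijack candidates and the two-key AlwaysInstallElevated rule. The pure functions run on any platform against constructed ImagePath strings; the live registry walk only runs on Windows, and the sample paths are invented for illustration.

```python
#!/usr/bin/env python3
"""Unquoted service paths and AlwaysInstallElevated, as plain logic
(added example, not WinPEAS). Live registry queries are Windows-only."""
import ntpath
import re
import sys


def unquoted_service_path_candidates(image_path):
    r"""File names Windows tries, in order, before the real binary when a
    service ImagePath contains spaces and is not quoted.

    C:\Vendor Apps\Svc Tool\svc.exe -k run -> [C:\Vendor.exe, C:\Vendor Apps\Svc.exe]
    A quoted path, or a path without spaces, yields no candidates.
    """
    image_path = image_path.strip()
    if image_path.startswith('"'):
        return []
    # The binary ends at the first ".exe"; what follows is arguments.
    # (Binaries without .exe fall back to the whole string, which over-reports.)
    m = re.match(r"(.*?\.exe)\b", image_path, re.IGNORECASE)
    binary = m.group(1) if m else image_path
    parts = binary.split(" ")
    if len(parts) == 1:
        return []
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def writable_hijack_points(image_path, can_write_dir):
    """Candidates whose parent directory the current user can write to.
    can_write_dir is a callback so the logic is testable with constructed data."""
    return [c for c in unquoted_service_path_candidates(image_path)
            if can_write_dir(ntpath.dirname(c))]


def always_install_elevated(hklm_value, hkcu_value):
    """Exploitable only when BOTH policy values are 1; one alone does nothing."""
    return hklm_value == 1 and hkcu_value == 1


def read_always_install_elevated():
    """Read both AlwaysInstallElevated values from the live registry (Windows)."""
    import winreg  # stdlib, Windows only
    values = []
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            with winreg.OpenKey(hive, r"SOFTWARE\Policies\Microsoft\Windows\Installer") as k:
                values.append(winreg.QueryValueEx(k, "AlwaysInstallElevated")[0])
        except OSError:          # key or value absent counts as 0
            values.append(0)
    return always_install_elevated(*values)


def enumerate_service_image_paths():
    """Yield (service_name, ImagePath) for every service key (Windows)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as root:
        i = 0
        while True:
            try:
                name = winreg.EnumKey(root, i)
            except OSError:      # no more subkeys
                break
            i += 1
            try:
                with winreg.OpenKey(root, name) as svc:
                    yield name, winreg.QueryValueEx(svc, "ImagePath")[0]
            except OSError:      # drivers/services without an ImagePath
                continue


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("live checks need Windows; import the functions to test the logic")
    import os
    # os.access only reflects the read-only attribute on Windows, not the
    # DACL; confirm any hit with icacls or accesschk before relying on it.
    for name, path in enumerate_service_image_paths():
        hits = writable_hijack_points(path, lambda d: os.access(d, os.W_OK))
        if hits:
            print(f"[+] {name}: {path!r} -> plant one of {hits}")
    print("[+] AlwaysInstallElevated exploitable:", read_always_install_elevated())
```

The candidate list matters in order: C:\Vendor.exe is tried before C:\Vendor Apps\Svc.exe, but C:\ is not writable by standard users on a default install, so the second candidate is the one that usually turns a weak vendor directory ACL into SYSTEM code execution.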

Credential Dumping: Mimikatz and secretsdump

The lesson centres on two credential dumping tools:

  • Mimikatz: Extracts plaintext passwords, NTLM hashes, and Kerberos tickets from LSASS memory (e.g., sekurlsa::logonpasswords), which requires local administrator rights and SeDebugPrivilege. Plaintext passwords appear only where WDigest caching is still enabled (it has been off by default since Windows 8.1 / Server 2012 R2), and Credential Guard isolates the secrets entirely, so on hardened hosts the NT hash is usually all that comes back. Mimikatz can also perform pass-the-hash and overpass-the-hash (using an NT hash to obtain a Kerberos ticket) attacks from that material.
  • secretsdump (Impacket's secretsdump.py): Given valid credentials, or just an NT hash via pass-the-hash, it remotely dumps the SAM, LSA secrets and cached domain credentials from a host, and against a domain controller pulls every account's hash from NTDS.dit over the DRSUAPI replication interface (the same mechanism as a DCSync attack), so it never has to copy the database file itself.

SolarWinds and the Host-Based Lateral Movement Chain

The video concludes with a real-world case study: the SolarWinds supply chain attack. After compromising a host via a trojanized Orion update, attackers used token manipulation and credential dumping to move laterally, eventually achieving domain admin access. The point of the case study is that the host-based techniques covered in this lesson are not an end in themselves: each escalated host and each dumped credential is a stepping stone into the larger network compromise.

Quiz Time

A final quiz tests understanding of key concepts, including the differences between Kerberoasting, DCSync, and pass-the-hash attacks.

Summary

Host-based attacks are the backbone of lateral movement. By mastering automated enumeration, manual escalation techniques, and credential dumping, penetration testers can simulate real-world adversarial tactics outlined in CompTIA PenTest+ Domain 4.