Privilege Escalation

The Privilege Escalation RPT step executes local privilege escalation attacks on connected agents not running as the super user or the administrator. This macro automatically selects and executes exploits from the Exploits/Local module folder and some modules from the Exploits/Tools folder, such as Revert To Self or Chroot Breaker.

After successfully running Privilege Escalation, you may want to run the Local Information Gathering step to obtain more information from the compromised hosts. If an in-depth penetration test is being performed (and depending on the target network's topology), it is possible to change the current source agent and cycle back to the Information Gathering step. Refer to Set as Source for information regarding the source agent. All the initial 4 steps will execute from any Core Impact agent.

To run the Privilege Escalation RPT step, follow this procedure:

1. Make sure that the Network RPT is active.

2. Click on LPrivilege Escalationg to open up the Privilege Escalation Wizard and press Next to start.

   The Agent Selection screen displays.

   

   Specify which agents will run the Privilege Escalation macro. By default, all currently-connected agents will perform this step (All agents will perform a check to see if they are already running as SYSTEM or root. If they are, they will not attempt to perform Privilege Escalation.) An agent name will be automatically set if the macro was dropped over a specific agent. To choose one or more specific agents select the Selected agents radio button, then click the ellipsis () button to the right of the field. Follow the prompts to select your desired agents.

   Then click the Next button.

3. The Exploit Selection screen displays.

   For each target host, this macro selects relevant attacks from the Exploits/Local Module folder based on the target's platform. The default selections on the Exploit selection screen are intended to minimize the risk of exploits leaving services unavailable and/or alter the modules' performance. For example, by checking the Do not use exploits for patched vulnerabilities option, Core Impact will potentially have less work to do, as it can skip exploits that it detects have been patched.

   

   Press Next to continue.

4. The Exploit Configuration screen displays.

   Select whether you want Core Impact to automatically run a module on agents as they are deployed. If you check this option, then click the Change ... button to select the specific Module to autorun.

   

5. Click Finish. The module will run and information will be displayed on the Module Output and Module Log panels.