Chapter 1 / Empty Cup Mind
After an attacker has identified a specific computer and compiled a list
of listening services, he'll try to find some way to gain shell access. This
will allow him to execute arbitrary commands and perhaps further escalate
his rights, preferably to that of the root account (although, on a Windows
machine, sometimes being a Power User is sufficient). For example, if the
machine under attack is a web server, the attacker might launch a Structured
Query Language (SQL) injection attack against a poorly written web application
to compromise the security of the associated database server. Then, he
can leverage his access to the database server to acquire administrative rights.
Perhaps the password to the root account is the same as that of the database
administrator?
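The "poorly written web application" in the paragraph above usually means a query assembled from user input by string concatenation. The following Python snippet is an added illustration, not code from the book: it builds a throwaway in-memory SQLite database with constructed sample rows and places the concatenated query next to its parameterized replacement, so that the same login check can be run against both. The table name, column names, and the sample accounts are all assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample accounts for an in-memory database (not real credentials).
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Create a throwaway SQLite database with an assumed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_concat(conn, name, password):
    """The poorly written form: input is spliced into the SQL text, so any
    quote characters the caller supplies become part of the statement."""
    sql = ("SELECT name FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_param(conn, name, password):
    """The hardened form: placeholders hand the values to the driver as data,
    so they can never alter the structure of the statement."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def compare_forms():
    """Run one legitimate login and one malformed input through both forms.

    Returns a dict so the difference can be inspected (or asserted on):
    the concatenated version returns every account for the malformed input,
    the parameterized version returns nothing because no stored password
    equals that literal string.
    """
    conn = make_db()
    malformed = "' OR '1'='1"   # constructed input containing a quote
    return {
        "concat_valid": login_concat(conn, "alice", "s3cret"),
        "concat_malformed": login_concat(conn, "nobody", malformed),
        "param_valid": login_param(conn, "alice", "s3cret"),
        "param_malformed": login_param(conn, "nobody", malformed),
    }


if __name__ == "__main__":
    for label, rows in compare_forms().items():
        print(f"{label:18s} -> {rows}")
```

The point for a reviewer is that the defect is visible in the code itself: any query built with `+` or string formatting from request data is the pattern to flag, and the fix is the driver's placeholder syntax, not escaping by hand. The database account the web application uses should also hold only the rights it needs, since the paragraph's next step (pivoting from database access to administrative access) depends on that account having more privilege than necessary.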
The exploit-based approach isn't the only attack methodology. There are
myriad ways to get access and privilege. In the end, it's all about achieving
some sort of interface to the target (see Figure 1.1) and then increasing your
rights.⁶
Figure 1.1
6. mxatone, "Analyzing local privilege escalations in win32k," Uninformed, October 2008.