# Privilege Escalation & Man-in-the-Middle

* Privilege Escalation
  * Gain access to what you should not be able to access.
  * Start as a normal user, and grant yourself more permissions
  * Inject code into a “privileged” app or service
  * Sudo / “Run as administrator”: built-in, sanctioned privilege escalation.
  * Mitigation?
    * Passwords, MFA, least privilege, sanitize input, patching, change default credentials
* Pass the hash attack
  * Once captured, present the hash value instead of the password.
  * Older versions of Windows (LM hashes)
  * Newer versions with backwards-compatible configurations
* Golden Ticket
  * One ticket to rule them all
  * Applies to Kerberos
  * Can grant Admin permissions to AD
  * On vulnerable versions, dumping the AD data store (NTDS.DIT) reveals the krbtgt hashes
  * These hashes can be used to create a “golden ticket” for any user in AD
  * Related Kerberos attack: “Kerberoasting”
* Man in the middle attack
  * Network traffic interception, optionally with redirection
  * Software variant: code injection into the client, e.g. man in the browser
  * Keyloggers
  * ARP poisoning
* DNS Attacks
  * Buffer overflows
  * DNS amplification
  * Mitigation?
    * Patching
    * Block malicious sources
* Rootkits
  * Kernel level malware
  * Replaces OS files with malicious ones
  * Requires root access
  * Mitigation: antivirus and file integrity monitoring (FIM)
  * Tripwire – file integrity monitoring for Linux
  * File Sight – file integrity monitoring for Windows
