Hacker News
by Asooka 1793 days ago
I am confused how having read access to the registry allows local privilege escalation. As a Linux user, having read access to the registry sounds like having read access to /etc, which every user already has. What sensitive data is stored in SAM that allows that?
2 comments

Password hashes. /etc/shadow isn’t world-readable in Linux either.
It seems like there are some cases where Windows accepts a password hash for authentication as a user though. So by having the hash of an administrator, you can escalate privileges.

I don't think there are such cases in Linux.

Agreed. The article also does not seem to explain it. From what I understood, the SAM only stores encrypted password hashes, nothing that could be readily exploited for local privilege escalation.
There's a video (bleh) which appears to extract the hash and then use a pass-the-hash. I'm not clear on exactly what the preconditions are (are NTLMv1/v2 hashes still stored by default? Does PTH work with newer hashes? etc.) or if there's another way to escalate.