🎃
Jackmeister's Playbook
  • Welcome
  • Web Pentest
    • Mind Maps
    • Server Site Attacks
      • php type juggling
      • SSTI
      • SQL
        • PSG SQL
        • SQL Database Uses
        • SQL Injection
        • Blind SQL injection
        • SQLITE injection
      • psy shell
    • Recon
      • DNS Hunting
      • Web Tech Hunting
      • Credentials Harvesting
      • Subdomain Hunting
      • Javascript Hunting
    • Directory Brute Forcing
    • File Upload Tricks
      • PHP htaccess and ASP web.config bypass
      • PHP Exiftool edit and upload
      • PHP Extensions payloads / Cheatsheet
      • PHP disable_functions bypass
    • Client Site Attacks
      • Case Study - XSS-GPT
      • XSS
        • XSS All in one
        • XSS cookie stealing
        • Payloads / Cheatsheet
      • Javascript Crafting
      • PDF
    • CMS / Framework
      • apache / xampp
      • Django
      • Manegto
      • Joomla
      • Jenkins
      • Flask jinja2
      • tomcat
      • Drupal
      • nodejs
      • wordpress
    • Google Dorking
    • API
    • Command Injection
      • Command Injection Payloads/Cheatsheet
    • Rewrite URL
    • HTTP Request Smuggling (CL.TE)
  • Network Pentest
    • Linux
      • Internal Port Scanning
      • Privileges Escalation
      • Finding files
      • OVA2ROOT
    • Window
      • AV Evading
      • Chrome Password Extract
      • Internal Port Scanning
      • Privileges Escalation
      • ALL IN ONE
      • THM Priv Esc
      • Post Compromise
    • Port Forwarding
      • Playground Setup
    • Exploit Hunting
      • Searchsploit
    • tty-interactive-shell
    • Active Directory (AD)
      • Crackmapexec
  • Wireless Pentest
    • Airgeddon
    • Evil Twin
    • Aircrack
  • Vulnerability Assessment
    • Nmap
    • Nessus
  • General
    • Kiosk Escaping
    • Credential Bruteforcing
  • System Hardening
  • Phishing
    • Gophish
    • Mailing Server
    • SMS Server
    • DNS Server
Powered by GitBook
On this page
  • Kernel Exploits
  • Sudo
  • SUID
  • Cron Jobs
  • PATH
  • Capabilities
  • NFS
  • Mind Map

Was this helpful?

  1. Network Pentest
  2. Linux

Privileges Escalation

Kernel Exploits

   1) uname -a
   2) /proc/version
   3) /etc/issue
      1- Look for an exploit for the kernel
      2- Compile and run the code

Sudo

   1) sudo -l
      1- look for files you can execute as root. use gtfobins
   2) LD_PRELOAD
      1- if env-keep is set can generate and execute custom lib when running command
         1> compile code as shared object (.so) 
         2> run command with sudo pointing LD_PRELOAD to you .so file

SUID

   1) find / -type f -perm -04000 -ls 2>/dev/null 
   2) find / -perm -u=s -type f 2>/dev/null
      1- find SUID enabled files
      2- use gtfobins to find out how to exploit them

Cron Jobs

   1) cat /etc/crontab
      1- look for jobs being run as a user with higher privs than you
      2- see if you can write to the file being executed
      3- If the job dosent specify full path, will use PATH listed in crontab. If can write to any dir in the PATH, can hijack the Cron Job

PATH

   1) echo $PATH
   2) Can you write to and Dirs in $PATH?
   3) Can you modify your path?
   4) Is there a script you can run that will be effected by this?
      1- if you can modify PATH you can ad d/tmp to beggining and hijack and binary being run with higher privs than you have

Capabilities

  1) getcap -r / 2>
      1- recursively get capabilities for every file starting from /

NFS

   1) cat /etc/exports
      1- must have “no_root_squash” enabled on a share
         1>  showmount -e 10.10.135.31
         2> mkdir /tmp/mnt 
         3> mount -o rw IP:SHARE /tmp/mnt
         4> make and compile and an exploit
         5> Add the SUID bit
         6> transfer file to mounted share
         7> Execute as user on target

Mind Map

PreviousInternal Port ScanningNextFinding files

Last updated 1 year ago

Was this helpful?