2019-12-02 11:09:31 +00:00
# Awesome Privilege Escalation
2019-12-02 10:22:52 +00:00
A curated list of awesome privilege escalation
2019-12-02 11:09:31 +00:00
2019-12-02 13:09:45 +00:00
Table of Contents
=================
* [Linux ](#linux )
* [Escape restricted shells ](#escape-restricted-shells )
* [SUDO and SUID ](#sudo-and-suid )
* [Capabilities ](#capabilities )
* [Tools ](#tools )
* [Find CVEs ](#find-cves )
* [Chkrootkit ](#chkrootkit )
* [NFS ](#nfs )
* [Presentations ](#presentations )
* [Windows ](#windows )
* [Hot Potato ](#hot-potato )
* [Unquoted services with spaces ](#unquoted-services-with-spaces )
* [Groups.xml ](#groupsxml )
* [Tools ](#tools-1 )
* [Presentations ](#presentations-1 )
* [Linux and Windows ](#linux-and-windows )
* [Docker ](#docker )
* [Docker socks ](#docker-socks )
* [AWS ](#aws )
2019-12-02 11:09:31 +00:00
## Linux
2019-12-05 12:34:57 +00:00
- [Basic Linux Privilege Escalation ](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/ )
- [Linux elevation of privileges ToC ](https://guif.re/linuxeop )
2019-12-05 17:36:43 +00:00
- [Pentest Book - Privilege Escalation ](https://chryzsh.gitbooks.io/pentestbook/privilege_escalation_-_linux.html ): common Linux privilege escalation techniques.
2019-12-05 12:34:57 +00:00
- [A guide to Linux Privilege Escalation ](https://payatu.com/guide-linux-privilege-escalation/ )
- [Enumeration is the Key ](https://medium.com/basic-linux-privilege-escalation/basic-linux-privilege-escalation-966de11f9997 )
2019-12-05 17:36:43 +00:00
- [My 5 Top Ways to Escalate Privileges ](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/my-5-top-ways-to-escalate-privileges/ ): Bruno Oliveira's top 5 favorite ways for accomplishing privilege escalation in the most practical ways possible.
- [Understanding Privilege Escalation ](http://www.admin-magazine.com/Articles/Understanding-Privilege-Escalation ):
Some techniques malicious users employ to escalate their privileges on a Linux system.
2019-12-05 12:34:57 +00:00
- [How privileges work in operating systems? ](https://www.future-processing.pl/blog/privilege-escalation/ )
2019-12-05 17:36:43 +00:00
- [Linux Privilege Escalation via Dynamically Linked Shared Object Library ](https://www.contextis.com/en/blog/linux-privilege-escalation-via-dynamically-linked-shared-object-library ): How RPATH and Weak File Permissions can lead to a system compromise.
2019-12-05 12:34:57 +00:00
- [Reach the root! How to gain privileges in Linux? ](https://hackmag.com/security/reach-the-root/ )
2019-12-05 17:36:43 +00:00
- [Linux Privilege Escalation ](https://percussiveelbow.github.io/linux-privesc/ ): an introduction to Linux escalation techniques, mainly focusing on file/process permissions, but along with some other stuff too.
- [Local Linux Enumeration & Privilege Escalation Cheatsheet ](https://www.rebootuser.com/?p=1623 ): a few Linux commands that may come in useful when trying to escalate privileges on a target system.
2019-12-05 12:34:57 +00:00
- [PENETRATION TESTING PRACTICE LAB - VULNERABLE APPS / SYSTEMS ](https://www.amanhardikar.com/mindmaps/Practice.html )
2019-12-05 17:36:43 +00:00
- [Local Linux privilege escalation overview ](https://myexperiments.io/linux-privilege-escalation.html ): This article will give an overview of the basic Linux privilege escalation techniques. It separates the local Linux privilege escalation in different scopes: kernel, process, mining credentials, sudo, cron, NFS, and file permission.
- [Attack and Defend: LinuxPrivilege Escalation Techniques of 2016 ](https://www.sans.org/reading-room/whitepapers/linux/attack-defend-linux-privilege-escalation-techniques-2016-37562 ): This paper will examine Linux privilege escalation techniques used throughout 2016 in detail, highlighting how these techniques work and how adversaries are using them.
- [Local Linux Enumeration & Privilege Escalation ](https://hackingandsecurity.blogspot.com/2016/05/local-linux-enumeration-privilege.html ): a few Linux commands that may come in useful when trying to escalate privileges on a target system.
- [Back To The Future: Unix Wildcards Gone Wild ](https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt ): This article will cover one interesting
old-school Unix hacking technique, that will still work in 2013.
- [POST CATEGORY : Privilege Escalation ](https://www.hackingarticles.in/category/privilege-escalation/ ): Privilege escalation post category in Raj Chandel's Blog.
2019-12-05 12:34:57 +00:00
- [Privilege Escalation & Post-Exploitation ](https://github.com/rmusser01/Infosec_Reference/blob/master/Draft/PrivescPostEx.md )
- [Linux - Privilege Escalation ](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md )
2019-12-05 17:36:43 +00:00
- [Hackers Hut ](https://www.win.tue.nl/~aeb/linux/hh/hh.html ): Some random hacking hints, mainly from a Linux point of view.
2019-12-05 12:34:57 +00:00
- [Hacking Linux Part I: Privilege Escalation ](http://www.dankalia.com/tutor/01005/0100501004.htm )
2019-12-02 11:09:31 +00:00
### Escape restricted shells
2019-12-13 09:46:49 +00:00
- [Escaping Restricted Linux Shells ](https://pen-testing.sans.org/blog/pen-testing/2012/06/06/escaping-restricted-linux-shells ): Resource for penetration testers to assist them when confronted with a restricted shell.
- [Restricted Linux Shell Escaping Techniques ](https://fireshellsecurity.team/restricted-linux-shell-escaping-techniques/ ): The focus of this article is on discussing and summarizing different techniques to escape common Linux restricted shells and also simple recommendations for administrators to protect against it.
- [Linux Restricted Shell Bypass ](https://www.exploit-db.com/docs/english/44592-linux-restricted-shell-bypass-guide.pdf )
- [Escaping from Restricted Shell and Gaining Root Access to SolarWinds Log & Event Manager (SIEM) Product ](https://pentest.blog/unexpected-journey-4-escaping-from-restricted-shell-and-gaining-root-access-to-solarwinds-log-event-manager-siem-product/ )
- [Breaking out of rbash using scp ](http://pentestmonkey.net/blog/rbash-scp )
2019-12-02 11:09:31 +00:00
### SUDO and SUID
- https://gtfobins.github.io/
- https://touhidshaikh.com/blog/?cat=21
- https://www.securusglobal.com/community/2014/03/17/how-i-got-root-with-sudo/
- https://touhidshaikh.com/blog/?p=790
2019-12-05 12:34:57 +00:00
- https://www.pentestpartners.com/security-blog/exploiting-suid-executables/
2019-12-02 11:09:31 +00:00
### Capabilities
- http://blog.sevagas.com/?POSIX-file-capabilities-the-dark-side
- http://blog.sevagas.com/IMG/pdf/exploiting_capabilities_the_dark_side.pdf
- https://www.insecure.ws/linux/getcap_setcap.html
- https://wiki.archlinux.org/index.php/Capabilities
- https://www.redpill-linpro.com/sysadvent/2016/12/06/spicing-up-your-access.html
- https://nxnjz.net/2018/08/an-interesting-privilege-escalation-vector-getcap/
- https://infamoussyn.wordpress.com/2014/07/11/gaining-a-root-shell-using-mysql-user-defined-functions-and-setuid-binaries/
- https://dl.packetstormsecurity.net/papers/attack/exploiting_capabilities_the_dark_side.pdf
- https://github.com/weaknetlabs/Penetration-Testing-Grimoire/blob/master/Privilege%20Escalation/linux.md
- https://vulp3cula.gitbook.io/hackers-grimoire/post-exploitation/privesc-linux
### Tools
- https://github.com/rebootuser/LinEnum
- http://pentestmonkey.net/tools/audit/unix-privesc-check
- https://github.com/mzet-/linux-exploit-suggester
- https://github.com/InteliSecureLabs/Linux_Exploit_Suggester
- https://github.com/jondonas/linux-exploit-suggester-2
- https://github.com/sleventyeleven/linuxprivchecker
- https://github.com/belane/linux-soft-exploit-suggester
- https://github.com/pentestmonkey/exploit-suggester
- https://github.com/AlessandroZ/BeRoot
- https://github.com/spencerdodd/kernelpop
- https://github.com/ngalongc/AutoLocalPrivilegeEscalation
- https://github.com/linted/linuxprivchecker
- https://github.com/initstring/uptux
- https://github.com/Ignitetechnologies/Privilege-Escalation
- https://github.com/AusJock/Privilege-Escalation
- https://github.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack
- https://github.com/ngalongc/AutoLocalPrivilegeEscalation
- https://github.com/1N3/PrivEsc
- https://github.com/diego-treitos/linux-smart-enumeration
- https://github.com/pentestmonkey/unix-privesc-check
- https://github.com/SecWiki/linux-kernel-exploits
#### Find CVEs
- https://github.com/lwindolf/lpvs
- https://github.com/davbo/active-cve-check
- https://github.com/clearlinux/cve-check-tool
- https://www.2daygeek.com/arch-audit-a-tool-to-check-vulnerable-packages-in-arch-linux/
### Chkrootkit
- https://lepetithacker.wordpress.com/2017/04/30/local-root-exploit-in-chkrootkit/
### NFS
- https://www.hackingarticles.in/linux-privilege-escalation-using-misconfigured-nfs/
- https://www.computersecuritystudent.com/SECURITY_TOOLS/METASPLOITABLE/EXPLOIT/lesson4/index.html
- https://blog.hackersonlineclub.com/2018/07/beroot-post-exploitation-tool-to-check.html
- https://touhidshaikh.com/blog/?p=788
### Presentations
- https://www.youtube.com/watch?v=oYHAi0cgur4
- https://www.irongeek.com/i.php?page=videos/bsidesaugusta2016/its-too-funky-in-here04-linux-privilege-escalation-for-fun-profit-and-all-around-mischief-jake-williams
- https://www.youtube.com/watch?v=yXe4X-AIbps
## Windows
- https://www.fuzzysecurity.com/tutorials/16.html
- https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html
- https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md
- https://lolbas-project.github.io/
- https://guif.re/windowseop
- https://www.youtube.com/watch?v=DlJyKgfkoKQ
- https://pt.slideshare.net/jakx_/level-up-practical-windows-privilege-escalation
- https://github.com/chryzsh/awesome-windows-security
- https://vulp3cula.gitbook.io/hackers-grimoire/post-exploitation/privesc-windows
- https://www.exploit-db.com/docs/46131
- https://lolbas-project.github.io/#
- https://github.com/frizb/Windows-Privilege-Escalation
### Hot Potato
- https://foxglovesecurity.com/2016/01/16/hot-potato/
- https://pentestlab.blog/2017/04/13/hot-potato/
- https://securityonline.info/hot-potato-windows-privilege-escalation-metasploit-powershellhot-potato-windows-privilege-escalation/
### Unquoted services with spaces
- https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae
- https://pentestlab.blog/2017/03/09/unquoted-service-path/
- https://www.commonexploits.com/unquoted-service-paths/
- https://hausec.com/2018/10/05/windows-privilege-escalation-via-unquoted-service-paths/
- https://www.gracefulsecurity.com/privesc-unquoted-service-path/
- https://trustfoundry.net/practical-guide-to-exploiting-the-unquoted-service-path-vulnerability-in-windows/
- https://securityboulevard.com/2018/04/windows-privilege-escalation-unquoted-services/
- https://www.ethicalhacker.net/community/windows-privilege-escalation-unquoted-services/
### Groups.xml
- https://tools.kali.org/password-attacks/gpp-decrypt
- https://adsecurity.org/?p=2288
### Tools
- https://github.com/411Hall/JAWS
- https://github.com/rasta-mouse/Sherlock/
- https://github.com/PowerShellMafia/PowerSploit
- https://github.com/foxglovesec/Potato
- https://github.com/foxglovesec/RottenPotato
- https://github.com/Kevin-Robertson/Tater
- https://github.com/Arvanaghi/SessionGopher
- https://github.com/pentestmonkey/windows-privesc-check
- https://github.com/rootm0s/WinPwnage
- https://github.com/absolomb/WindowsEnum
- https://github.com/ohpe/juicy-potato
### Presentations
- https://www.youtube.com/watch?v=bAnohAiAQ7U
- https://www.youtube.com/watch?v=G9yn3qNq7Vw
- https://www.youtube.com/watch?v=jfZ8FKTFNTE
- https://www.youtube.com/watch?v=RORaqh1DIco
## Linux and Windows
- https://github.com/vitalysim/Awesome-Hacking-Resources#privilege-escalation
2019-12-02 14:13:47 +00:00
## Docker
2019-12-02 11:09:31 +00:00
- https://gist.github.com/FrankSpierings/5c79523ba693aaa38bc963083f48456c
- https://threatpost.com/hack-allows-escape-of-play-with-docker-containers/140831/
- https://www.twistlock.com/labs-blog/escaping-docker-container-using-waitid-cve-2017-5123/
- https://pt.slideshare.net/BorgHan/hacking-docker-the-easy-way
- https://blog.secureideas.com/2018/05/escaping-the-whale-things-you-probably-shouldnt-do-with-docker-part-1.html
### Docker socks
- https://www.lvh.io/posts/dont-expose-the-docker-socket-not-even-to-a-container.html
- https://gist.github.com/FrankSpierings/5c79523ba693aaa38bc963083f48456c
- https://www.bleepingcomputer.com/news/security/escaping-containers-to-execute-commands-on-play-with-docker-servers/
- https://blog.paranoidsoftware.com/dirty-cow-cve-2016-5195-docker-container-escape/
## AWS
- https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation