awesome-privilege-escalation/README.md

Awesome Privilege Escalation

A curated list of awesome privilege escalation

Table of Contents

• Linux
  • Escape restricted shells
  • SUDO and SUID
  • Capabilities
  • Tools
    • Find CVEs
  • Chkrootkit
  • NFS
  • Presentations
• Windows
  • Hot Potato
  • Unquoted services with spaces
  • Groups.xml
  • Tools
  • Presentations
• Linux and Windows
• Docker
  • Docker socks
• AWS

Linux

• Basic Linux Privilege Escalation
• Linux elevation of privileges ToC
• Pentest Book - Privilege Escalation: common Linux privilege escalation techniques.
• A guide to Linux Privilege Escalation
• Enumeration is the Key
• My 5 Top Ways to Escalate Privileges: Bruno Oliveira's top 5 favorite ways for accomplishing privilege escalation in the most practical ways possible.
• Understanding Privilege Escalation: Some techniques malicious users employ to escalate their privileges on a Linux system.
• How privileges work in operating systems?
• Linux Privilege Escalation via Dynamically Linked Shared Object Library: How RPATH and Weak File Permissions can lead to a system compromise.
• Reach the root! How to gain privileges in Linux?
• Linux Privilege Escalation: an introduction to Linux escalation techniques, mainly focusing on file/process permissions, but along with some other stuff too.
• Local Linux Enumeration & Privilege Escalation Cheatsheet: a few Linux commands that may come in useful when trying to escalate privileges on a target system.
• PENETRATION TESTING PRACTICE LAB - VULNERABLE APPS / SYSTEMS
• Local Linux privilege escalation overview: This article will give an overview of the basic Linux privilege escalation techniques. It separates the local Linux privilege escalation in different scopes: kernel, process, mining credentials, sudo, cron, NFS, and file permission.
• Attack and Defend: LinuxPrivilege Escalation Techniques of 2016: This paper will examine Linux privilege escalation techniques used throughout 2016 in detail, highlighting how these techniques work and how adversaries are using them.
• Local Linux Enumeration & Privilege Escalation: a few Linux commands that may come in useful when trying to escalate privileges on a target system.
• Back To The Future: Unix Wildcards Gone Wild: This article will cover one interesting old-school Unix hacking technique, that will still work in 2013.
• POST CATEGORY : Privilege Escalation: Privilege escalation post category in Raj Chandel's Blog.
• Privilege Escalation & Post-Exploitation
• Linux - Privilege Escalation
• Privilege escalation: Linux
• Penetration-Testing-Grimoire/Privilege Escalation/linux.md
• Privilege Escalation Cheatsheet (Vulnhub): This cheasheet is aimed at the CTF Players and Beginners to help them understand the fundamentals of Privilege Escalation with examples.
• Hackers Hut: Some random hacking hints, mainly from a Linux point of view.
• Hacking Linux Part I: Privilege Escalation

Escape restricted shells

• Escaping Restricted Linux Shells: Resource for penetration testers to assist them when confronted with a restricted shell.
• Restricted Linux Shell Escaping Techniques: The focus of this article is on discussing and summarizing different techniques to escape common Linux restricted shells and also simple recommendations for administrators to protect against it.
• Linux Restricted Shell Bypass
• Escaping from Restricted Shell and Gaining Root Access to SolarWinds Log & Event Manager (SIEM) Product
• Breaking out of rbash using scp

SUDO and SUID

• GTFOBins: GTFOBins is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions.
• Abusing SUDO: Some of the binary which helps you to escalate privilege using the sudo command.
• Sudo (LD_PRELOAD): Privilege Escalation from an LD_PRELOAD environment variable.
• How I got root with Sudo
• Gaining a Root shell using MySQL User Defined Functions and SETUID Binaries: How a MySQL User Defined Function (UDF) and a SETUID binary can be used to elevate user privilege to a root shell.

Capabilities

• Exploiting capabilities: Parcel root power, the dark side of capabilities
• getcap, setcap and file capabilities
• Capabilities
• Spicing up your own access with capabilities
• An Interesting Privilege Escalation vector (getcap/setcap)

Tools

• LinEnum
• pspy: unprivileged Linux process snooping
• LES: LES: Linux privilege escalation auditing tool
• Linux_Exploit_Suggester: Linux Exploit Suggester; based on operating system release number.
• Linux Exploit Suggester 2: Next-generation exploit suggester based on Linux_Exploit_Suggester
• linuxprivchecker.py: Linux Privilege Escalation Check Script
• linux-soft-exploit-suggester: linux-soft-exploit-suggester finds exploits for all vulnerable software in a system helping with the privilege escalation.
• exploit-suggester: This tool reads the output of “showrev -p” on Solaris machines and outputs a list of exploits that you might want to try.
• unix-privesc-check: Shell script to check for simple privilege escalation vectors on Unix systems
• BeRoot: BeRoot Project is a post exploitation tool to check common misconfigurations to find a way to escalate our privilege.
• kernelpop: kernelpop is a framework for performing automated kernel vulnerability enumeration and exploitation.
• AutoLocalPrivilegeEscalation: An automated script that download potential exploit for linux kernel from exploitdb, and compile them automatically.
• Linux Privilege Escalation Check Script: Originally forked from the linuxprivchecker.py (Mike Czumak), this script is intended to be executed locally on a Linux box to enumerate basic system info and search for common privilege escalation vectors such as word writable files, misconfigurations, clear-text password and applicable exploits.
• uptux: Specialized privilege escalation checks for Linux systems.
• Unix-Privilege-Escalation-Exploits-Pack: Exploits for getting local root on Linux, BSD, AIX, HP-UX, Solaris, RHEL, SUSE etc.
• AutoLocalPrivilegeEscalation: An automated script that download potential exploit for linux kernel from exploitdb, and compile them automatically
• PrivEsc: A collection of Windows, Linux and MySQL privilege escalation scripts and exploits.
• linux-smart-enumeration: Linux enumeration tools for pentesting and CTFs
• linux-kernel-exploits

Find CVEs

• LPVS: Linux Package Vulnerability Scanner for CentOS and Ubuntu
• active-cve-check: Checks a list of packages against the "active" (not yet patched) CVE's as listed in the Ubuntu CVE Tracker.
• cve-check-tool: Original Automated CVE Checking Tool
• Arch-Audit: A tool to check vulnerable packages in Arch Linux

Chkrootkit

• https://lepetithacker.wordpress.com/2017/04/30/local-root-exploit-in-chkrootkit/

NFS

• https://www.hackingarticles.in/linux-privilege-escalation-using-misconfigured-nfs/
• https://www.computersecuritystudent.com/SECURITY_TOOLS/METASPLOITABLE/EXPLOIT/lesson4/index.html
• https://blog.hackersonlineclub.com/2018/07/beroot-post-exploitation-tool-to-check.html
• https://touhidshaikh.com/blog/?p=788

Presentations

• Linux Privilege Escalation - Tradecraft Security Weekly #22: Methodology for performing various privilege escalation techniques against Linux-based systems.
• Linux privilege escalation for fun, profit, and all around mischief: Examine opportunities for privilege escalation that can vault you from zero to hero in a few easy steps.
• Privilege Escalation FTW: Demonstrate various privilege escalation techniques that are possible primarily due to misconfigurations.

Windows

• Windows Privilege Escalation Fundamentals
• Privilege Escalation Windows
• Windows Privilege Escalation Guide
• Windows - Privilege Escalation
• LOLBAS: Living Off The Land Binaries and Scripts (and also Libraries)
• Windows elevation of privileges ToC
• awesome-windows-security
• [Privilege escalation: Windows](https://vulp3cula.gitbook.io/hackers-grimoire/post-exploitation/privesc-windows
• Windows Privilege Escalations
• Windows-Privilege-Escalation: Step-by-step windows privlege escalation methodology.
• Privilege Escalation: There are also various other (local) exploits that can be used to also escalate privileges.
• Windows Post Gather Modules: Metasploit offers a number of post exploitation modules that allow for further information gathering on your target network.

Hot Potato

• https://foxglovesecurity.com/2016/01/16/hot-potato/
• https://pentestlab.blog/2017/04/13/hot-potato/
• https://securityonline.info/hot-potato-windows-privilege-escalation-metasploit-powershellhot-potato-windows-privilege-escalation/

Unquoted services with spaces

• https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae
• https://pentestlab.blog/2017/03/09/unquoted-service-path/
• https://www.commonexploits.com/unquoted-service-paths/
• https://hausec.com/2018/10/05/windows-privilege-escalation-via-unquoted-service-paths/
• https://www.gracefulsecurity.com/privesc-unquoted-service-path/
• https://trustfoundry.net/practical-guide-to-exploiting-the-unquoted-service-path-vulnerability-in-windows/
• https://securityboulevard.com/2018/04/windows-privilege-escalation-unquoted-services/
• https://www.ethicalhacker.net/community/windows-privilege-escalation-unquoted-services/

Groups.xml

• https://tools.kali.org/password-attacks/gpp-decrypt
• https://adsecurity.org/?p=2288

Tools

• https://github.com/411Hall/JAWS
• https://github.com/rasta-mouse/Sherlock/
• https://github.com/PowerShellMafia/PowerSploit
• https://github.com/foxglovesec/Potato
• https://github.com/foxglovesec/RottenPotato
• https://github.com/Kevin-Robertson/Tater
• https://github.com/Arvanaghi/SessionGopher
• https://github.com/pentestmonkey/windows-privesc-check
• https://github.com/rootm0s/WinPwnage
• https://github.com/absolomb/WindowsEnum
• https://github.com/ohpe/juicy-potato

Presentations

• https://www.youtube.com/watch?v=bAnohAiAQ7U
• https://www.youtube.com/watch?v=G9yn3qNq7Vw
• https://www.youtube.com/watch?v=jfZ8FKTFNTE
• https://www.youtube.com/watch?v=RORaqh1DIco
• https://www.youtube.com/watch?v=DlJyKgfkoKQ
• https://www.youtube.com/watch?v=PC_iMqiuIRQ
• https://pt.slideshare.net/jakx_/level-up-practical-windows-privilege-escalation

Linux and Windows

• https://github.com/vitalysim/Awesome-Hacking-Resources#privilege-escalation
• https://blog.rapid7.com/2015/08/11/metasploit-local-exploit-suggester-do-less-get-more/

Docker

• https://gist.github.com/FrankSpierings/5c79523ba693aaa38bc963083f48456c
• https://threatpost.com/hack-allows-escape-of-play-with-docker-containers/140831/
• https://www.twistlock.com/labs-blog/escaping-docker-container-using-waitid-cve-2017-5123/
• https://pt.slideshare.net/BorgHan/hacking-docker-the-easy-way
• https://blog.secureideas.com/2018/05/escaping-the-whale-things-you-probably-shouldnt-do-with-docker-part-1.html

Docker socks

• https://www.lvh.io/posts/dont-expose-the-docker-socket-not-even-to-a-container.html
• https://gist.github.com/FrankSpierings/5c79523ba693aaa38bc963083f48456c
• https://www.bleepingcomputer.com/news/security/escaping-containers-to-execute-commands-on-play-with-docker-servers/
• https://blog.paranoidsoftware.com/dirty-cow-cve-2016-5195-docker-container-escape/

AWS

• https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation