awesome-privilege-escalation/README.md

Awesome Privilege Escalation

A curated list of awesome privilege escalation

Table of Contents

• Linux
  • Escape restricted shells
  • SUDO and SUID
  • Capabilities
  • Tools
    • Find CVEs
  • Chkrootkit
  • NFS
  • Presentations
• Windows
  • Hot Potato
  • Unquoted services with spaces
  • Groups.xml
  • Tools
  • Presentations
• Linux and Windows
• Docker
  • Docker socks
• AWS

Linux

• Basic Linux Privilege Escalation
• Linux elevation of privileges ToC
• Pentest Book - Privilege Escalation: common Linux privilege escalation techniques.
• A guide to Linux Privilege Escalation
• Enumeration is the Key
• My 5 Top Ways to Escalate Privileges: Bruno Oliveira's top 5 favorite ways for accomplishing privilege escalation in the most practical ways possible.
• Understanding Privilege Escalation: Some techniques malicious users employ to escalate their privileges on a Linux system.
• How privileges work in operating systems?
• Linux Privilege Escalation via Dynamically Linked Shared Object Library: How RPATH and Weak File Permissions can lead to a system compromise.
• Reach the root! How to gain privileges in Linux?
• Linux Privilege Escalation: an introduction to Linux escalation techniques, mainly focusing on file/process permissions, but along with some other stuff too.
• Local Linux Enumeration & Privilege Escalation Cheatsheet: a few Linux commands that may come in useful when trying to escalate privileges on a target system.
• PENETRATION TESTING PRACTICE LAB - VULNERABLE APPS / SYSTEMS
• Local Linux privilege escalation overview: This article will give an overview of the basic Linux privilege escalation techniques. It separates the local Linux privilege escalation in different scopes: kernel, process, mining credentials, sudo, cron, NFS, and file permission.
• Attack and Defend: LinuxPrivilege Escalation Techniques of 2016: This paper will examine Linux privilege escalation techniques used throughout 2016 in detail, highlighting how these techniques work and how adversaries are using them.
• Local Linux Enumeration & Privilege Escalation: a few Linux commands that may come in useful when trying to escalate privileges on a target system.
• Back To The Future: Unix Wildcards Gone Wild: This article will cover one interesting old-school Unix hacking technique, that will still work in 2013.
• POST CATEGORY : Privilege Escalation: Privilege escalation post category in Raj Chandel's Blog.
• Privilege Escalation & Post-Exploitation
• Linux - Privilege Escalation
• Hackers Hut: Some random hacking hints, mainly from a Linux point of view.
• Hacking Linux Part I: Privilege Escalation

Escape restricted shells

• Escaping Restricted Linux Shells: Resource for penetration testers to assist them when confronted with a restricted shell.
• Restricted Linux Shell Escaping Techniques: The focus of this article is on discussing and summarizing different techniques to escape common Linux restricted shells and also simple recommendations for administrators to protect against it.
• Linux Restricted Shell Bypass
• Escaping from Restricted Shell and Gaining Root Access to SolarWinds Log & Event Manager (SIEM) Product
• Breaking out of rbash using scp

SUDO and SUID

• GTFOBins: GTFOBins is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions.
• Abusing SUDO: Some of the binary which helps you to escalate privilege using the sudo command.
• Sudo (LD_PRELOAD): Privilege Escalation from an LD_PRELOAD environment variable.
• How I got root with Sudo

Capabilities

• http://blog.sevagas.com/?POSIX-file-capabilities-the-dark-side
• http://blog.sevagas.com/IMG/pdf/exploiting_capabilities_the_dark_side.pdf
• https://www.insecure.ws/linux/getcap_setcap.html
• https://wiki.archlinux.org/index.php/Capabilities
• https://www.redpill-linpro.com/sysadvent/2016/12/06/spicing-up-your-access.html
• https://nxnjz.net/2018/08/an-interesting-privilege-escalation-vector-getcap/
• https://infamoussyn.wordpress.com/2014/07/11/gaining-a-root-shell-using-mysql-user-defined-functions-and-setuid-binaries/
• https://dl.packetstormsecurity.net/papers/attack/exploiting_capabilities_the_dark_side.pdf
• https://github.com/weaknetlabs/Penetration-Testing-Grimoire/blob/master/Privilege%20Escalation/linux.md
• https://vulp3cula.gitbook.io/hackers-grimoire/post-exploitation/privesc-linux

Tools

• https://github.com/rebootuser/LinEnum
• http://pentestmonkey.net/tools/audit/unix-privesc-check
• https://github.com/mzet-/linux-exploit-suggester
• https://github.com/InteliSecureLabs/Linux_Exploit_Suggester
• https://github.com/jondonas/linux-exploit-suggester-2
• https://github.com/sleventyeleven/linuxprivchecker
• https://github.com/belane/linux-soft-exploit-suggester
• https://github.com/pentestmonkey/exploit-suggester
• https://github.com/AlessandroZ/BeRoot
• https://github.com/spencerdodd/kernelpop
• https://github.com/ngalongc/AutoLocalPrivilegeEscalation
• https://github.com/linted/linuxprivchecker
• https://github.com/initstring/uptux
• https://github.com/Ignitetechnologies/Privilege-Escalation
• https://github.com/AusJock/Privilege-Escalation
• https://github.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack
• https://github.com/ngalongc/AutoLocalPrivilegeEscalation
• https://github.com/1N3/PrivEsc
• https://github.com/diego-treitos/linux-smart-enumeration
• https://github.com/pentestmonkey/unix-privesc-check
• https://github.com/SecWiki/linux-kernel-exploits

Find CVEs

• https://github.com/lwindolf/lpvs
• https://github.com/davbo/active-cve-check
• https://github.com/clearlinux/cve-check-tool
• https://www.2daygeek.com/arch-audit-a-tool-to-check-vulnerable-packages-in-arch-linux/

Chkrootkit

• https://lepetithacker.wordpress.com/2017/04/30/local-root-exploit-in-chkrootkit/

NFS

• https://www.hackingarticles.in/linux-privilege-escalation-using-misconfigured-nfs/
• https://www.computersecuritystudent.com/SECURITY_TOOLS/METASPLOITABLE/EXPLOIT/lesson4/index.html
• https://blog.hackersonlineclub.com/2018/07/beroot-post-exploitation-tool-to-check.html
• https://touhidshaikh.com/blog/?p=788

Presentations

• https://www.youtube.com/watch?v=oYHAi0cgur4
• https://www.irongeek.com/i.php?page=videos/bsidesaugusta2016/its-too-funky-in-here04-linux-privilege-escalation-for-fun-profit-and-all-around-mischief-jake-williams
• https://www.youtube.com/watch?v=yXe4X-AIbps

Windows

• https://www.fuzzysecurity.com/tutorials/16.html
• https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html
• https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
• https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md
• https://lolbas-project.github.io/
• https://guif.re/windowseop
• https://www.youtube.com/watch?v=DlJyKgfkoKQ
• https://pt.slideshare.net/jakx_/level-up-practical-windows-privilege-escalation
• https://github.com/chryzsh/awesome-windows-security
• https://vulp3cula.gitbook.io/hackers-grimoire/post-exploitation/privesc-windows
• https://www.exploit-db.com/docs/46131
• https://lolbas-project.github.io/#
• https://github.com/frizb/Windows-Privilege-Escalation

Hot Potato

• https://foxglovesecurity.com/2016/01/16/hot-potato/
• https://pentestlab.blog/2017/04/13/hot-potato/
• https://securityonline.info/hot-potato-windows-privilege-escalation-metasploit-powershellhot-potato-windows-privilege-escalation/

Unquoted services with spaces

• https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae
• https://pentestlab.blog/2017/03/09/unquoted-service-path/
• https://www.commonexploits.com/unquoted-service-paths/
• https://hausec.com/2018/10/05/windows-privilege-escalation-via-unquoted-service-paths/
• https://www.gracefulsecurity.com/privesc-unquoted-service-path/
• https://trustfoundry.net/practical-guide-to-exploiting-the-unquoted-service-path-vulnerability-in-windows/
• https://securityboulevard.com/2018/04/windows-privilege-escalation-unquoted-services/
• https://www.ethicalhacker.net/community/windows-privilege-escalation-unquoted-services/

Groups.xml

• https://tools.kali.org/password-attacks/gpp-decrypt
• https://adsecurity.org/?p=2288

Tools

• https://github.com/411Hall/JAWS
• https://github.com/rasta-mouse/Sherlock/
• https://github.com/PowerShellMafia/PowerSploit
• https://github.com/foxglovesec/Potato
• https://github.com/foxglovesec/RottenPotato
• https://github.com/Kevin-Robertson/Tater
• https://github.com/Arvanaghi/SessionGopher
• https://github.com/pentestmonkey/windows-privesc-check
• https://github.com/rootm0s/WinPwnage
• https://github.com/absolomb/WindowsEnum
• https://github.com/ohpe/juicy-potato

Presentations

• https://www.youtube.com/watch?v=bAnohAiAQ7U
• https://www.youtube.com/watch?v=G9yn3qNq7Vw
• https://www.youtube.com/watch?v=jfZ8FKTFNTE
• https://www.youtube.com/watch?v=RORaqh1DIco

Linux and Windows

• https://github.com/vitalysim/Awesome-Hacking-Resources#privilege-escalation

Docker

• https://gist.github.com/FrankSpierings/5c79523ba693aaa38bc963083f48456c
• https://threatpost.com/hack-allows-escape-of-play-with-docker-containers/140831/
• https://www.twistlock.com/labs-blog/escaping-docker-container-using-waitid-cve-2017-5123/
• https://pt.slideshare.net/BorgHan/hacking-docker-the-easy-way
• https://blog.secureideas.com/2018/05/escaping-the-whale-things-you-probably-shouldnt-do-with-docker-part-1.html

Docker socks

• https://www.lvh.io/posts/dont-expose-the-docker-socket-not-even-to-a-container.html
• https://gist.github.com/FrankSpierings/5c79523ba693aaa38bc963083f48456c
• https://www.bleepingcomputer.com/news/security/escaping-containers-to-execute-commands-on-play-with-docker-servers/
• https://blog.paranoidsoftware.com/dirty-cow-cve-2016-5195-docker-container-escape/

AWS

• https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation