commit
18a1fc4f20
|
@ -0,0 +1,47 @@
|
|||
id: privesc-aa-exec
|
||||
|
||||
info:
|
||||
name: aa-exec - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
aa-exec is used to launch a program confined by the specified profile and or namespace.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/aa-exec/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,aa-exec,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
aa-exec whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo aa-exec whoami
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-ash
|
||||
|
||||
info:
|
||||
name: Ash - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
Ash allows the value of a variable to be set at the same time it is marked read only by writing readonly name=value With no arguments
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/ash/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,ash,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
ash -c 'whoami'
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo ash -c 'whoami'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-awk
|
||||
|
||||
info:
|
||||
name: awk - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
AWK is a domain-specific language designed for text processing and typically used as a data extraction and reporting tool. Like sed and grep, it is a filter, and is a standard feature of most Unix-like operating systems.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/awk/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,awk,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
awk 'BEGIN {system("whoami")}'
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo awk 'BEGIN {system("whoami")}'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-bash
|
||||
|
||||
info:
|
||||
name: Bash - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
Bash is a Unix shell and command language written by Brian Fox for the GNU Project as a free software replacement for the Bourne shell. The shell's name is an acronym for Bourne Again Shell, a pun on the name of the Bourne shell that it replaces and the notion of being born again.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/bash/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,bash,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
bash -c 'whoami'
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo bash -c 'whoami'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-cdist
|
||||
|
||||
info:
|
||||
name: Cdist - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
cdist is a free software configuration management tool for Unix-like systems. It manages nodes over SSH using the Bourne Shell, and does not require any additional software to be installed on target nodes.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/cdist/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,cdist,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
cdist shell -s whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo cdist shell -s whoami
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-choom
|
||||
|
||||
info:
|
||||
name: choom - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
choom is a command-line utility in Linux that allows users to change the memory limits of a process. It can be used for privilege escalation by manipulating the memory limits of a process to gain elevated privileges.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/choom/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,choom,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
choom -n 0 whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo choom -n 0 whoami
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-cpulimit
|
||||
|
||||
info:
|
||||
name: CPUlimit - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
cpulimit is a command-line utility in Linux that allows users to limit the CPU usage of a process. It can be used to control and limit the CPU usage of a specific process, which can be helpful in various scenarios such as preventing a process from consuming excessive CPU resources.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/cpulimit/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,cpulimit,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
cpulimit -l 100 -f whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo cpulimit -l 100 -f whoami
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-csh
|
||||
|
||||
info:
|
||||
name: csh - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
csh stands for C Shell, which is a Unix shell with C-like syntax. It is a command-line interpreter that provides a command-line interface for Unix-like operating systems. It has features similar to other Unix shells such as bash and sh, but with a different syntax and set of features.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/csh/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,csh,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
csh -c 'whoami'
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo csh -c 'whoami'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-csvtool
|
||||
|
||||
info:
|
||||
name: csvtool - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
csvtool is a command-line utility in Unix-like operating systems that provides various tools for working with CSV (Comma-Separated Values) files. It can be used to manipulate, process, and analyze CSV data from the command line, making it a useful tool for tasks such as data extraction, transformation, and loading.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/csvtool/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,csvtool,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
csvtool call 'whoami;false' /etc/passwd
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo csvtool call 'whoami;false' /etc/passwd
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-dash
|
||||
|
||||
info:
|
||||
name: Dash - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
dash is a POSIX-compliant shell that is commonly used as the default system shell on Debian-based systems. It is designed to be a lightweight and fast shell, suitable for scripting and system administration tasks. It aims to be compatible with the POSIX standard for shells, providing a minimalistic and efficient environment for running shell scripts.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/dash/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,dash,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
dash -c 'whoami'
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo dash -c 'whoami'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-dc
|
||||
|
||||
info:
|
||||
name: dc - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
dc is a command-line calculator in Unix and Unix-like operating systems. It uses reverse Polish notation (RPN) and provides a simple and efficient way to perform arithmetic operations from the command line. It can be used for basic and advanced mathematical calculations, making it a handy tool for scripting and quick calculations in the terminal.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/dc/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,dc,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
dc -e '!whoami'
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo dc -e '!whoami'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-distcc
|
||||
|
||||
info:
|
||||
name: distcc - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
distcc is a distributed compilation tool for C, C++, and Objective-C. It allows a user to distribute compilation of these languages across several machines on a network, which can significantly speed up the compilation process for large projects.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/distcc/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,distcc,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
distcc whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo distcc whoami
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-elvish
|
||||
|
||||
info:
|
||||
name: elvish - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
elvish is a Unix shell that emphasizes expressiveness and extensibility. It aims to provide a more user-friendly and programmable shell experience, with features such as a powerful scripting language, a rich set of data types, and a clean and consistent syntax.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/elvish/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,elvish,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
elvish -c 'whoami'
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo elvish -c 'whoami'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-enscript
|
||||
|
||||
info:
|
||||
name: enscript - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
enscript is a command-line tool used for converting text files to PostScript format for printing. It provides various options for formatting and manipulating the output, making it a useful tool for generating high-quality printed documents from text files.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/enscript/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,enscript,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
enscript /dev/null -qo /dev/null -I 'whoami >&2'
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo enscript /dev/null -qo /dev/null -I 'whoami >&2'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-env
|
||||
|
||||
info:
|
||||
name: env - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
In Linux, the env command is used to display or modify the environment variables for a command. It can be used to set environment variables for a specific command or to print the current environment variables.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/env/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,env,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
expect -c 'spawn whoami;interact'
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo expect -c 'spawn whoami;interact'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-expect
|
||||
|
||||
info:
|
||||
name: expect - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
expect is a Unix scripting and testing utility that automates interactive applications such as telnet, ftp, passwd, fsck, rlogin, tip, and more. It uses scripts to control interactive applications, making it useful for automating tasks that involve user input.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/expect/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,expect,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
expect -c 'spawn whoami;interact'
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo expect -c 'spawn whoami;interact'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-find
|
||||
|
||||
info:
|
||||
name: find - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
The find command in Linux is used to search for files and directories in a directory hierarchy based on various criteria such as name, type, size, and permissions. It is a powerful tool for locating files and performing operations on them, such as executing commands or applying changes.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/find/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,find,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
find . -exec whoami \; -quit
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo find . -exec whoami \; -quit
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-fish
|
||||
|
||||
info:
|
||||
name: fish - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
fish is a user-friendly command-line shell for Unix-like operating systems. It provides features such as syntax highlighting, autosuggestions, and a built-in scripting language. Fish aims to be easy to use and learn, making it a popular choice for both interactive shell usage and scripting.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/fish/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,fish,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
fish -c 'whoami'
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo fish -c 'whoami'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-flock
|
||||
|
||||
info:
|
||||
name: Flock - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
flock is a command-line utility in Unix-like operating systems that is used to manage file locks. It can be used to synchronize access to a file among multiple processes, preventing conflicts and ensuring data integrity. Additionally, flock can be used in shell scripts to control access to critical sections of code.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/flock/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,flock,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
flock -u / whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo flock -u / whoami
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-gawk
|
||||
|
||||
info:
|
||||
name: gawk - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
gawk is the GNU implementation of the AWK programming language. It is a powerful text processing tool that allows for pattern scanning and processing of text files. gawk is commonly used for data extraction, reporting, and manipulation tasks in shell scripts and command-line environments.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/gawk/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,gawk,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
gawk 'BEGIN {system("whoami")}'
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo gawk 'BEGIN {system("whoami")}'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-grc
|
||||
|
||||
info:
|
||||
name: grc - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
grc is a command-line utility that enhances the output of other commands with color and style. It is commonly used to improve the readability of command output by adding color highlighting and formatting. grc can be configured to work with various commands and is often used to make log files and command output easier to interpret.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/grc/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,grc,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
grc --pty whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo grc --pty whoami
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-ionice
|
||||
|
||||
info:
|
||||
name: ionice - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
ionice is a command-line utility in Linux that is used to set or get the I/O scheduling class and priority for a program. It allows users to control the I/O priority of a process, which can be useful for managing system resources and improving overall system performance.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/ionice/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,ionice,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
ionice whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo ionice whoami
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-julia
|
||||
|
||||
info:
|
||||
name: Julia - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
Julia is a high-level, high-performance programming language for technical computing. It is designed for numerical and scientific computing, but it is also used for general-purpose programming. Julia is known for its speed and ease of use, and it has a growing community of users and developers.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/julia/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,julia,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
julia -e 'run(`whoami`)'
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo julia -e 'run(`whoami`)'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-lftp
|
||||
|
||||
info:
|
||||
name: lftp - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
lftp is a command-line file transfer program for Unix-like systems. It supports various protocols such as FTP, HTTP, SFTP, and FISH, and provides a range of features for file transfer and mirroring. lftp is known for its reliability and scriptability, making it a popular choice for automated file transfer tasks.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/lftp/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,lftp,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
lftp -c '!whoami'
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo lftp -c '!whoami'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-ltrace
|
||||
|
||||
info:
|
||||
name: ltrace - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
ltrace is a debugging utility in Linux that is used to intercept and record dynamic library calls made by a process. It can be used to trace the library calls made by a program, which is helpful for debugging and understanding its behavior.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/ltrace/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,ltrace,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
ltrace -b -L whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo ltrace -b -L whoami
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-lua
|
||||
|
||||
info:
|
||||
name: lua - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
Lua is a powerful, efficient, lightweight, embeddable scripting language. It is often used as a scripting language for game development and other applications that require a customizable and extensible scripting interface. Lua is known for its simplicity, speed, and ease of integration with other languages and systems.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/lua/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,lua,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
lua -e 'os.execute("whoami")'
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo lua -e 'os.execute("whoami")'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-mawk
|
||||
|
||||
info:
|
||||
name: mawk - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
mawk is an efficient and fast implementation of the AWK programming language. It is designed to be smaller and faster than the original AWK implementation, making it suitable for large data processing tasks. mawk is commonly used for text processing and pattern scanning in shell scripts and command-line environments.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/mawk/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,mawk,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
mawk 'BEGIN {system("whoami")}'
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo mawk 'BEGIN {system("whoami")}'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-multitime
|
||||
|
||||
info:
|
||||
name: Multitime - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
multitime is a command-line utility that allows for the timing and execution of commands multiple times. It is often used for benchmarking and performance testing of commands and scripts, providing a convenient way to measure the execution time of a given task.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/multitime/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,multitime,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
multitime whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo multitime whoami
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-mysql
|
||||
|
||||
info:
|
||||
name: MySQL - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
MySQL is an open-source relational database management system (RDBMS) that uses structured query language (SQL) for managing and manipulating data. It is widely used for web applications and is known for its reliability, ease of use, and performance. MySQL is a popular choice for database-driven applications and is supported on various platforms.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/mysql/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,mysql,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
mysql -e '\! whoami'
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo mysql -e '\! whoami'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-nawk
|
||||
|
||||
info:
|
||||
name: nawk - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
nawk is an implementation of the AWK programming language. It is a text-processing language that is commonly used for pattern scanning and processing of text files. nawk provides powerful features for data extraction, reporting, and manipulation, making it a valuable tool for text processing tasks in shell scripts and command-line environments.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/nawk/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,nawk,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
nawk 'BEGIN {system("whoami")}'
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo nawk 'BEGIN {system("whoami")}'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-nice
|
||||
|
||||
info:
|
||||
name: Nice - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
In Unix-like operating systems, the nice command is used to execute a program with a modified scheduling priority. It allows users to start a process with a specified priority level, which can influence the allocation of CPU resources. This can be useful for managing system resources and controlling the impact of a process on system performance.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/nice/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,nice,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
nice whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo nice whoami
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,54 @@
|
|||
id: privesc-node
|
||||
|
||||
info:
|
||||
name: Node - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
Node.js is a popular open-source, cross-platform JavaScript runtime environment that executes JavaScript code outside of a web browser. It is commonly used for building scalable network applications and is known for its event-driven, non-blocking I/O model. Node.js is widely used for server-side scripting and has a large ecosystem of libraries and frameworks.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/node/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,node,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
node -e 'require("child_process").spawn("whoami", {stdio: [0, 1, 2]})'
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo node -e 'require("child_process").spawn("whoami", {stdio: [0, 1, 2]})'
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
node -e 'process.setuid(0); require("child_process").spawn("whoami", {stdio: [0, 1, 2]})'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
- 'contains(code_4_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-nsenter
|
||||
|
||||
info:
|
||||
name: Nsenter - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
nsenter is a command-line utility in Linux that allows a user to enter into an existing namespace. It is commonly used for troubleshooting and managing namespaces in containerized environments. By using nsenter, users can enter into a specific namespace and execute commands within that namespace, which can be helpful for various system administration tasks.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/nsenter/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,nsenter,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
nsenter whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo nsenter whoami
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,54 @@
|
|||
id: privesc-perl
|
||||
|
||||
info:
|
||||
name: Perl - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
Perl is a high-level, general-purpose programming language known for its powerful text processing capabilities. It is often used for system administration, web development, and network programming. Perl's syntax and features make it well-suited for tasks such as parsing and manipulating text, making it a popular choice for various scripting and automation tasks.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/perl/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,perl,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
perl -e 'exec "whoami";'
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo perl -e 'exec "whoami";'
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "whoami";'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
- 'contains(code_4_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-pexec
|
||||
|
||||
info:
|
||||
name: pexec - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
The term "pexec" typically refers to the "privileged execution" of a command or program.
|
||||
reference: |
|
||||
https://gtfobins.github.io/gtfobins/pexec/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,pexec,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
pexec whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo pexec whoami
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,54 @@
|
|||
id: privesc-php
|
||||
|
||||
info:
|
||||
name: PHP - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
PHP is a popular server-side scripting language that is widely used for web development. It is known for its ease of use, flexibility, and broad support for web frameworks and content management systems. PHP is commonly used to create dynamic web pages, process form data, manage sessions, and interact with databases.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/php/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,php,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
php -r 'system("whoami");'
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo php -r 'system("whoami");'
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
php -r "posix_setuid(0); system("whoami");"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
- 'contains(code_4_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-posh
|
||||
|
||||
info:
|
||||
name: posh - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
"posh" typically refers to the "Policy-compliant Ordinary SHell," which is a restricted shell designed to provide a limited set of commands and features for users with restricted access. It is often used in environments where users require limited functionality and access to system resources.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/posh/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,posh,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
posh -c 'whoami'
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo posh -c 'whoami'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,54 @@
|
|||
id: privesc-python
|
||||
|
||||
info:
|
||||
name: PHP - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
Python is a high-level, general-purpose programming language known for its readability and simplicity. It is widely used for web development, scientific computing, artificial intelligence, and system automation. Python's versatility, extensive standard library, and large community make it a popular choice for a wide range of applications.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/python/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,php,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
python -c 'import os; os.system("whoami")'
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo python -c 'import os; os.system("whoami")'
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
python -c 'import os; os.setuid(0); os.system("whoami")'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
- 'contains(code_4_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-rake
|
||||
|
||||
info:
|
||||
name: Rake - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
Rake is a build automation tool written in Ruby. It is similar to Make, Ant, or MSBuild, but uses a Ruby syntax. Rake is often used for automating tasks in software development, such as building, testing, and deploying applications.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/rake/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,rake,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
rake -p '`whoami 1>&0`'
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo rake -p '`whoami 1>&0`'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-rc
|
||||
|
||||
info:
|
||||
name: RC - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
the rc command is a shell command interpreter that is used to execute commands and scripts. It is commonly used for scripting and automation tasks, and it provides a set of built-in commands and features for interacting with the system.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/rc/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,rc,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
rc -c 'whoami'
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo rc -c 'whoami'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-rlwrap
|
||||
|
||||
info:
|
||||
name: rlwrap - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
rlwrap is a utility that provides readline functionality to commands that lack it, allowing for command-line editing and history capabilities. It is commonly used to enhance the user experience when working with command-line tools that do not have built-in readline support.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/rlwrap/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,rlwrap,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
rlwrap whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo rlwrap whoami
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-rpm
|
||||
|
||||
info:
|
||||
name: rpm - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
rpm stands for "Red Hat Package Manager." It is a command-line package management utility used in Red Hat-based Linux distributions to install, update, and manage software packages. rpm is also used to query package information, verify package integrity, and perform various administrative tasks related to software packages.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/rpm/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,rpm,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
rpm --pipe 'whoami 0<&1'
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo rpm --pipe 'whoami 0<&1'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-rpmdb
|
||||
|
||||
info:
|
||||
name: rpmdb - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
The rpmdb is the database used by the RPM Package Manager to store metadata about installed packages on a Linux system. It is used to track information about installed packages, including their files, dependencies, and other attributes. The rpmdb is a critical component of package management on RPM-based Linux distributions.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/rpmdb/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,rpmdb,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
rpmdb --eval '%(whoami 1>&2)'
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo rpmdb --eval '%(whoami 1>&2)'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-rpmverify
|
||||
|
||||
info:
|
||||
name: rpmverify - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
The rpmverify command is used to verify the integrity and authenticity of installed RPM packages on a Linux system. It checks the files in the installed packages against the information stored in the RPM database to detect any modifications or discrepancies. This helps ensure the security and stability of the system by identifying any unauthorized changes to the installed packages.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/rpmverify/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,rpmverify,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
rpmverify --eval '%(whoami 1>&2)'
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo rpmverify --eval '%(whoami 1>&2)'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,54 @@
|
|||
id: privesc-ruby
|
||||
|
||||
info:
|
||||
name: Ruby - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
Ruby is a dynamic, open-source programming language known for its simplicity and productivity. It is often used for web development, scripting, and software development. Ruby's elegant syntax and focus on developer happiness have made it a popular choice for building web applications and other software projects.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/ruby/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,ruby,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
ruby -e 'exec "whoami"'
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo ruby -e 'exec "whoami"'
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
ruby -e 'Process::Sys.setuid(0); exec "whoami"'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
- 'contains(code_4_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,46 @@
|
|||
id: privesc-run-parts
|
||||
|
||||
info:
|
||||
name: run-parts - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
The run-parts command in Linux is used to run all the executable files in a directory. It is commonly used for running scripts or commands located in a specific directory, such as system maintenance scripts in /etc/cron.daily. The run-parts command provides a convenient way to execute multiple scripts or commands in a batch manner.
|
||||
reference: https://gtfobins.github.io/gtfobins/run-parts/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,run-parts,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
run-parts --new-session --regex 'whoami' /bin
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo run-parts --new-session --regex 'whoami' /bin
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-sash
|
||||
|
||||
info:
|
||||
name: sash - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
sash is a stand-alone shell that is commonly used for system recovery and maintenance. It provides a minimal set of commands and features, making it useful in situations where the regular shell environment may not be available or functional. sash is often used in emergency situations to troubleshoot and repair systems.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/sash/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,sash,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sash -c 'whoami'
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo sash -c 'whoami'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-slsh
|
||||
|
||||
info:
|
||||
name: slsh - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
slsh is a command-line shell that is designed to provide a secure environment for executing shell commands. It is often used in scenarios where security and privilege separation are important, such as in web hosting environments or when running untrusted code. slsh aims to provide a secure and restricted shell environment for executing commands.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/slsh/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,slsh,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
slsh -e 'system("whoami")'
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo slsh -e 'system("whoami")'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-socat
|
||||
|
||||
info:
|
||||
name: Socat - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
Socat is a command-line utility that establishes two bidirectional byte streams and transfers data between them. It can be used for a wide range of networking tasks, such as file transfer, port forwarding, and network testing. Socat is known for its versatility and is often used for creating complex network connections and proxies.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/socat/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,socat,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
socat stdin exec:whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo socat stdin exec:whoami
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-softlimit
|
||||
|
||||
info:
|
||||
name: softlimit - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
The softlimit command is used in conjunction with the daemontools software to set resource limits for a process. It is commonly used to control the resource usage of a process, such as limiting its memory or CPU usage. The softlimit command helps in managing and controlling the resource consumption of a process, which can be useful for ensuring system stability and preventing resource exhaustion.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/softlimit/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,softlimit,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
softlimit whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo softlimit whoami
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-sqlite3
|
||||
|
||||
info:
|
||||
name: sqlite3 - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
sqlite3 is a lightweight, self-contained, and serverless SQL database engine. It is widely used in embedded systems, mobile devices, and small to medium-sized applications.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/sqlite3/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,sqlite3,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sqlite3 /dev/null '.shell whoami'
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo sqlite3 /dev/null '.shell whoami'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-ssh-agent
|
||||
|
||||
info:
|
||||
name: ssh-agent - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
ssh-agent is a program that helps manage and store private keys used for SSH authentication. It is often used to hold the decrypted private keys in memory, allowing for seamless authentication to remote servers without the need to re-enter passphrases for the keys.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/ssh-agent/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,ssh-agent,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
ssh-agent whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo ssh-agent whoami
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-sshpass
|
||||
|
||||
info:
|
||||
name: sshpass - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
sshpass is a command-line tool that provides a way to automatically input SSH passwords for password authentication. It is commonly used in scripts and automated processes where interactive password entry is not feasible.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/sshpass/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,sshpass,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sshpass whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo sshpass whoami
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-stdbuf
|
||||
|
||||
info:
|
||||
name: stdbuf - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
The stdbuf command is used to modify the buffering operations of another command. It can be used to adjust the input/output buffering of a command, which can be useful for controlling the flow of data and improving the performance of certain operations.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/stdbuf/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,stdbuf,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
stdbuf -i0 whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo stdbuf -i0 whoami
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-strace
|
||||
|
||||
info:
|
||||
name: strace - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
strace is a diagnostic, debugging, and instructional utility for Linux. It is used to monitor the system calls and signals that a program receives, allowing users to trace and analyze its interactions with the kernel.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/strace/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,strace,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
strace -o /dev/null whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo strace -o /dev/null whoami
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-tar
|
||||
|
||||
info:
|
||||
name: tar - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
tar is a command-line utility used to create and manipulate archive files. It is commonly used for bundling multiple files and directories into a single archive, often used in conjunction with compression tools like gzip or bzip2.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/tar/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,tar,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=whoami
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-tcsh
|
||||
|
||||
info:
|
||||
name: tcsh - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
tcsh is a Unix shell based on and compatible with the C shell (csh). It provides a command-line interface for interacting with the operating system and executing commands.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/tcsh/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,tcsh,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
tcsh -c 'whoami'
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo tcsh -c 'whoami'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-time
|
||||
|
||||
info:
|
||||
name: Time - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
The time command is used to determine the amount of time taken by a command to execute.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/time/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,time,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
time whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo time whoami
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-timeout
|
||||
|
||||
info:
|
||||
name: Timeout - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
The timeout command is used to run a command with a specified time limit. It is commonly used to prevent a command from running indefinitely and to enforce a time restriction on its execution.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/timeout/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,timeout,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
timeout 7d whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo timeout 7d whoami
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-tmate
|
||||
|
||||
info:
|
||||
name: tmate - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
tmate is a terminal multiplexer that allows multiple users to access and collaborate in the same terminal session.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/tmate/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,tmate,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
tmate -c whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo tmate -c whoami
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-torify
|
||||
|
||||
info:
|
||||
name: Torify - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
torify is a command-line utility that is used to transparently route network traffic through the Tor network. It is commonly used to anonymize the network connections of other command-line programs, allowing them to communicate over the Tor network for enhanced privacy and security.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/torify/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,torify,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
torify whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo torify whoami
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-torsocks
|
||||
|
||||
info:
|
||||
name: Torsocks - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
torsocks is a wrapper that enables the use of the Tor network for any program, including those that do not natively support proxy settings. It intercepts and redirects network calls from the target program through the Tor network, providing a way to anonymize the network traffic of various applications.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/torsocks/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,torsocks,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
torsocks whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo torsocks whoami
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-unshare
|
||||
|
||||
info:
|
||||
name: Unshare - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
The unshare command is used to run a command in a new namespace, which can isolate various aspects of the system, such as the mount namespace, network namespace, user namespace, and more.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/unshare/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,unshare,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
unshare whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo unshare whoami
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-vi
|
||||
|
||||
info:
|
||||
name: Vi - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
vi is a classic text editor in Unix and Unix-like operating systems. It is known for its modal editing capabilities and is often used for editing configuration files, scripts, and other text-based content in a terminal environment.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/vi/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,vi,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
vi -c '!whoami'
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo vi -c '!whoami'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-view
|
||||
|
||||
info:
|
||||
name: View - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
view is a command that is often associated with the vi text editor. When invoked as "view," vi starts in read-only mode, allowing users to view files without the ability to modify them.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/view/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,view,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
view -c ':!whoami'
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo view -c ':!whoami'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-vim
|
||||
|
||||
info:
|
||||
name: Vim - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
Vim is a highly configurable, modal text editor based on the vi editor.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/vim/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,vim,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
vim -c '!whoami'
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo vim -c '!whoami'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-xargs
|
||||
|
||||
info:
|
||||
name: Xargs - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
xargs is a command in Unix and Unix-like operating systems used to build and execute command lines from standard input.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/xargs/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,xargs,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
xargs -a /dev/null whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo xargs -a /dev/null whoami
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-xdg-user-dir
|
||||
|
||||
info:
|
||||
name: xdg-user-dir - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
The xdg-user-dir command is used to retrieve the path of a user's special directories, such as the user's home directory, desktop directory, download directory, and others, based on the XDG Base Directory Specification.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/xdg-user-dir/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,xdg-user-dir,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
xdg-user-dir '}; whoami #'
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo xdg-user-dir '}; whoami #'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-yash
|
||||
|
||||
info:
|
||||
name: Yash - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
yash is a POSIX-compliant command shell that aims to be a lightweight and efficient alternative to other shells such as Bash or Zsh.
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/yash/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,yash,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
yash -c 'whoami'
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo yash -c 'whoami'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,47 @@
|
|||
id: privesc-zsh
|
||||
|
||||
info:
|
||||
name: Zsh - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: |
|
||||
zsh is a powerful and feature-rich shell for Unix-like operating systems. It offers advanced interactive features, extensive customization options, and robust scripting capabilities
|
||||
reference:
|
||||
- https://gtfobins.github.io/gtfobins/zsh/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,zsh,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
zsh -c 'whoami'
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo zsh -c 'whoami'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(code_2_response, "root")'
|
||||
- 'contains(code_3_response, "root")'
|
||||
condition: or
|
|
@ -0,0 +1,43 @@
|
|||
id: rw-shadow
|
||||
|
||||
info:
|
||||
name: /etc/shadow writable or readabel - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
reference:
|
||||
- https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-etc-shadow
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
[ -r "/etc/shadow" ] || [ -w "/etc/shadow" ] && echo "Either readable or writable" || echo "Not readable and not writable"
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: word
|
||||
part: code_2_response
|
||||
words:
|
||||
- "Either readable or writable"
|
||||
|
||||
- type: word
|
||||
part: code_2_response
|
||||
words:
|
||||
- "Not readable and not writable"
|
||||
negative: true
|
|
@ -0,0 +1,43 @@
|
|||
id: rw-sudoers
|
||||
|
||||
info:
|
||||
name: /etc/sudoers writable or readable - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
reference:
|
||||
- https://book.hacktricks.xyz/linux-hardening/privilege-escalation#etc-sudoers-etc-sudoers.d
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
whoami
|
||||
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
[ -r "/etc/sudoers" ] || [ -w "/etc/sudoers" ] && echo "Either readable or writable" || echo "Not readable and not writable"
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "root"
|
||||
negative: true
|
||||
|
||||
- type: word
|
||||
part: code_2_response
|
||||
words:
|
||||
- "Either readable or writable"
|
||||
|
||||
- type: word
|
||||
part: code_2_response
|
||||
words:
|
||||
- "Not readable and not writable"
|
||||
negative: true
|
|
@ -0,0 +1,26 @@
|
|||
id: sudo-nopasswd
|
||||
|
||||
info:
|
||||
name: Sudo NOPASSWD - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: Sudo configuration might allow a user to execute some command with another user's privileges without knowing the password.
|
||||
reference:
|
||||
- https://book.hacktricks.xyz/linux-hardening/privilege-escalation#nopasswd
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,sudo,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
sudo -l
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "(root) NOPASSWD:"
|
|
@ -0,0 +1,31 @@
|
|||
id: writable-etc-passwd
|
||||
|
||||
info:
|
||||
name: /etc/passwd writable - Privilege Escalation
|
||||
author: daffainfo
|
||||
severity: high
|
||||
reference:
|
||||
- https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-etc-passwd
|
||||
metadata:
|
||||
verified: true
|
||||
tags: code,linux,privesc
|
||||
|
||||
self-contained: true
|
||||
code:
|
||||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: |
|
||||
[ -w "/etc/passwd" ] && echo "Writable" || echo "Not writable"
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "Writable"
|
||||
|
||||
- type: word
|
||||
part: code_1_response
|
||||
words:
|
||||
- "Not writable"
|
||||
negative: true
|
Loading…
Reference in New Issue