daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

minor -update

patch-1
pussycat0x 2024-01-22 18:59:57 +05:30
parent 4989a2d085
commit 3c325aab11
124 changed files with 2820 additions and 2611 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
code/privilege-escalation/linux/binary/privilege-escalation-aa-exec.yaml → code/privilege-escalation/linux/binary/privesc-aa-exec.yaml
View File

@ -1,10 +1,13 @@
id: privilege-escalation-aa-exec
id: privesc-aa-exec
info:
name: aa-exec - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/aa-exec/
description: |
aa-exec is used to launch a program confined by the specified profile and or namespace.
reference:
- https://gtfobins.github.io/gtfobins/aa-exec/
metadata:
verified: true
tags: code,linux,aa-exec,privesc
@ -15,29 +18,29 @@ code:
- sh
- bash
source: |
whoami
whoami
#SUID
- engine:
- sh
- bash
source: |
aa-exec whoami
aa-exec whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo aa-exec whoami
sudo aa-exec whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:

17
code/privilege-escalation/linux/binary/privilege-escalation-awk.yaml → code/privilege-escalation/linux/binary/privesc-awk.yaml
View File

@ -1,10 +1,13 @@
id: privilege-escalation-awk
id: privesc-awk
info:
name: awk - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/awk/
description: |
AWK is a domain-specific language designed for text processing and typically used as a data extraction and reporting tool. Like sed and grep, it is a filter, and is a standard feature of most Unix-like operating systems.
reference:
- https://gtfobins.github.io/gtfobins/awk/
metadata:
verified: true
tags: code,linux,awk,privesc
@ -33,11 +36,11 @@ code:
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:

49
code/privilege-escalation/linux/binary/privesc-bash.yaml Normal file
View File

@ -0,0 +1,49 @@
id: privesc-bash
info:
name: Bash - Privilege Escalation
author: daffainfo
severity: high
description: |
Bash is a Unix shell and command language written by Brian Fox for the GNU Project as a free software replacement for the Bourne shell. The shell's name is an acronym for Bourne Again Shell, a pun on the name of the Bourne shell that it replaces and the notion of being born again.
reference:
- https://gtfobins.github.io/gtfobins/bash/
metadata:
verified: true
tags: code,linux,bash,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
bash -c 'whoami'
#SUDO
- engine:
- sh
- bash
source: |
sudo bash -c 'whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

23
code/privilege-escalation/linux/binary/privilege-escalation-cdist.yaml → code/privilege-escalation/linux/binary/privesc-cdist.yaml
View File

@ -1,10 +1,13 @@
id: privilege-escalation-cdist
id: privesc-cdist
info:
name: Cdist - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/cdist/
description: |
cdist is a free software configuration management tool for Unix-like systems. It manages nodes over SSH using the Bourne Shell, and does not require any additional software to be installed on target nodes.
reference:
- https://gtfobins.github.io/gtfobins/cdist/
metadata:
verified: true
tags: code,linux,cdist,privesc
@ -15,29 +18,29 @@ code:
- sh
- bash
source: |
whoami
whoami
#SUID
- engine:
- sh
- bash
source: |
cdist shell -s whoami
cdist shell -s whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo cdist shell -s whoami
sudo cdist shell -s whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:

23
code/privilege-escalation/linux/binary/privilege-escalation-choom.yaml → code/privilege-escalation/linux/binary/privesc-choom.yaml
View File

@ -1,10 +1,13 @@
id: privilege-escalation-choom
id: privesc-choom
info:
name: choom - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/choom/
description: |
choom is a command-line utility in Linux that allows users to change the memory limits of a process. It can be used for privilege escalation by manipulating the memory limits of a process to gain elevated privileges.
reference:
- https://gtfobins.github.io/gtfobins/choom/
metadata:
verified: true
tags: code,linux,choom,privesc
@ -15,29 +18,29 @@ code:
- sh
- bash
source: |
whoami
whoami
#SUID
- engine:
- sh
- bash
source: |
choom -n 0 whoami
choom -n 0 whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo choom -n 0 whoami
sudo choom -n 0 whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:

49
code/privilege-escalation/linux/binary/privesc-cpulimit.yaml Normal file
View File

@ -0,0 +1,49 @@
id: privesc-cpulimit
info:
name: CPUlimit - Privilege Escalation
author: daffainfo
severity: high
description: |
cpulimit is a command-line utility in Linux that allows users to limit the CPU usage of a process. It can be used to control and limit the CPU usage of a specific process, which can be helpful in various scenarios such as preventing a process from consuming excessive CPU resources.
reference:
- https://gtfobins.github.io/gtfobins/cpulimit/
metadata:
verified: true
tags: code,linux,cpulimit,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
cpulimit -l 100 -f whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo cpulimit -l 100 -f whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

49
code/privilege-escalation/linux/binary/privesc-csh.yaml Normal file
View File

@ -0,0 +1,49 @@
id: privesc-csh
info:
name: csh - Privilege Escalation
author: daffainfo
severity: high
description: |
csh stands for C Shell, which is a Unix shell with C-like syntax. It is a command-line interpreter that provides a command-line interface for Unix-like operating systems. It has features similar to other Unix shells such as bash and sh, but with a different syntax and set of features.
reference:
- https://gtfobins.github.io/gtfobins/csh/
metadata:
verified: true
tags: code,linux,csh,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
csh -c 'whoami'
#SUDO
- engine:
- sh
- bash
source: |
sudo csh -c 'whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

49
code/privilege-escalation/linux/binary/privesc-csvtool.yaml Normal file
View File

@ -0,0 +1,49 @@
id: privesc-csvtool
info:
name: csvtool - Privilege Escalation
author: daffainfo
severity: high
description: |
csvtool is a command-line utility in Unix-like operating systems that provides various tools for working with CSV (Comma-Separated Values) files. It can be used to manipulate, process, and analyze CSV data from the command line, making it a useful tool for tasks such as data extraction, transformation, and loading.
reference:
- https://gtfobins.github.io/gtfobins/csvtool/
metadata:
verified: true
tags: code,linux,csvtool,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
csvtool call 'whoami;false' /etc/passwd
#SUDO
- engine:
- sh
- bash
source: |
sudo csvtool call 'whoami;false' /etc/passwd
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

49
code/privilege-escalation/linux/binary/privesc-dash.yaml Normal file
View File

@ -0,0 +1,49 @@
id: privesc-dash
info:
name: Dash - Privilege Escalation
author: daffainfo
severity: high
description: |
dash is a POSIX-compliant shell that is commonly used as the default system shell on Debian-based systems. It is designed to be a lightweight and fast shell, suitable for scripting and system administration tasks. It aims to be compatible with the POSIX standard for shells, providing a minimalistic and efficient environment for running shell scripts.
reference:
- https://gtfobins.github.io/gtfobins/dash/
metadata:
verified: true
tags: code,linux,dash,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
dash -c 'whoami'
#SUDO
- engine:
- sh
- bash
source: |
sudo dash -c 'whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

49
code/privilege-escalation/linux/binary/privesc-dc.yaml Normal file
View File

@ -0,0 +1,49 @@
id: privesc-dc
info:
name: dc - Privilege Escalation
author: daffainfo
severity: high
description: |
dc is a command-line calculator in Unix and Unix-like operating systems. It uses reverse Polish notation (RPN) and provides a simple and efficient way to perform arithmetic operations from the command line. It can be used for basic and advanced mathematical calculations, making it a handy tool for scripting and quick calculations in the terminal.
reference:
- https://gtfobins.github.io/gtfobins/dc/
metadata:
verified: true
tags: code,linux,dc,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
dc -e '!whoami'
#SUDO
- engine:
- sh
- bash
source: |
sudo dc -e '!whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

49
code/privilege-escalation/linux/binary/privesc-distcc.yaml Normal file
View File

@ -0,0 +1,49 @@
id: privesc-distcc
info:
name: distcc - Privilege Escalation
author: daffainfo
severity: high
description: |
distcc is a distributed compilation tool for C, C++, and Objective-C. It allows a user to distribute compilation of these languages across several machines on a network, which can significantly speed up the compilation process for large projects.
reference:
- https://gtfobins.github.io/gtfobins/distcc/
metadata:
verified: true
tags: code,linux,distcc,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
distcc whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo distcc whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

49
code/privilege-escalation/linux/binary/privesc-elvish.yaml Normal file
View File

@ -0,0 +1,49 @@
id: privesc-elvish
info:
name: elvish - Privilege Escalation
author: daffainfo
severity: high
description: |
elvish is a Unix shell that emphasizes expressiveness and extensibility. It aims to provide a more user-friendly and programmable shell experience, with features such as a powerful scripting language, a rich set of data types, and a clean and consistent syntax.
reference:
- https://gtfobins.github.io/gtfobins/elvish/
metadata:
verified: true
tags: code,linux,elvish,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
elvish -c 'whoami'
#SUDO
- engine:
- sh
- bash
source: |
sudo elvish -c 'whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

49
code/privilege-escalation/linux/binary/privesc-enscript.yaml Normal file
View File

@ -0,0 +1,49 @@
id: privesc-enscript
info:
name: enscript - Privilege Escalation
author: daffainfo
severity: high
description: |
enscript is a command-line tool used for converting text files to PostScript format for printing. It provides various options for formatting and manipulating the output, making it a useful tool for generating high-quality printed documents from text files.
reference:
- https://gtfobins.github.io/gtfobins/enscript/
metadata:
verified: true
tags: code,linux,enscript,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
enscript /dev/null -qo /dev/null -I 'whoami >&2'
#SUDO
- engine:
- sh
- bash
source: |
sudo enscript /dev/null -qo /dev/null -I 'whoami >&2'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

49
code/privilege-escalation/linux/binary/privesc-env.yaml Normal file
View File

@ -0,0 +1,49 @@
id: privesc-env
info:
name: env - Privilege Escalation
author: daffainfo
severity: high
description: |
In Linux, the env command is used to display or modify the environment variables for a command. It can be used to set environment variables for a specific command or to print the current environment variables.
reference:
- https://gtfobins.github.io/gtfobins/env/
metadata:
verified: true
tags: code,linux,env,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
expect -c 'spawn whoami;interact'
#SUDO
- engine:
- sh
- bash
source: |
sudo expect -c 'spawn whoami;interact'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

49
code/privilege-escalation/linux/binary/privesc-expect.yaml Normal file
View File

@ -0,0 +1,49 @@
id: privesc-expect
info:
name: expect - Privilege Escalation
author: daffainfo
severity: high
description: |
expect is a Unix scripting and testing utility that automates interactive applications such as telnet, ftp, passwd, fsck, rlogin, tip, and more. It uses scripts to control interactive applications, making it useful for automating tasks that involve user input.
reference:
- https://gtfobins.github.io/gtfobins/expect/
metadata:
verified: true
tags: code,linux,expect,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
expect -c 'spawn whoami;interact'
#SUDO
- engine:
- sh
- bash
source: |
sudo expect -c 'spawn whoami;interact'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

49
code/privilege-escalation/linux/binary/privesc-find.yaml Normal file
View File

@ -0,0 +1,49 @@
id: privesc-find
info:
name: find - Privilege Escalation
author: daffainfo
severity: high
description: |
The find command in Linux is used to search for files and directories in a directory hierarchy based on various criteria such as name, type, size, and permissions. It is a powerful tool for locating files and performing operations on them, such as executing commands or applying changes.
reference:
- https://gtfobins.github.io/gtfobins/find/
metadata:
verified: true
tags: code,linux,find,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
find . -exec whoami \; -quit
#SUDO
- engine:
- sh
- bash
source: |
sudo find . -exec whoami \; -quit
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

49
code/privilege-escalation/linux/binary/privesc-fish.yaml Normal file
View File

@ -0,0 +1,49 @@
id: privesc-fish
info:
name: fish - Privilege Escalation
author: daffainfo
severity: high
description: |
fish is a user-friendly command-line shell for Unix-like operating systems. It provides features such as syntax highlighting, autosuggestions, and a built-in scripting language. Fish aims to be easy to use and learn, making it a popular choice for both interactive shell usage and scripting.
reference:
- https://gtfobins.github.io/gtfobins/fish/
metadata:
verified: true
tags: code,linux,fish,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
fish -c 'whoami'
#SUDO
- engine:
- sh
- bash
source: |
sudo fish -c 'whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

49
code/privilege-escalation/linux/binary/privesc-flock.yaml Normal file
View File

@ -0,0 +1,49 @@
id: privesc-flock
info:
name: Flock - Privilege Escalation
author: daffainfo
severity: high
description: |
flock is a command-line utility in Unix-like operating systems that is used to manage file locks. It can be used to synchronize access to a file among multiple processes, preventing conflicts and ensuring data integrity. Additionally, flock can be used in shell scripts to control access to critical sections of code.
reference:
- https://gtfobins.github.io/gtfobins/flock/
metadata:
verified: true
tags: code,linux,flock,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
flock -u / whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo flock -u / whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

49
code/privilege-escalation/linux/binary/privesc-gawk.yaml Normal file
View File

@ -0,0 +1,49 @@
id: privesc-gawk
info:
name: gawk - Privilege Escalation
author: daffainfo
severity: high
description: |
gawk is the GNU implementation of the AWK programming language. It is a powerful text processing tool that allows for pattern scanning and processing of text files. gawk is commonly used for data extraction, reporting, and manipulation tasks in shell scripts and command-line environments.
reference:
- https://gtfobins.github.io/gtfobins/gawk/
metadata:
verified: true
tags: code,linux,gawk,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
gawk 'BEGIN {system("whoami")}'
#SUDO
- engine:
- sh
- bash
source: |
sudo gawk 'BEGIN {system("whoami")}'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

49
code/privilege-escalation/linux/binary/privesc-grc.yaml Normal file
View File

@ -0,0 +1,49 @@
id: privesc-grc
info:
name: grc - Privilege Escalation
author: daffainfo
severity: high
description: |
grc is a command-line utility that enhances the output of other commands with color and style. It is commonly used to improve the readability of command output by adding color highlighting and formatting. grc can be configured to work with various commands and is often used to make log files and command output easier to interpret.
reference:
- https://gtfobins.github.io/gtfobins/grc/
metadata:
verified: true
tags: code,linux,grc,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
grc --pty whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo grc --pty whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

49
code/privilege-escalation/linux/binary/privesc-ionice.yaml Normal file
View File

@ -0,0 +1,49 @@
id: privesc-ionice
info:
name: ionice - Privilege Escalation
author: daffainfo
severity: high
description: |
ionice is a command-line utility in Linux that is used to set or get the I/O scheduling class and priority for a program. It allows users to control the I/O priority of a process, which can be useful for managing system resources and improving overall system performance.
reference:
- https://gtfobins.github.io/gtfobins/ionice/
metadata:
verified: true
tags: code,linux,ionice,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
ionice whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo ionice whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

49
code/privilege-escalation/linux/binary/privesc-julia.yaml Normal file
View File

@ -0,0 +1,49 @@
id: privesc-julia
info:
name: Julia - Privilege Escalation
author: daffainfo
severity: high
description: |
Julia is a high-level, high-performance programming language for technical computing. It is designed for numerical and scientific computing, but it is also used for general-purpose programming. Julia is known for its speed and ease of use, and it has a growing community of users and developers.
reference:
- https://gtfobins.github.io/gtfobins/julia/
metadata:
verified: true
tags: code,linux,julia,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
julia -e 'run(`whoami`)'
#SUDO
- engine:
- sh
- bash
source: |
sudo julia -e 'run(`whoami`)'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

49
code/privilege-escalation/linux/binary/privesc-lftp.yaml Normal file
View File

@ -0,0 +1,49 @@
id: privesc-lftp
info:
name: lftp - Privilege Escalation
author: daffainfo
severity: high
description: |
lftp is a command-line file transfer program for Unix-like systems. It supports various protocols such as FTP, HTTP, SFTP, and FISH, and provides a range of features for file transfer and mirroring. lftp is known for its reliability and scriptability, making it a popular choice for automated file transfer tasks.
reference:
- https://gtfobins.github.io/gtfobins/lftp/
metadata:
verified: true
tags: code,linux,lftp,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
lftp -c '!whoami'
#SUDO
- engine:
- sh
- bash
source: |
sudo lftp -c '!whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

49
code/privilege-escalation/linux/binary/privesc-ltrace.yaml Normal file
View File

@ -0,0 +1,49 @@
id: privesc-ltrace
info:
name: ltrace - Privilege Escalation
author: daffainfo
severity: high
description: |
ltrace is a debugging utility in Linux that is used to intercept and record dynamic library calls made by a process. It can be used to trace the library calls made by a program, which is helpful for debugging and understanding its behavior.
reference:
- https://gtfobins.github.io/gtfobins/ltrace/
metadata:
verified: true
tags: code,linux,ltrace,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
ltrace -b -L whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo ltrace -b -L whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

49
code/privilege-escalation/linux/binary/privesc-lua.yaml Normal file
View File

@ -0,0 +1,49 @@
id: privesc-lua
info:
name: lua - Privilege Escalation
author: daffainfo
severity: high
description: |
Lua is a powerful, efficient, lightweight, embeddable scripting language. It is often used as a scripting language for game development and other applications that require a customizable and extensible scripting interface. Lua is known for its simplicity, speed, and ease of integration with other languages and systems.
reference:
- https://gtfobins.github.io/gtfobins/lua/
metadata:
verified: true
tags: code,linux,lua,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
lua -e 'os.execute("whoami")'
#SUDO
- engine:
- sh
- bash
source: |
sudo lua -e 'os.execute("whoami")'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

49
code/privilege-escalation/linux/binary/privesc-mawk.yaml Normal file
View File

@ -0,0 +1,49 @@
id: privesc-mawk
info:
name: mawk - Privilege Escalation
author: daffainfo
severity: high
description: |
mawk is an efficient and fast implementation of the AWK programming language. It is designed to be smaller and faster than the original AWK implementation, making it suitable for large data processing tasks. mawk is commonly used for text processing and pattern scanning in shell scripts and command-line environments.
reference:
- https://gtfobins.github.io/gtfobins/mawk/
metadata:
verified: true
tags: code,linux,mawk,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
mawk 'BEGIN {system("whoami")}'
#SUDO
- engine:
- sh
- bash
source: |
sudo mawk 'BEGIN {system("whoami")}'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

49
code/privilege-escalation/linux/binary/privesc-multitime.yaml Normal file
View File

@ -0,0 +1,49 @@
id: privesc-multitime
info:
name: Multitime - Privilege Escalation
author: daffainfo
severity: high
description: |
multitime is a command-line utility that allows for the timing and execution of commands multiple times. It is often used for benchmarking and performance testing of commands and scripts, providing a convenient way to measure the execution time of a given task.
reference:
- https://gtfobins.github.io/gtfobins/multitime/
metadata:
verified: true
tags: code,linux,multitime,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
multitime whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo multitime whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

49
code/privilege-escalation/linux/binary/privesc-mysql.yaml Normal file
View File

@ -0,0 +1,49 @@
id: privesc-mysql
info:
name: MySQL - Privilege Escalation
author: daffainfo
severity: high
description: |
MySQL is an open-source relational database management system (RDBMS) that uses structured query language (SQL) for managing and manipulating data. It is widely used for web applications and is known for its reliability, ease of use, and performance. MySQL is a popular choice for database-driven applications and is supported on various platforms.
reference:
- https://gtfobins.github.io/gtfobins/mysql/
metadata:
verified: true
tags: code,linux,mysql,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
mysql -e '\! whoami'
#SUDO
- engine:
- sh
- bash
source: |
sudo mysql -e '\! whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

49
code/privilege-escalation/linux/binary/privesc-nawk.yaml Normal file
View File

@ -0,0 +1,49 @@
id: privesc-nawk
info:
name: nawk - Privilege Escalation
author: daffainfo
severity: high
description: |
nawk is an implementation of the AWK programming language. It is a text-processing language that is commonly used for pattern scanning and processing of text files. nawk provides powerful features for data extraction, reporting, and manipulation, making it a valuable tool for text processing tasks in shell scripts and command-line environments.
reference:
- https://gtfobins.github.io/gtfobins/nawk/
metadata:
verified: true
tags: code,linux,nawk,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
nawk 'BEGIN {system("whoami")}'
#SUDO
- engine:
- sh
- bash
source: |
sudo nawk 'BEGIN {system("whoami")}'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

49
code/privilege-escalation/linux/binary/privesc-nice.yaml Normal file
View File

@ -0,0 +1,49 @@
id: privesc-nice
info:
name: Nice - Privilege Escalation
author: daffainfo
severity: high
description: |
In Unix-like operating systems, the nice command is used to execute a program with a modified scheduling priority. It allows users to start a process with a specified priority level, which can influence the allocation of CPU resources. This can be useful for managing system resources and controlling the impact of a process on system performance.
reference:
- https://gtfobins.github.io/gtfobins/nice/
metadata:
verified: true
tags: code,linux,nice,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
nice whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo nice whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

57
code/privilege-escalation/linux/binary/privesc-node.yaml Normal file
View File

@ -0,0 +1,57 @@
id: privesc-node
info:
name: Node - Privilege Escalation
author: daffainfo
severity: high
description: |
Node.js is a popular open-source, cross-platform JavaScript runtime environment that executes JavaScript code outside of a web browser. It is commonly used for building scalable network applications and is known for its event-driven, non-blocking I/O model. Node.js is widely used for server-side scripting and has a large ecosystem of libraries and frameworks.
reference:
- https://gtfobins.github.io/gtfobins/node/
metadata:
verified: true
tags: code,linux,node,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
node -e 'require("child_process").spawn("whoami", {stdio: [0, 1, 2]})'
#SUDO
- engine:
- sh
- bash
source: |
sudo node -e 'require("child_process").spawn("whoami", {stdio: [0, 1, 2]})'
#Capabilities
- engine:
- sh
- bash
source: |
node -e 'process.setuid(0); require("child_process").spawn("whoami", {stdio: [0, 1, 2]})'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
- 'contains(code_4_response, "root")'
condition: or

49
code/privilege-escalation/linux/binary/privesc-nsenter.yaml Normal file
View File

@ -0,0 +1,49 @@
id: privesc-nsenter
info:
name: Nsenter - Privilege Escalation
author: daffainfo
severity: high
description: |
nsenter is a command-line utility in Linux that allows a user to enter into an existing namespace. It is commonly used for troubleshooting and managing namespaces in containerized environments. By using nsenter, users can enter into a specific namespace and execute commands within that namespace, which can be helpful for various system administration tasks.
reference:
- https://gtfobins.github.io/gtfobins/nsenter/
metadata:
verified: true
tags: code,linux,nsenter,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
nsenter whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo nsenter whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

57
code/privilege-escalation/linux/binary/privesc-perl.yaml Normal file
View File

@ -0,0 +1,57 @@
id: privesc-perl
info:
name: Perl - Privilege Escalation
author: daffainfo
severity: high
description: |
Perl is a high-level, general-purpose programming language known for its powerful text processing capabilities. It is often used for system administration, web development, and network programming. Perl's syntax and features make it well-suited for tasks such as parsing and manipulating text, making it a popular choice for various scripting and automation tasks.
reference:
- https://gtfobins.github.io/gtfobins/perl/
metadata:
verified: true
tags: code,linux,perl,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
perl -e 'exec "whoami";'
#SUDO
- engine:
- sh
- bash
source: |
sudo perl -e 'exec "whoami";'
#Capabilities
- engine:
- sh
- bash
source: |
perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "whoami";'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
- 'contains(code_4_response, "root")'
condition: or

23
code/privilege-escalation/linux/binary/privilege-escalation-pexec.yaml → code/privilege-escalation/linux/binary/privesc-pexec.yaml
View File

@ -1,10 +1,13 @@
id: privilege-escalation-pexec
id: privesc-pexec
info:
name: pexec - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/pexec/
description: |
The term "pexec" typically refers to the "privileged execution" of a command or program.
reference: |
https://gtfobins.github.io/gtfobins/pexec/
metadata:
verified: true
tags: code,linux,pexec,privesc
@ -15,29 +18,29 @@ code:
- sh
- bash
source: |
whoami
whoami
#SUID
- engine:
- sh
- bash
source: |
pexec whoami
pexec whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo pexec whoami
sudo pexec whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:

57
code/privilege-escalation/linux/binary/privesc-php.yaml Normal file
View File

@ -0,0 +1,57 @@
id: privesc-php
info:
name: PHP - Privilege Escalation
author: daffainfo
severity: high
description: |
PHP is a popular server-side scripting language that is widely used for web development. It is known for its ease of use, flexibility, and broad support for web frameworks and content management systems. PHP is commonly used to create dynamic web pages, process form data, manage sessions, and interact with databases.
reference:
- https://gtfobins.github.io/gtfobins/php/
metadata:
verified: true
tags: code,linux,php,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
php -r 'system("whoami");'
#SUDO
- engine:
- sh
- bash
source: |
sudo php -r 'system("whoami");'
#Capabilities
- engine:
- sh
- bash
source: |
php -r "posix_setuid(0); system("whoami");"
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
- 'contains(code_4_response, "root")'
condition: or

49
code/privilege-escalation/linux/binary/privesc-posh.yaml Normal file
View File

@ -0,0 +1,49 @@
id: privesc-posh
info:
name: posh - Privilege Escalation
author: daffainfo
severity: high
description: |
"posh" typically refers to the "Policy-compliant Ordinary SHell," which is a restricted shell designed to provide a limited set of commands and features for users with restricted access. It is often used in environments where users require limited functionality and access to system resources.
reference:
- https://gtfobins.github.io/gtfobins/posh/
metadata:
verified: true
tags: code,linux,posh,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
posh -c 'whoami'
#SUDO
- engine:
- sh
- bash
source: |
sudo posh -c 'whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

57
code/privilege-escalation/linux/binary/privesc-python.yaml Normal file
View File

@ -0,0 +1,57 @@
id: privesc-python
info:
name: PHP - Privilege Escalation
author: daffainfo
severity: high
description: |
Python is a high-level, general-purpose programming language known for its readability and simplicity. It is widely used for web development, scientific computing, artificial intelligence, and system automation. Python's versatility, extensive standard library, and large community make it a popular choice for a wide range of applications.
reference:
- https://gtfobins.github.io/gtfobins/python/
metadata:
verified: true
tags: code,linux,php,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
python -c 'import os; os.system("whoami")'
#SUDO
- engine:
- sh
- bash
source: |
sudo python -c 'import os; os.system("whoami")'
#Capabilities
- engine:
- sh
- bash
source: |
python -c 'import os; os.setuid(0); os.system("whoami")'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
- 'contains(code_4_response, "root")'
condition: or

49
code/privilege-escalation/linux/binary/privesc-rake.yaml Normal file
View File

@ -0,0 +1,49 @@
id: privesc-rake
info:
name: Rake - Privilege Escalation
author: daffainfo
severity: high
description: |
Rake is a build automation tool written in Ruby. It is similar to Make, Ant, or MSBuild, but uses a Ruby syntax. Rake is often used for automating tasks in software development, such as building, testing, and deploying applications.
reference:
- https://gtfobins.github.io/gtfobins/rake/
metadata:
verified: true
tags: code,linux,rake,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
rake -p '`whoami 1>&0`'
#SUDO
- engine:
- sh
- bash
source: |
sudo rake -p '`whoami 1>&0`'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

49
code/privilege-escalation/linux/binary/privesc-rc.yaml Normal file
View File

@ -0,0 +1,49 @@
id: privesc-rc
info:
name: RC - Privilege Escalation
author: daffainfo
severity: high
description: |
the rc command is a shell command interpreter that is used to execute commands and scripts. It is commonly used for scripting and automation tasks, and it provides a set of built-in commands and features for interacting with the system.
reference:
- https://gtfobins.github.io/gtfobins/rc/
metadata:
verified: true
tags: code,linux,rc,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
rc -c 'whoami'
#SUDO
- engine:
- sh
- bash
source: |
sudo rc -c 'whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

49
code/privilege-escalation/linux/binary/privesc-rlwrap.yaml Normal file
View File

@ -0,0 +1,49 @@
id: privesc-rlwrap
info:
name: rlwrap - Privilege Escalation
author: daffainfo
severity: high
description: |
rlwrap is a utility that provides readline functionality to commands that lack it, allowing for command-line editing and history capabilities. It is commonly used to enhance the user experience when working with command-line tools that do not have built-in readline support.
reference:
- https://gtfobins.github.io/gtfobins/rlwrap/
metadata:
verified: true
tags: code,linux,rlwrap,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
rlwrap whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo rlwrap whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

49
code/privilege-escalation/linux/binary/privesc-rpm.yaml Normal file
View File

@ -0,0 +1,49 @@
id: privesc-rpm
info:
name: rpm - Privilege Escalation
author: daffainfo
severity: high
description: |
rpm stands for "Red Hat Package Manager." It is a command-line package management utility used in Red Hat-based Linux distributions to install, update, and manage software packages. rpm is also used to query package information, verify package integrity, and perform various administrative tasks related to software packages.
reference:
- https://gtfobins.github.io/gtfobins/rpm/
metadata:
verified: true
tags: code,linux,rpm,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
rpm --pipe 'whoami 0<&1'
#SUDO
- engine:
- sh
- bash
source: |
sudo rpm --pipe 'whoami 0<&1'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

49
code/privilege-escalation/linux/binary/privesc-rpmdb.yaml Normal file
View File

@ -0,0 +1,49 @@
id: privesc-rpmdb
info:
name: rpmdb - Privilege Escalation
author: daffainfo
severity: high
description: |
The rpmdb is the database used by the RPM Package Manager to store metadata about installed packages on a Linux system. It is used to track information about installed packages, including their files, dependencies, and other attributes. The rpmdb is a critical component of package management on RPM-based Linux distributions.
reference:
- https://gtfobins.github.io/gtfobins/rpmdb/
metadata:
verified: true
tags: code,linux,rpmdb,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
rpmdb --eval '%(whoami 1>&2)'
#SUDO
- engine:
- sh
- bash
source: |
sudo rpmdb --eval '%(whoami 1>&2)'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

49
code/privilege-escalation/linux/binary/privesc-rpmverify.yaml Normal file
View File

@ -0,0 +1,49 @@
id: privesc-rpmverify
info:
name: rpmverify - Privilege Escalation
author: daffainfo
severity: high
description: |
The rpmverify command is used to verify the integrity and authenticity of installed RPM packages on a Linux system. It checks the files in the installed packages against the information stored in the RPM database to detect any modifications or discrepancies. This helps ensure the security and stability of the system by identifying any unauthorized changes to the installed packages.
reference:
- https://gtfobins.github.io/gtfobins/rpmverify/
metadata:
verified: true
tags: code,linux,rpmverify,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
rpmverify --eval '%(whoami 1>&2)'
#SUDO
- engine:
- sh
- bash
source: |
sudo rpmverify --eval '%(whoami 1>&2)'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

57
code/privilege-escalation/linux/binary/privesc-ruby.yaml Normal file
View File

@ -0,0 +1,57 @@
id: privesc-ruby
info:
name: Ruby - Privilege Escalation
author: daffainfo
severity: high
description: |
Ruby is a dynamic, open-source programming language known for its simplicity and productivity. It is often used for web development, scripting, and software development. Ruby's elegant syntax and focus on developer happiness have made it a popular choice for building web applications and other software projects.
reference:
- https://gtfobins.github.io/gtfobins/ruby/
metadata:
verified: true
tags: code,linux,ruby,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
ruby -e 'exec "whoami"'
#SUDO
- engine:
- sh
- bash
source: |
sudo ruby -e 'exec "whoami"'
#Capabilities
- engine:
- sh
- bash
source: |
ruby -e 'Process::Sys.setuid(0); exec "whoami"'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
- 'contains(code_4_response, "root")'
condition: or

48
code/privilege-escalation/linux/binary/privesc-run-parts.yaml Normal file
View File

@ -0,0 +1,48 @@
id: privesc-run-parts
info:
name: run-parts - Privilege Escalation
author: daffainfo
severity: high
description: |
The run-parts command in Linux is used to run all the executable files in a directory. It is commonly used for running scripts or commands located in a specific directory, such as system maintenance scripts in /etc/cron.daily. The run-parts command provides a convenient way to execute multiple scripts or commands in a batch manner.
reference: https://gtfobins.github.io/gtfobins/run-parts/
metadata:
verified: true
tags: code,linux,run-parts,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
run-parts --new-session --regex 'whoami' /bin
#SUDO
- engine:
- sh
- bash
source: |
sudo run-parts --new-session --regex 'whoami' /bin
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

49
code/privilege-escalation/linux/binary/privesc-sash.yaml Normal file
View File

@ -0,0 +1,49 @@
id: privesc-sash
info:
name: sash - Privilege Escalation
author: daffainfo
severity: high
description: |
sash is a stand-alone shell that is commonly used for system recovery and maintenance. It provides a minimal set of commands and features, making it useful in situations where the regular shell environment may not be available or functional. sash is often used in emergency situations to troubleshoot and repair systems.
reference:
- https://gtfobins.github.io/gtfobins/sash/
metadata:
verified: true
tags: code,linux,sash,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
sash -c 'whoami'
#SUDO
- engine:
- sh
- bash
source: |
sudo sash -c 'whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

49
code/privilege-escalation/linux/binary/privesc-slsh.yaml Normal file
View File

@ -0,0 +1,49 @@
id: privesc-slsh
info:
name: slsh - Privilege Escalation
author: daffainfo
severity: high
description: |
slsh is a command-line shell that is designed to provide a secure environment for executing shell commands. It is often used in scenarios where security and privilege separation are important, such as in web hosting environments or when running untrusted code. slsh aims to provide a secure and restricted shell environment for executing commands.
reference:
- https://gtfobins.github.io/gtfobins/slsh/
metadata:
verified: true
tags: code,linux,slsh,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
slsh -e 'system("whoami")'
#SUDO
- engine:
- sh
- bash
source: |
sudo slsh -e 'system("whoami")'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

49
code/privilege-escalation/linux/binary/privesc-socat.yaml Normal file
View File

@ -0,0 +1,49 @@
id: privesc-socat
info:
name: Socat - Privilege Escalation
author: daffainfo
severity: high
description: |
Socat is a command-line utility that establishes two bidirectional byte streams and transfers data between them. It can be used for a wide range of networking tasks, such as file transfer, port forwarding, and network testing. Socat is known for its versatility and is often used for creating complex network connections and proxies.
reference:
- https://gtfobins.github.io/gtfobins/socat/
metadata:
verified: true
tags: code,linux,socat,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
socat stdin exec:whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo socat stdin exec:whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

49
code/privilege-escalation/linux/binary/privesc-softlimit.yaml Normal file
View File

@ -0,0 +1,49 @@
id: privesc-softlimit
info:
name: softlimit - Privilege Escalation
author: daffainfo
severity: high
description: |
The softlimit command is used in conjunction with the daemontools software to set resource limits for a process. It is commonly used to control the resource usage of a process, such as limiting its memory or CPU usage. The softlimit command helps in managing and controlling the resource consumption of a process, which can be useful for ensuring system stability and preventing resource exhaustion.
reference:
- https://gtfobins.github.io/gtfobins/softlimit/
metadata:
verified: true
tags: code,linux,softlimit,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
softlimit whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo softlimit whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

23
code/privilege-escalation/linux/binary/privilege-escalation-sqlite3.yaml → code/privilege-escalation/linux/binary/privesc-sqlite3.yaml
View File

@ -1,10 +1,13 @@
id: privilege-escalation-sqlite3
id: privesc-sqlite3
info:
name: sqlite3 - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/sqlite3/
description: |
sqlite3 is a lightweight, self-contained, and serverless SQL database engine. It is widely used in embedded systems, mobile devices, and small to medium-sized applications.
reference:
- https://gtfobins.github.io/gtfobins/sqlite3/
metadata:
verified: true
tags: code,linux,sqlite3,privesc
@ -15,29 +18,29 @@ code:
- sh
- bash
source: |
whoami
whoami
#SUID
- engine:
- sh
- bash
source: |
sqlite3 /dev/null '.shell whoami'
sqlite3 /dev/null '.shell whoami'
#SUDO
- engine:
- sh
- bash
source: |
sudo sqlite3 /dev/null '.shell whoami'
sudo sqlite3 /dev/null '.shell whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:

49
code/privilege-escalation/linux/binary/privesc-ssh-agent.yaml Normal file
View File

@ -0,0 +1,49 @@
id: privesc-ssh-agent
info:
name: ssh-agent - Privilege Escalation
author: daffainfo
severity: high
description: |
ssh-agent is a program that helps manage and store private keys used for SSH authentication. It is often used to hold the decrypted private keys in memory, allowing for seamless authentication to remote servers without the need to re-enter passphrases for the keys.
reference:
- https://gtfobins.github.io/gtfobins/ssh-agent/
metadata:
verified: true
tags: code,linux,ssh-agent,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
ssh-agent whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo ssh-agent whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

23
code/privilege-escalation/linux/binary/privilege-escalation-sshpass.yaml → code/privilege-escalation/linux/binary/privesc-sshpass.yaml
View File

@ -1,10 +1,13 @@
id: privilege-escalation-sshpass
id: privesc-sshpass
info:
name: sshpass - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/sshpass/
description: |
sshpass is a command-line tool that provides a way to automatically input SSH passwords for password authentication. It is commonly used in scripts and automated processes where interactive password entry is not feasible.
reference:
- https://gtfobins.github.io/gtfobins/sshpass/
metadata:
verified: true
tags: code,linux,sshpass,privesc
@ -15,29 +18,29 @@ code:
- sh
- bash
source: |
whoami
whoami
#SUID
- engine:
- sh
- bash
source: |
sshpass whoami
sshpass whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo sshpass whoami
sudo sshpass whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:

49
code/privilege-escalation/linux/binary/privesc-stdbuf.yaml Normal file
View File

@ -0,0 +1,49 @@
id: privesc-stdbuf
info:
name: stdbuf - Privilege Escalation
author: daffainfo
severity: high
description: |
The stdbuf command is used to modify the buffering operations of another command. It can be used to adjust the input/output buffering of a command, which can be useful for controlling the flow of data and improving the performance of certain operations.
reference:
- https://gtfobins.github.io/gtfobins/stdbuf/
metadata:
verified: true
tags: code,linux,stdbuf,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
stdbuf -i0 whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo stdbuf -i0 whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

49
code/privilege-escalation/linux/binary/privesc-strace.yaml Normal file
View File

@ -0,0 +1,49 @@
id: privesc-strace
info:
name: strace - Privilege Escalation
author: daffainfo
severity: high
description: |
strace is a diagnostic, debugging, and instructional utility for Linux. It is used to monitor the system calls and signals that a program receives, allowing users to trace and analyze its interactions with the kernel.
reference:
- https://gtfobins.github.io/gtfobins/strace/
metadata:
verified: true
tags: code,linux,strace,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
strace -o /dev/null whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo strace -o /dev/null whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

49
code/privilege-escalation/linux/binary/privesc-tar.yaml Normal file
View File

@ -0,0 +1,49 @@
id: privesc-tar
info:
name: tar - Privilege Escalation
author: daffainfo
severity: high
description: |
tar is a command-line utility used to create and manipulate archive files. It is commonly used for bundling multiple files and directories into a single archive, often used in conjunction with compression tools like gzip or bzip2.
reference:
- https://gtfobins.github.io/gtfobins/tar/
metadata:
verified: true
tags: code,linux,tar,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

23
code/privilege-escalation/linux/binary/privilege-escalation-tcsh.yaml → code/privilege-escalation/linux/binary/privesc-tcsh.yaml
View File

@ -1,10 +1,13 @@
id: privilege-escalation-tcsh
id: privesc-tcsh
info:
name: tcsh - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/tcsh/
description: |
tcsh is a Unix shell based on and compatible with the C shell (csh). It provides a command-line interface for interacting with the operating system and executing commands.
reference:
- https://gtfobins.github.io/gtfobins/tcsh/
metadata:
verified: true
tags: code,linux,tcsh,privesc
@ -15,29 +18,29 @@ code:
- sh
- bash
source: |
whoami
whoami
#SUID
- engine:
- sh
- bash
source: |
tcsh -c 'whoami'
tcsh -c 'whoami'
#SUDO
- engine:
- sh
- bash
source: |
sudo tcsh -c 'whoami'
sudo tcsh -c 'whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:

23
code/privilege-escalation/linux/binary/privilege-escalation-time.yaml → code/privilege-escalation/linux/binary/privesc-time.yaml
View File

@ -1,10 +1,13 @@
id: privilege-escalation-time
id: privesc-time
info:
name: Time - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/time/
description: |
The time command is used to determine the amount of time taken by a command to execute.
reference:
- https://gtfobins.github.io/gtfobins/time/
metadata:
verified: true
tags: code,linux,time,privesc
@ -15,29 +18,29 @@ code:
- sh
- bash
source: |
whoami
whoami
#SUID
- engine:
- sh
- bash
source: |
time whoami
time whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo time whoami
sudo time whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:

23
code/privilege-escalation/linux/binary/privilege-escalation-timeout.yaml → code/privilege-escalation/linux/binary/privesc-timeout.yaml
View File

@ -1,10 +1,13 @@
id: privilege-escalation-timeout
id: privesc-timeout
info:
name: Timeout - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/timeout/
description: |
The timeout command is used to run a command with a specified time limit. It is commonly used to prevent a command from running indefinitely and to enforce a time restriction on its execution.
reference:
- https://gtfobins.github.io/gtfobins/timeout/
metadata:
verified: true
tags: code,linux,timeout,privesc
@ -15,29 +18,29 @@ code:
- sh
- bash
source: |
whoami
whoami
#SUID
- engine:
- sh
- bash
source: |
timeout 7d whoami
timeout 7d whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo timeout 7d whoami
sudo timeout 7d whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:

23
code/privilege-escalation/linux/binary/privilege-escalation-tmate.yaml → code/privilege-escalation/linux/binary/privesc-tmate.yaml
View File

@ -1,10 +1,13 @@
id: privilege-escalation-tmate
id: privesc-tmate
info:
name: tmate - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/tmate/
description: |
tmate is a terminal multiplexer that allows multiple users to access and collaborate in the same terminal session.
reference:
- https://gtfobins.github.io/gtfobins/tmate/
metadata:
verified: true
tags: code,linux,tmate,privesc
@ -15,29 +18,29 @@ code:
- sh
- bash
source: |
whoami
whoami
#SUID
- engine:
- sh
- bash
source: |
tmate -c whoami
tmate -c whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo tmate -c whoami
sudo tmate -c whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:

49
code/privilege-escalation/linux/binary/privesc-torify.yaml Normal file
View File

@ -0,0 +1,49 @@
id: privesc-torify
info:
name: Torify - Privilege Escalation
author: daffainfo
severity: high
description: |
torify is a command-line utility that is used to transparently route network traffic through the Tor network. It is commonly used to anonymize the network connections of other command-line programs, allowing them to communicate over the Tor network for enhanced privacy and security.
reference:
- https://gtfobins.github.io/gtfobins/torify/
metadata:
verified: true
tags: code,linux,torify,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
torify whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo torify whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

49
code/privilege-escalation/linux/binary/privesc-torsocks.yaml Normal file
View File

@ -0,0 +1,49 @@
id: privesc-torsocks
info:
name: Torsocks - Privilege Escalation
author: daffainfo
severity: high
description: |
torsocks is a wrapper that enables the use of the Tor network for any program, including those that do not natively support proxy settings. It intercepts and redirects network calls from the target program through the Tor network, providing a way to anonymize the network traffic of various applications.
reference:
- https://gtfobins.github.io/gtfobins/torsocks/
metadata:
verified: true
tags: code,linux,torsocks,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
torsocks whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo torsocks whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

23
code/privilege-escalation/linux/binary/privilege-escalation-unshare.yaml → code/privilege-escalation/linux/binary/privesc-unshare.yaml
View File

@ -1,10 +1,13 @@
id: privilege-escalation-unshare
id: privesc-unshare
info:
name: Unshare - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/unshare/
description: |
The unshare command is used to run a command in a new namespace, which can isolate various aspects of the system, such as the mount namespace, network namespace, user namespace, and more.
reference:
- https://gtfobins.github.io/gtfobins/unshare/
metadata:
verified: true
tags: code,linux,unshare,privesc
@ -15,29 +18,29 @@ code:
- sh
- bash
source: |
whoami
whoami
#SUID
- engine:
- sh
- bash
source: |
unshare whoami
unshare whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo unshare whoami
sudo unshare whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:

49
code/privilege-escalation/linux/binary/privesc-vi.yaml Normal file
View File

@ -0,0 +1,49 @@
id: privesc-vi
info:
name: Vi - Privilege Escalation
author: daffainfo
severity: high
description: |
vi is a classic text editor in Unix and Unix-like operating systems. It is known for its modal editing capabilities and is often used for editing configuration files, scripts, and other text-based content in a terminal environment.
reference:
- https://gtfobins.github.io/gtfobins/vi/
metadata:
verified: true
tags: code,linux,vi,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
vi -c '!whoami'
#SUDO
- engine:
- sh
- bash
source: |
sudo vi -c '!whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

23
code/privilege-escalation/linux/binary/privilege-escalation-view.yaml → code/privilege-escalation/linux/binary/privesc-view.yaml
View File

@ -1,10 +1,13 @@
id: privilege-escalation-view
id: privesc-view
info:
name: View - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/view/
description: |
view is a command that is often associated with the vi text editor. When invoked as "view," vi starts in read-only mode, allowing users to view files without the ability to modify them.
reference:
- https://gtfobins.github.io/gtfobins/view/
metadata:
verified: true
tags: code,linux,view,privesc
@ -15,29 +18,29 @@ code:
- sh
- bash
source: |
whoami
whoami
#SUID
- engine:
- sh
- bash
source: |
view -c ':!whoami'
view -c ':!whoami'
#SUDO
- engine:
- sh
- bash
source: |
sudo view -c ':!whoami'
sudo view -c ':!whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:

23
code/privilege-escalation/linux/binary/privilege-escalation-vim.yaml → code/privilege-escalation/linux/binary/privesc-vim.yaml
View File

@ -1,10 +1,13 @@
id: privilege-escalation-vim
id: privesc-vim
info:
name: Vim - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/vim/
description: |
Vim is a highly configurable, modal text editor based on the vi editor.
reference:
- https://gtfobins.github.io/gtfobins/vim/
metadata:
verified: true
tags: code,linux,vim,privesc
@ -15,29 +18,29 @@ code:
- sh
- bash
source: |
whoami
whoami
#SUID
- engine:
- sh
- bash
source: |
vim -c '!whoami'
vim -c '!whoami'
#SUDO
- engine:
- sh
- bash
source: |
sudo vim -c '!whoami'
sudo vim -c '!whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:

23
code/privilege-escalation/linux/binary/privilege-escalation-xargs.yaml → code/privilege-escalation/linux/binary/privesc-xargs.yaml
View File

@ -1,10 +1,13 @@
id: privilege-escalation-xargs
id: privesc-xargs
info:
name: Xargs - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/xargs/
description: |
xargs is a command in Unix and Unix-like operating systems used to build and execute command lines from standard input.
reference:
- https://gtfobins.github.io/gtfobins/xargs/
metadata:
verified: true
tags: code,linux,xargs,privesc
@ -15,29 +18,29 @@ code:
- sh
- bash
source: |
whoami
whoami
#SUID
- engine:
- sh
- bash
source: |
xargs -a /dev/null whoami
xargs -a /dev/null whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo xargs -a /dev/null whoami
sudo xargs -a /dev/null whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:

49
code/privilege-escalation/linux/binary/privesc-xdg-user-dir.yaml Normal file
View File

@ -0,0 +1,49 @@
id: privesc-xdg-user-dir
info:
name: xdg-user-dir - Privilege Escalation
author: daffainfo
severity: high
description: |
The xdg-user-dir command is used to retrieve the path of a user's special directories, such as the user's home directory, desktop directory, download directory, and others, based on the XDG Base Directory Specification.
reference:
- https://gtfobins.github.io/gtfobins/xdg-user-dir/
metadata:
verified: true
tags: code,linux,xdg-user-dir,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
xdg-user-dir '}; whoami #'
#SUDO
- engine:
- sh
- bash
source: |
sudo xdg-user-dir '}; whoami #'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

23
code/privilege-escalation/linux/binary/privilege-escalation-yash.yaml → code/privilege-escalation/linux/binary/privesc-yash.yaml
View File

@ -1,10 +1,13 @@
id: privilege-escalation-yash
id: privesc-yash
info:
name: Yash - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/yash/
description: |
yash is a POSIX-compliant command shell that aims to be a lightweight and efficient alternative to other shells such as Bash or Zsh.
reference:
- https://gtfobins.github.io/gtfobins/yash/
metadata:
verified: true
tags: code,linux,yash,privesc
@ -15,29 +18,29 @@ code:
- sh
- bash
source: |
whoami
whoami
#SUID
- engine:
- sh
- bash
source: |
yash -c 'whoami'
yash -c 'whoami'
#SUDO
- engine:
- sh
- bash
source: |
sudo yash -c 'whoami'
sudo yash -c 'whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:

23
code/privilege-escalation/linux/binary/privilege-escalation-zsh.yaml → code/privilege-escalation/linux/binary/privesc-zsh.yaml
View File

@ -1,10 +1,13 @@
id: privilege-escalation-zsh
id: privesc-zsh
info:
name: Zsh - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/zsh/
description: |
zsh is a powerful and feature-rich shell for Unix-like operating systems. It offers advanced interactive features, extensive customization options, and robust scripting capabilities
reference:
- https://gtfobins.github.io/gtfobins/zsh/
metadata:
verified: true
tags: code,linux,zsh,privesc
@ -15,29 +18,29 @@ code:
- sh
- bash
source: |
whoami
whoami
#SUID
- engine:
- sh
- bash
source: |
zsh -c 'whoami'
zsh -c 'whoami'
#SUDO
- engine:
- sh
- bash
source: |
sudo zsh -c 'whoami'
sudo zsh -c 'whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:

23
code/privilege-escalation/linux/binary/privilege-escalation-ash.yaml → code/privilege-escalation/linux/binary/privesc.yaml
View File

@ -1,10 +1,13 @@
id: privilege-escalation-ash
id: privesc-ash
info:
name: Ash - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/ash/
description: |
Ash allows the value of a variable to be set at the same time it is marked read only by writing readonly name=value With no arguments
reference:
- https://gtfobins.github.io/gtfobins/ash/
metadata:
verified: true
tags: code,linux,ash,privesc
@ -15,29 +18,29 @@ code:
- sh
- bash
source: |
whoami
whoami
#SUID
- engine:
- sh
- bash
source: |
ash -c 'whoami'
ash -c 'whoami'
#SUDO
- engine:
- sh
- bash
source: |
sudo ash -c 'whoami'
sudo ash -c 'whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:

46
code/privilege-escalation/linux/binary/privilege-escalation-bash.yaml
View File

@ -1,46 +0,0 @@
id: privilege-escalation-bash
info:
name: Bash - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/bash/
metadata:
verified: true
tags: code,linux,bash,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
bash -c 'whoami'
#SUDO
- engine:
- sh
- bash
source: |
sudo bash -c 'whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

46
code/privilege-escalation/linux/binary/privilege-escalation-cpulimit.yaml
View File

@ -1,46 +0,0 @@
id: privilege-escalation-cpulimit
info:
name: CPUlimit - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/cpulimit/
metadata:
verified: true
tags: code,linux,cpulimit,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
cpulimit -l 100 -f whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo cpulimit -l 100 -f whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

46
code/privilege-escalation/linux/binary/privilege-escalation-csh.yaml
View File

@ -1,46 +0,0 @@
id: privilege-escalation-csh
info:
name: csh - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/csh/
metadata:
verified: true
tags: code,linux,csh,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
csh -c 'whoami'
#SUDO
- engine:
- sh
- bash
source: |
sudo csh -c 'whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

46
code/privilege-escalation/linux/binary/privilege-escalation-csvtool.yaml
View File

@ -1,46 +0,0 @@
id: privilege-escalation-csvtool
info:
name: csvtool - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/csvtool/
metadata:
verified: true
tags: code,linux,csvtool,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
csvtool call 'whoami;false' /etc/passwd
#SUDO
- engine:
- sh
- bash
source: |
sudo csvtool call 'whoami;false' /etc/passwd
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

46
code/privilege-escalation/linux/binary/privilege-escalation-dash.yaml
View File

@ -1,46 +0,0 @@
id: privilege-escalation-dash
info:
name: Dash - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/dash/
metadata:
verified: true
tags: code,linux,dash,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
dash -c 'whoami'
#SUDO
- engine:
- sh
- bash
source: |
sudo dash -c 'whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

46
code/privilege-escalation/linux/binary/privilege-escalation-dc.yaml
View File

@ -1,46 +0,0 @@
id: privilege-escalation-dc
info:
name: dc - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/dc/
metadata:
verified: true
tags: code,linux,dc,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
dc -e '!whoami'
#SUDO
- engine:
- sh
- bash
source: |
sudo dc -e '!whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

46
code/privilege-escalation/linux/binary/privilege-escalation-distcc.yaml
View File

@ -1,46 +0,0 @@
id: privilege-escalation-distcc
info:
name: distcc - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/distcc/
metadata:
verified: true
tags: code,linux,distcc,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
distcc whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo distcc whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

46
code/privilege-escalation/linux/binary/privilege-escalation-elvish.yaml
View File

@ -1,46 +0,0 @@
id: privilege-escalation-elvish
info:
name: elvish - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/elvish/
metadata:
verified: true
tags: code,linux,elvish,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
elvish -c 'whoami'
#SUDO
- engine:
- sh
- bash
source: |
sudo elvish -c 'whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

46
code/privilege-escalation/linux/binary/privilege-escalation-encscript.yaml
View File

@ -1,46 +0,0 @@
id: privilege-escalation-enscript
info:
name: enscript - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/enscript/
metadata:
verified: true
tags: code,linux,enscript,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
enscript /dev/null -qo /dev/null -I 'whoami >&2'
#SUDO
- engine:
- sh
- bash
source: |
sudo enscript /dev/null -qo /dev/null -I 'whoami >&2'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

46
code/privilege-escalation/linux/binary/privilege-escalation-env.yaml
View File

@ -1,46 +0,0 @@
id: privilege-escalation-env
info:
name: env - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/env/
metadata:
verified: true
tags: code,linux,env,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
expect -c 'spawn whoami;interact'
#SUDO
- engine:
- sh
- bash
source: |
sudo expect -c 'spawn whoami;interact'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

46
code/privilege-escalation/linux/binary/privilege-escalation-expect.yaml
View File

@ -1,46 +0,0 @@
id: privilege-escalation-expect
info:
name: expect - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/expect/
metadata:
verified: true
tags: code,linux,expect,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
expect -c 'spawn whoami;interact'
#SUDO
- engine:
- sh
- bash
source: |
sudo expect -c 'spawn whoami;interact'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

46
code/privilege-escalation/linux/binary/privilege-escalation-find.yaml
View File

@ -1,46 +0,0 @@
id: privilege-escalation-find
info:
name: find - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/find/
metadata:
verified: true
tags: code,linux,find,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
find . -exec whoami \; -quit
#SUDO
- engine:
- sh
- bash
source: |
sudo find . -exec whoami \; -quit
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

46
code/privilege-escalation/linux/binary/privilege-escalation-fish.yaml
View File

@ -1,46 +0,0 @@
id: privilege-escalation-fish
info:
name: fish - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/fish/
metadata:
verified: true
tags: code,linux,fish,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
fish -c 'whoami'
#SUDO
- engine:
- sh
- bash
source: |
sudo fish -c 'whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

46
code/privilege-escalation/linux/binary/privilege-escalation-flock.yaml
View File

@ -1,46 +0,0 @@
id: privilege-escalation-flock
info:
name: Flock - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/flock/
metadata:
verified: true
tags: code,linux,flock,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
flock -u / whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo flock -u / whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

46
code/privilege-escalation/linux/binary/privilege-escalation-gawk.yaml
View File

@ -1,46 +0,0 @@
id: privilege-escalation-gawk
info:
name: gawk - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/gawk/
metadata:
verified: true
tags: code,linux,gawk,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
gawk 'BEGIN {system("whoami")}'
#SUDO
- engine:
- sh
- bash
source: |
sudo gawk 'BEGIN {system("whoami")}'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

46
code/privilege-escalation/linux/binary/privilege-escalation-grc.yaml
View File

@ -1,46 +0,0 @@
id: privilege-escalation-grc
info:
name: grc - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/grc/
metadata:
verified: true
tags: code,linux,grc,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
grc --pty whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo grc --pty whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

46
code/privilege-escalation/linux/binary/privilege-escalation-ionice.yaml
View File

@ -1,46 +0,0 @@
id: privilege-escalation-ionice
info:
name: ionice - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/ionice/
metadata:
verified: true
tags: code,linux,ionice,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
ionice whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo ionice whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

46
code/privilege-escalation/linux/binary/privilege-escalation-julia.yaml
View File

@ -1,46 +0,0 @@
id: privilege-escalation-julia
info:
name: Julia - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/julia/
metadata:
verified: true
tags: code,linux,julia,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
julia -e 'run(`whoami`)'
#SUDO
- engine:
- sh
- bash
source: |
sudo julia -e 'run(`whoami`)'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

46
code/privilege-escalation/linux/binary/privilege-escalation-lftp.yaml
View File

@ -1,46 +0,0 @@
id: privilege-escalation-lftp
info:
name: lftp - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/lftp/
metadata:
verified: true
tags: code,linux,lftp,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
lftp -c '!whoami'
#SUDO
- engine:
- sh
- bash
source: |
sudo lftp -c '!whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

46
code/privilege-escalation/linux/binary/privilege-escalation-ltrace.yaml
View File

@ -1,46 +0,0 @@
id: privilege-escalation-ltrace
info:
name: ltrace - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/ltrace/
metadata:
verified: true
tags: code,linux,ltrace,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
ltrace -b -L whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo ltrace -b -L whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

46
code/privilege-escalation/linux/binary/privilege-escalation-lua.yaml
View File

@ -1,46 +0,0 @@
id: privilege-escalation-lua
info:
name: lua - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/lua/
metadata:
verified: true
tags: code,linux,lua,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
lua -e 'os.execute("whoami")'
#SUDO
- engine:
- sh
- bash
source: |
sudo lua -e 'os.execute("whoami")'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

46
code/privilege-escalation/linux/binary/privilege-escalation-mawk.yaml
View File

@ -1,46 +0,0 @@
id: privilege-escalation-mawk
info:
name: mawk - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/mawk/
metadata:
verified: true
tags: code,linux,mawk,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
mawk 'BEGIN {system("whoami")}'
#SUDO
- engine:
- sh
- bash
source: |
sudo mawk 'BEGIN {system("whoami")}'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

46
code/privilege-escalation/linux/binary/privilege-escalation-multitime.yaml
View File

@ -1,46 +0,0 @@
id: privilege-escalation-multitime
info:
name: Multitime - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/multitime/
metadata:
verified: true
tags: code,linux,multitime,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
multitime whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo multitime whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

46
code/privilege-escalation/linux/binary/privilege-escalation-mysql.yaml
View File

@ -1,46 +0,0 @@
id: privilege-escalation-mysql
info:
name: MySQL - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/mysql/
metadata:
verified: true
tags: code,linux,mysql,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
mysql -e '\! whoami'
#SUDO
- engine:
- sh
- bash
source: |
sudo mysql -e '\! whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

46
code/privilege-escalation/linux/binary/privilege-escalation-nawk.yaml
View File

@ -1,46 +0,0 @@
id: privilege-escalation-nawk
info:
name: nawk - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/nawk/
metadata:
verified: true
tags: code,linux,nawk,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
nawk 'BEGIN {system("whoami")}'
#SUDO
- engine:
- sh
- bash
source: |
sudo nawk 'BEGIN {system("whoami")}'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

46
code/privilege-escalation/linux/binary/privilege-escalation-nice.yaml
View File

@ -1,46 +0,0 @@
id: privilege-escalation-nice
info:
name: Nice - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/nice/
metadata:
verified: true
tags: code,linux,nice,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
nice whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo nice whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

54
code/privilege-escalation/linux/binary/privilege-escalation-node.yaml
View File

@ -1,54 +0,0 @@
id: privilege-escalation-node
info:
name: Node - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/node/
metadata:
verified: true
tags: code,linux,node,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
node -e 'require("child_process").spawn("whoami", {stdio: [0, 1, 2]})'
#SUDO
- engine:
- sh
- bash
source: |
sudo node -e 'require("child_process").spawn("whoami", {stdio: [0, 1, 2]})'
#Capabilities
- engine:
- sh
- bash
source: |
node -e 'process.setuid(0); require("child_process").spawn("whoami", {stdio: [0, 1, 2]})'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
- 'contains(code_4_response, "root")'
condition: or

46
code/privilege-escalation/linux/binary/privilege-escalation-nsenter.yaml
View File

@ -1,46 +0,0 @@
id: privilege-escalation-nsenter
info:
name: Nsenter - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/nsenter/
metadata:
verified: true
tags: code,linux,nsenter,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
nsenter whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo nsenter whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or

54
code/privilege-escalation/linux/binary/privilege-escalation-perl.yaml
View File

@ -1,54 +0,0 @@
id: privilege-escalation-perl
info:
name: Perl - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/perl/
metadata:
verified: true
tags: code,linux,perl,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
perl -e 'exec "whoami";'
#SUDO
- engine:
- sh
- bash
source: |
sudo perl -e 'exec "whoami";'
#Capabilities
- engine:
- sh
- bash
source: |
perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "whoami";'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
- 'contains(code_4_response, "root")'
condition: or

54
code/privilege-escalation/linux/binary/privilege-escalation-php.yaml
View File

@ -1,54 +0,0 @@
id: privilege-escalation-php
info:
name: PHP - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/php/
metadata:
verified: true
tags: code,linux,php,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
php -r 'system("whoami");'
#SUDO
- engine:
- sh
- bash
source: |
sudo php -r 'system("whoami");'
#Capabilities
- engine:
- sh
- bash
source: |
php -r "posix_setuid(0); system("whoami");"
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
- 'contains(code_4_response, "root")'
condition: or

Some files were not shown because too many files have changed in this diff Show More