---
name: pentest-privesc
description: Privilege escalation methodology, Linux + Windows + container escape advisory. LinPEAS/WinPEAS analysis, SUID/capability abuse, kernel exploit selection. Triggers on privesc, privilege escalation, LinPEAS, WinPEAS, SUID, capability, sudo abuse, kernel exploit, Windows token, UAC bypass.
license: MIT
compatibility: Works with Claude Code
allowed-tools: Read Write Edit Bash Grep
metadata:
  author: badi
  badi-version: ">=1.24.0"
  category: pentest
  scope: advisory
  inspired-by: 0xSteph/pentest-ai-agents privesc-advisor
---

# pentest-privesc

Linux + Windows + container privesc analysis. The user pastes LinPEAS/WinPEAS output; the skill prioritizes the findings and proposes an exploit path.

## Triggers

- "linpeas output"
- "winpeas output"
- "how to privesc"
- "SUID binary"
- "sudo abuse"
- "kernel exploit selection"
- "container escape"
- "UAC bypass"

## Linux Privesc Vector List

| Vector | Detection | Exploit method |
|--------|-----------|----------------|
| SUID binary | `find / -perm -4000` | GTFOBins lookup |
| Capability | `getcap -r / 2>/dev/null` | CAP_SETUID, CAP_DAC_READ_SEARCH |
| Sudo rule | `sudo -l` | GTFOBins (NOPASSWD bins) |
| Writable /etc/passwd | `ls -la /etc/passwd` | `echo "evil:x:0:0..." >>` |
| Writable cron | `find /etc/cron* -writable` | Add a script |
| Path injection | sudo + relative path | `PATH=/tmp:$PATH; ./binary` |
| Kernel exploit | `uname -a` | exploit-db version match |
| LD_PRELOAD | sudo `env_keep` | malicious .so |
| Docker socket | `/var/run/docker.sock` readable | Container breakout |
| NFS no_root_squash | mount source | Create a file as UID 0 |
| systemd timer writable | `/etc/systemd/*` | Timer override |
| Wildcard injection | tar/rsync wildcard | `--checkpoint-action` |

## LinPEAS Output Analysis

The user pastes the LinPEAS output; the skill reads it in this order:

1. SUID binary list -> filter down to what GTFOBins marks as exploitable
2. Capability output -> prioritize CAP_SETUID / CAP_NET_ADMIN
3. Sudo rules -> NOPASSWD + GTFOBins
4. Cron + writable -> the add-a-script path
5. PATH analysis -> is any entry writable
6. Kernel version -> Dirty Pipe, OverlayFS, Sequoia and the like

GTFOBins quick reference: https://gtfobins.github.io with the "shell", "sudo", "suid", "capabilities" and "file write" filters.
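Worked example of that reading order as a triage script (added here; it is not code from the pentest-privesc skill). It parses a constructed LinPEAS-style sample, ranks sudo rules, file capabilities and SUID binaries, and attaches a defensive fix to each finding. `GTFOBINS`, `HIGH_CAPS` and `EXPECTED_SUID` are small hand-maintained lists assumed for the example, not the live GTFOBins database.

```python
"""Triage helper for pasted LinPEAS-style output (added example, not part of
the skill). Covers the sudo, capability and SUID steps of the reading order
and ranks each finding: 1 = quick win, 2 = needs manual review, 3 = info."""
import re
from dataclasses import dataclass

# Assumption: abbreviated GTFOBins subset; each of these hands a shell or an
# arbitrary file write to whoever can run it as root. Extend from the site.
GTFOBINS = {"find", "vim", "vi", "python", "python3", "perl", "bash", "sh",
            "less", "more", "awk", "env", "nmap", "tar", "cp", "systemctl"}
# Capabilities that are root-equivalent on their own (flagged only if effective).
HIGH_CAPS = {"cap_setuid", "cap_setgid", "cap_dac_read_search",
             "cap_dac_override", "cap_sys_admin", "cap_sys_ptrace"}
# Stock SUID binaries shipped by most distros; reported as informational only.
EXPECTED_SUID = {"su", "sudo", "passwd", "mount", "umount", "newgrp",
                 "chsh", "chfn", "gpasswd", "fusermount3", "pkexec"}

@dataclass
class Finding:
    priority: int
    vector: str
    detail: str
    fix: str

# "(ALL) NOPASSWD: /usr/bin/find" -> runas, tags (NOPASSWD:, SETENV:, ...), commands
SUDO_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")
# Both getcap layouts: "/usr/bin/ping cap_net_raw=ep" and "/path = cap_setuid+ep"
CAP_RE = re.compile(r"^(?P<path>/\S+)\s*=?\s*(?P<caps>cap_\S+)$")

def _sudo_findings(line):
    m = SUDO_RE.match(line)
    if not m:
        return []
    nopasswd = "NOPASSWD:" in m.group("tags")
    out = []
    for cmd in (c.strip() for c in m.group("cmds").split(",")):
        if not cmd:
            continue
        name = cmd.split()[0].rsplit("/", 1)[-1]
        # A rule that pins arguments ("systemctl restart nginx") only allows
        # exactly those arguments, so the GTFOBins trick does not apply.
        args_pinned = cmd != "ALL" and len(cmd.split()) > 1
        known = (cmd == "ALL" or name in GTFOBINS) and not args_pinned
        prio = 1 if (nopasswd and known) else 2 if (nopasswd or known) else 3
        out.append(Finding(prio, "sudo", f"({m.group('runas')}) {m.group('tags')}{cmd}",
                           "Drop NOPASSWD or restrict the rule to a wrapper that cannot spawn a shell"))
    return out

def _cap_finding(path, caps):
    flags = re.split(r"[=+]", caps)[-1]           # e.g. "ep"
    hot = sorted(set(re.findall(r"cap_[a-z_]+", caps)) & HIGH_CAPS)
    prio = 1 if hot and "e" in flags else 3
    fix = ("Remove with setcap -r; never grant %s to an interpreter" % ", ".join(hot)
           if hot else "Expected for this binary; keep under review")
    return Finding(prio, "capability", f"{path} {caps}", fix)

def _is_suid_listing(line):
    f = line.split()            # ls -l style: perms links owner group size date... path
    return (len(f) >= 9 and len(f[0]) == 10 and f[0][0] == "-" and f[0][3] == "s"
            and any(x.startswith("/") for x in f[8:]))

def _suid_finding(line):
    f = line.split()
    owner, path = f[2], next(x for x in f[8:] if x.startswith("/"))
    name = path.rsplit("/", 1)[-1]
    if owner != "root" or name in EXPECTED_SUID:
        prio, fix = 3, "Standard SUID binary; verify package checksum and patch level"
    elif name in GTFOBINS:
        prio, fix = 1, "chmod u-s, or move the workflow to sudo with a pinned command"
    else:
        prio, fix = 2, "Non-standard SUID binary; review its source, or chmod u-s"
    return Finding(prio, "suid", f"{path} (owner {owner})", fix)

def triage(text):
    """Return findings sorted by priority (stable, so scan order is kept within a tier)."""
    findings = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("("):
            findings.extend(_sudo_findings(line))
        elif CAP_RE.match(line):
            m = CAP_RE.match(line)
            findings.append(_cap_finding(m.group("path"), m.group("caps")))
        elif _is_suid_listing(line):
            findings.append(_suid_finding(line))
    return sorted(findings, key=lambda f: f.priority)

def report(text):
    return "\n".join(f"[P{f.priority}] {f.vector:<10} {f.detail}\n    fix: {f.fix}"
                     for f in triage(text))

# Constructed sample resembling LinPEAS sections (not real scan output).
SAMPLE = """\
╔══════════╣ Checking 'sudo -l'
User webapp may run the following commands on host:
    (ALL) NOPASSWD: /usr/bin/find
    (root) /usr/bin/systemctl restart nginx
╔══════════╣ Capabilities
/usr/bin/ping cap_net_raw=ep
/usr/local/bin/python3.10 = cap_setuid+ep
╔══════════╣ SUID - Check easy privesc
-rwsr-xr-x 1 root root 55K Feb 21  2022 /usr/bin/passwd
-rwsr-xr-x 1 root root 31K Feb 21  2022 /opt/backup/legacy_sync
-rwsr-xr-x 1 root root 87K Feb 21  2022 /usr/bin/vim
"""

if __name__ == "__main__":
    print(report(SAMPLE))
```

On the sample the three quick wins come out first (the NOPASSWD `find` rule, the `cap_setuid` on a Python interpreter, the SUID `vim`), the unknown `/opt/backup/legacy_sync` binary is queued for manual review, and `passwd`, `ping` and the argument-pinned `systemctl` rule drop to informational.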

## Windows Privesc Vector

| Vector | Detection | Exploit |
|--------|-----------|---------|
| Unquoted service path | `wmic service get name,pathname` | Space in the path + binary plant |
| AlwaysInstallElevated | `reg query HKLM\Software\Policies\Microsoft\Windows\Installer` | Elevation via MSI |
| Token impersonation | `whoami /priv` | SeImpersonate / SeAssignPrimaryToken |
| Stored creds | `cmdkey /list`, `runas /savecred` | Use the saved credentials |
| Weak service ACL | `accesschk.exe -uwcqv "Authenticated Users" *` | Service modify |
| Registry autorun | `HKLM\...\Run` writable | Persistence + elevation |
| Scheduled task | `schtasks /query` | Task command override |
| DLL hijacking | Process Monitor | Missing DLL plant |
| Local admin via UAC bypass | UAC level Auto | fodhelper.exe, eventvwr.exe |
| Print Spooler | PrintNightmare CVE-2021-1675 | Local driver install |

## WinPEAS Output Analysis

WinPEAS output is color-coded -> prioritize red/yellow. The skill gives an EXTENSIVE explanation for each red finding and context for each yellow finding.

## Token Impersonation (Windows)

```
Is SeImpersonatePrivilege present?
  -> YES: JuicyPotato (Win 10 < 1809), RoguePotato, PrintSpoofer (modern)
  -> Gains local SYSTEM

SeAssignPrimaryToken:
  -> Create a SYSTEM process via CreateProcessAsUser
```

## Kernel Exploit Selection

```bash
# Linux
uname -r                            # version
cat /etc/os-release                 # distro
ldd --version | head -1             # glibc version

# Exploit-DB lookup (offline searchsploit)
searchsploit "Linux Kernel <version> Local"
searchsploit Sequoia                # CVE-2021-33909
searchsploit "Dirty Pipe"           # CVE-2022-0847
searchsploit PwnKit                 # CVE-2021-4034
```

```cmd
:: Windows
systeminfo                          :: version, hotfixes
wmic qfe                            :: patch list

:: Windows-Exploit-Suggester (offline)
python wes.py systeminfo.txt
```
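To make the version step reproducible, an added example (not part of the skill) that checks a `uname -r` string against the Dirty Pipe and Sequoia fix releases. `KERNEL_CVES` is a hand-maintained table taken from the public advisories and the distro-kernel heuristic is an assumption. The verdict worth noting is `candidate-distro-kernel`: Ubuntu's `5.15.0-86-generic` parses as 5.15.0 and would look vulnerable to Dirty Pipe, but distro kernels backport fixes without changing the upstream number, so such a hit is only a lead to confirm against the distro changelog. PwnKit is deliberately absent from the table because it is a polkit (userland) bug that no kernel version can answer.

```python
"""Kernel version check for the CVEs named above (added example, not part of
the skill). Verdicts: not-affected, vulnerable-by-version, fixed-by-version,
candidate-distro-kernel (confirm via distro changelog), unknown-branch."""
import re

# Assumption: hand-maintained table from the advisories. "introduced" is the
# first affected mainline release; "fixed_in" is the first fixed release on
# each stable branch that was maintained at the time.
KERNEL_CVES = {
    "CVE-2022-0847 (Dirty Pipe)": {
        "introduced": (5, 8, 0),
        "fixed_in": [(5, 16, 11), (5, 15, 25), (5, 10, 102)],
    },
    "CVE-2021-33909 (Sequoia)": {
        "introduced": (3, 16, 0),
        "fixed_in": [(5, 13, 4), (5, 12, 19), (5, 10, 52), (5, 4, 134)],
    },
}
# CVE-2021-4034 (PwnKit) lives in polkit's pkexec, a userland package: the
# kernel version says nothing about it; check the polkit package instead.

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?P<rest>.*)$")

def parse_uname_r(uname_r):
    """Return ((major, minor, patch), is_distro_build) for a `uname -r` string."""
    m = VERSION_RE.match(uname_r.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {uname_r!r}")
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    # Heuristic (assumption): an ABI/build number directly after the upstream
    # version, e.g. 5.15.0-86-generic or 5.14.0-362.8.1.el9_3, marks a distro
    # kernel whose patch level is not encoded in the upstream number.
    is_distro = re.match(r"-\d+[.-]", m.group("rest")) is not None
    return version, is_distro

def assess(uname_r):
    """Map each CVE in the table to a verdict for the given kernel release."""
    version, is_distro = parse_uname_r(uname_r)
    verdicts = {}
    for cve, info in KERNEL_CVES.items():
        if version < info["introduced"]:
            verdicts[cve] = "not-affected"
            continue
        branch_fix = next((f for f in info["fixed_in"] if f[:2] == version[:2]), None)
        if branch_fix is None:
            # No entry for this stable branch: anything at or past the newest
            # fix is mainline-fixed, anything older needs a changelog lookup.
            verdicts[cve] = ("fixed-by-version" if version >= max(info["fixed_in"])
                             else "unknown-branch")
        elif version >= branch_fix:
            verdicts[cve] = "fixed-by-version"
        elif is_distro:
            verdicts[cve] = "candidate-distro-kernel"
        else:
            verdicts[cve] = "vulnerable-by-version"
    return verdicts

if __name__ == "__main__":
    import platform  # platform.release() is `uname -r` on Linux
    for release in ("5.15.0-86-generic", "5.10.90", "5.4.100", platform.release()):
        print(release, assess(release))
```

Anything reported as `vulnerable-by-version` on a vanilla kernel is a real match; a `candidate-distro-kernel` verdict needs the distro's package changelog (for example `apt changelog linux-image-$(uname -r)` on Debian/Ubuntu) before it is treated as a finding.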

## Container Escape

```bash
# Pod RBAC check
kubectl auth can-i --list

# Privileged container detection
grep CapEff /proc/self/status         # effective capability mask
ls /dev | grep -i sd                  # host disks visible?
mount | grep /etc/hostname            # trace of a host mount
```

Common escapes:

- privileged: true + mount host /
- hostPID: true + nsenter -t 1 ...
- Docker socket bind /var/run/docker.sock
- CAP_SYS_ADMIN + cgroups release_agent
- runc CVE-2024-21626 (leaking file descriptor)
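The `CapEff` line above is a hex bitmask, so here is an added example (not the skill's own code) that decodes it and applies the two other checks a hardened container should pass, `Seccomp` and `NoNewPrivs`. The capability bit table follows the kernel's numbering; the two status samples are constructed, not captured from a real container, and the `RISKY_CAPS` set is a judgement call assumed for the example.

```python
"""Decode /proc/self/status for the privileged-container check (added example,
not part of the skill)."""
import re

# Kernel capability bit numbering (bit 0 = CAP_CHOWN ... bit 40 = CAP_CHECKPOINT_RESTORE).
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]
# Assumption: capabilities that on their own let a container reach the host
# kernel, host devices or other processes; each is a finding by itself.
RISKY_CAPS = {"cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_sys_rawio",
              "cap_dac_read_search", "cap_net_admin", "cap_bpf"}
# Every kernel since 3.16 knows bits 0..37; a mask covering all of them is the
# --privileged signature no matter how many newer bits the kernel adds.
FULL_BASE_MASK = (1 << 38) - 1

def decode_capeff(hex_mask):
    """Turn a CapEff hex value into the list of cap_* names it contains."""
    mask = int(hex_mask, 16)
    return [f"cap_{name}" for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1]

def assess_status(status_text):
    """Summarize the privilege posture from the text of a /proc/<pid>/status file."""
    fields = dict(re.findall(r"^(\w+):\s*(.*)$", status_text, re.M))
    mask = int(fields["CapEff"], 16)
    caps = decode_capeff(fields["CapEff"])
    return {
        "privileged": (mask & FULL_BASE_MASK) == FULL_BASE_MASK,
        "risky_caps": sorted(set(caps) & RISKY_CAPS),
        "cap_count": len(caps),
        "seccomp_filter": fields.get("Seccomp") == "2",   # 0 = none, 2 = filter mode
        "no_new_privs": fields.get("NoNewPrivs") == "1",
    }

def assess_self():
    """Assess the calling process (Linux only)."""
    with open("/proc/self/status") as fh:
        return assess_status(fh.read())

# Constructed samples: the default Docker capability set with the default
# seccomp profile, and a --privileged container with no filter at all.
DEFAULT_CONTAINER = ("Name:\tsh\nNoNewPrivs:\t0\nSeccomp:\t2\n"
                     "CapInh:\t0000000000000000\nCapPrm:\t00000000a80425fb\n"
                     "CapEff:\t00000000a80425fb\n")
PRIVILEGED_CONTAINER = ("Name:\tsh\nNoNewPrivs:\t0\nSeccomp:\t0\n"
                        "CapEff:\t000001ffffffffff\n")

if __name__ == "__main__":
    for label, sample in (("default", DEFAULT_CONTAINER), ("privileged", PRIVILEGED_CONTAINER)):
        print(label, assess_status(sample))
```

Inside a real pod run `assess_self()`; a result with `privileged` true, any `risky_caps`, or `seccomp_filter` false is what the "privileged container detection" step above is looking for, and it is also what an admission policy (for example a Pod Security Standards `restricted` profile) is meant to prevent from being scheduled in the first place.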

## Output Template

```markdown
## Privesc Path — <target>

### Findings
- Linux Ubuntu 22.04.3 LTS, kernel 5.15.0-86
- User "webapp" -> NOPASSWD sudo for /usr/bin/find
- /etc/cron.d/backup writable

### Prioritization
1. [QUICK WIN] sudo find . -exec /bin/sh \; -quit  (GTFOBins)
   -> single command, instant root
2. [BACKUP] cron writable, automatic root command after 5 min
3. [KERNEL] PwnKit (CVE-2021-4034): check whether it is patched, skip by default

### Recommendations (defensive)
- Remove find from sudo (the NOPASSWD scope is far too broad)
- Cron permissions root:root 644
- pkexec: /usr/bin/pkexec PIE + libc audit
```

## Out-of-Scope

- Creating persistent backdoors (outside the engagement)
- Making changes to production systems after compromise
- Running exploits without authorization
