mirror of
https://github.com/anotherhadi/blog.git
synced 2026-07-06 16:52:33 +02:00
new notes
Signed-off-by: Hadi <112569860+anotherhadi@users.noreply.github.com>
This commit is contained in:
@@ -0,0 +1,67 @@
|
|||||||
|
---
|
||||||
|
title: "GRUB Boot Bypass"
|
||||||
|
description: "Physical access techniques to get a root shell by editing GRUB boot parameters."
|
||||||
|
tags: ["linux", "grub", "physical-access", "privesc"]
|
||||||
|
publishDate: 2026-05-18
|
||||||
|
---
|
||||||
|
|
||||||
|
When GRUB is not password-protected, anyone with physical access can edit boot parameters and bypass authentication entirely.
|
||||||
|
|
||||||
|
At the GRUB menu, press **`e`** to edit the selected entry. Modify the line starting with `linux`, then press **`F10`** to boot.
|
||||||
|
|
||||||
|
## Techniques
|
||||||
|
|
||||||
|
### init=/bin/sh
|
||||||
|
|
||||||
|
Replaces the init process with a shell; drops directly into a root shell before any login prompt.
|
||||||
|
|
||||||
|
```
|
||||||
|
linux ... init=/bin/sh
|
||||||
|
```
|
||||||
|
|
||||||
|
Filesystem is mounted read-only by default. Remount to make changes:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
mount -o remount,rw /
|
||||||
|
```
|
||||||
|
|
||||||
|
### init=/bin/bash
|
||||||
|
|
||||||
|
Same as above but uses bash. Add `rw` on the `linux` line to mount read-write from the start:
|
||||||
|
|
||||||
|
```
|
||||||
|
linux ... rw init=/bin/bash
|
||||||
|
```
|
||||||
|
|
||||||
|
### rd.break (systemd)
|
||||||
|
|
||||||
|
Interrupts the boot process in the initramfs, before the real root filesystem is mounted. Useful for resetting the root password.
|
||||||
|
|
||||||
|
```
|
||||||
|
linux ... rd.break
|
||||||
|
```
|
||||||
|
|
||||||
|
From the initramfs shell:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
mount -o remount,rw /sysroot
|
||||||
|
chroot /sysroot
|
||||||
|
passwd root
|
||||||
|
exit
|
||||||
|
```
|
||||||
|
|
||||||
|
### single (single-user mode)
|
||||||
|
|
||||||
|
Boots into maintenance mode. On some distros this drops to a root shell without a password prompt (not Debian/Ubuntu).
|
||||||
|
|
||||||
|
```
|
||||||
|
linux ... single
|
||||||
|
```
|
||||||
|
|
||||||
|
### systemd.unit=rescue.target
|
||||||
|
|
||||||
|
systemd equivalent of single-user mode: minimal services, root shell.
|
||||||
|
|
||||||
|
```
|
||||||
|
linux ... systemd.unit=rescue.target
|
||||||
|
```
|
||||||
@@ -0,0 +1,80 @@
|
|||||||
|
---
|
||||||
|
title: "Linux Privilege Escalation"
|
||||||
|
description: "Common misconfigurations and weaknesses to check when escalating privileges on Linux."
|
||||||
|
tags: ["linux", "privesc", "post-exploitation"]
|
||||||
|
publishDate: 2026-05-18
|
||||||
|
---
|
||||||
|
|
||||||
|
## Sudo
|
||||||
|
|
||||||
|
```bash
|
||||||
|
sudo -l
|
||||||
|
```
|
||||||
|
|
||||||
|
Check [GTFOBins](https://gtfobins.github.io) for any listed binary.
|
||||||
|
|
||||||
|
If `env_keep+=LD_PRELOAD` is set:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# compile a shared lib that spawns a shell
|
||||||
|
gcc -fPIC -shared -o /tmp/shell.so shell.c -nostartfiles
|
||||||
|
sudo LD_PRELOAD=/tmp/shell.so <allowed_binary>
|
||||||
|
```
|
||||||
|
|
||||||
|
## SUID / SGID
|
||||||
|
|
||||||
|
```bash
|
||||||
|
find / -user root -perm -4000 -ls 2>/dev/null # SUID
|
||||||
|
find / -group root -perm -2000 -ls 2>/dev/null # SGID
|
||||||
|
```
|
||||||
|
|
||||||
|
Check any non-standard binary on GTFOBins.
|
||||||
|
|
||||||
|
## Misconfiguration
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# World-writable directories
|
||||||
|
find / -type d -perm -2 -ls 2>/dev/null
|
||||||
|
|
||||||
|
# World-writable files owned by root
|
||||||
|
find / -user root -perm -2 ! -type l -ls 2>/dev/null
|
||||||
|
```
|
||||||
|
|
||||||
|
## Cron Jobs
|
||||||
|
|
||||||
|
```bash
|
||||||
|
cat /etc/crontab
|
||||||
|
ls -la /etc/cron.*
|
||||||
|
crontab -l
|
||||||
|
```
|
||||||
|
|
||||||
|
If a cron runs a script you can write to, replace its content:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
echo 'chmod +s /bin/bash' >> /path/to/script.sh
|
||||||
|
```
|
||||||
|
|
||||||
|
If the cron uses a relative PATH and a directory is writable, drop a malicious binary earlier in `$PATH`.
|
||||||
|
|
||||||
|
## Capabilities
|
||||||
|
|
||||||
|
```bash
|
||||||
|
getcap -r / 2>/dev/null
|
||||||
|
```
|
||||||
|
|
||||||
|
Dangerous capabilities: `cap_setuid`, `cap_net_raw`, `cap_dac_override`.
|
||||||
|
Check [GTFOBins](https://gtfobins.github.io) for exploitation.
|
||||||
|
|
||||||
|
## Kernel Exploits
|
||||||
|
|
||||||
|
```bash
|
||||||
|
uname -r
|
||||||
|
searchsploit linux kernel $(uname -r)
|
||||||
|
```
|
||||||
|
|
||||||
|
## LinPEAS / WinPEAS
|
||||||
|
|
||||||
|
Automated enumeration scripts to surface privesc vectors quickly.
|
||||||
|
|
||||||
|
- [LinPEAS (linux)](https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS)
|
||||||
|
- [WinPEAS (windows)](https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS)
|
||||||
@@ -5,8 +5,6 @@ tags: ["ftp", "network", "service"]
|
|||||||
publishDate: 2026-04-29
|
publishDate: 2026-04-29
|
||||||
---
|
---
|
||||||
|
|
||||||
## Overview
|
|
||||||
|
|
||||||
FTP runs on **port 21** (control) and uses a secondary data channel (port 20 for active, ephemeral port for passive).
|
FTP runs on **port 21** (control) and uses a secondary data channel (port 20 for active, ephemeral port for passive).
|
||||||
Common implementations: vsftpd, ProFTPD, Pure-FTPd, FileZilla Server, IIS FTP.
|
Common implementations: vsftpd, ProFTPD, Pure-FTPd, FileZilla Server, IIS FTP.
|
||||||
|
|
||||||
|
|||||||
@@ -0,0 +1,79 @@
|
|||||||
|
---
|
||||||
|
title: "NFS"
|
||||||
|
description: "Enumeration, mounting and privilege escalation techniques for NFS shares."
|
||||||
|
tags: ["nfs", "network", "service"]
|
||||||
|
publishDate: 2026-05-18
|
||||||
|
---
|
||||||
|
|
||||||
|
NFS (Network File System) runs on **port 2049** and allows remote filesystem mounting over the network.
|
||||||
|
Common on Linux/Unix environments. Access control is defined in `/etc/exports` on the server.
|
||||||
|
|
||||||
|
## Enumeration
|
||||||
|
|
||||||
|
### Nmap
|
||||||
|
|
||||||
|
```bash
|
||||||
|
nmap -sV -p 111,2049 $IP
|
||||||
|
nmap -p 111,2049 --script nfs-* $IP
|
||||||
|
```
|
||||||
|
|
||||||
|
Key scripts:
|
||||||
|
|
||||||
|
- `nfs-showmount`: lists exported shares
|
||||||
|
- `nfs-ls`: lists files in shares
|
||||||
|
- `nfs-statfs`: retrieves disk stats
|
||||||
|
|
||||||
|
### List shares
|
||||||
|
|
||||||
|
```bash
|
||||||
|
showmount -e $IP
|
||||||
|
rpcinfo -p $IP
|
||||||
|
```
|
||||||
|
|
||||||
|
## Mount
|
||||||
|
|
||||||
|
```bash
|
||||||
|
mkdir /mnt/nfs
|
||||||
|
mount -t nfs $IP:/share /mnt/nfs
|
||||||
|
mount -t nfs -o vers=2 $IP:/share /mnt/nfs # force NFSv2
|
||||||
|
umount /mnt/nfs
|
||||||
|
```
|
||||||
|
|
||||||
|
## Privilege Escalation
|
||||||
|
|
||||||
|
### no_root_squash
|
||||||
|
|
||||||
|
If the share is exported with `no_root_squash`, the remote root user keeps root privileges on the share.
|
||||||
|
|
||||||
|
Check `/etc/exports` on the server (if readable):
|
||||||
|
|
||||||
|
```bash
|
||||||
|
cat /etc/exports
|
||||||
|
```
|
||||||
|
|
||||||
|
Look for:
|
||||||
|
|
||||||
|
```
|
||||||
|
/share *(rw,no_root_squash)
|
||||||
|
```
|
||||||
|
|
||||||
|
If present, copy a SUID binary onto the share as root from your attacker machine:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
cp /bin/bash /mnt/nfs/bash
|
||||||
|
chmod +s /mnt/nfs/bash
|
||||||
|
```
|
||||||
|
|
||||||
|
Then execute it on the target with `-p` to keep the SUID effective UID:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
/tmp/nfs/bash -p
|
||||||
|
```
|
||||||
|
|
||||||
|
### UID spoofing
|
||||||
|
|
||||||
|
NFS authenticates by UID. If you know a file is owned by UID 1001 on the server, impersonate it directly:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
python3 -c "import os; os.setuid(1001); os.system('/bin/bash')"
|
||||||
|
```
|
||||||
@@ -0,0 +1,108 @@
|
|||||||
|
---
|
||||||
|
title: "Nmap"
|
||||||
|
description: "Host discovery, port scanning, service detection and NSE scripting"
|
||||||
|
tags: ["nmap", "network", "enumeration"]
|
||||||
|
publishDate: 2026-05-18
|
||||||
|
---
|
||||||
|
|
||||||
|
Nmap is a network scanner used for host discovery, port scanning, service/version detection, OS fingerprinting, and vulnerability scripting via NSE.
|
||||||
|
|
||||||
|
## Host Discovery
|
||||||
|
|
||||||
|
```bash
|
||||||
|
nmap -sn 192.168.1.0/24 # ping sweep, no port scan
|
||||||
|
nmap -sn -PR 192.168.1.0/24 # ARP ping (local network)
|
||||||
|
nmap -Pn $IP # skip host discovery, treat as up
|
||||||
|
```
|
||||||
|
|
||||||
|
## Port Scanning
|
||||||
|
|
||||||
|
```bash
|
||||||
|
nmap $IP # top 1000 ports (SYN scan if root)
|
||||||
|
nmap -p 80,443,8080 $IP # specific ports
|
||||||
|
nmap -p 1-65535 $IP # all ports
|
||||||
|
nmap -p- $IP # shorthand for all ports
|
||||||
|
nmap -sU $IP # UDP scan
|
||||||
|
nmap -sU -sS $IP # UDP + SYN together
|
||||||
|
```
|
||||||
|
|
||||||
|
Scan types:
|
||||||
|
|
||||||
|
- `-sS`: SYN scan (stealth, requires root)
|
||||||
|
- `-sT`: TCP connect scan (no root needed)
|
||||||
|
- `-sU`: UDP scan
|
||||||
|
- `-sA`: ACK scan (firewall rule mapping)
|
||||||
|
- `-sN/sF/sX`: Null, FIN, Xmas (evasion, unreliable on Windows)
|
||||||
|
|
||||||
|
## Service & Version Detection
|
||||||
|
|
||||||
|
```bash
|
||||||
|
nmap -sV $IP
|
||||||
|
nmap -sV --version-intensity 9 $IP # more aggressive probing
|
||||||
|
```
|
||||||
|
|
||||||
|
## OS Detection
|
||||||
|
|
||||||
|
```bash
|
||||||
|
nmap -O $IP
|
||||||
|
nmap -O --osscan-guess $IP # guess if not confident
|
||||||
|
```
|
||||||
|
|
||||||
|
## Aggressive Scan
|
||||||
|
|
||||||
|
```bash
|
||||||
|
nmap -A $IP # -sV -O --script=default --traceroute
|
||||||
|
```
|
||||||
|
|
||||||
|
## Timing Templates
|
||||||
|
|
||||||
|
```bash
|
||||||
|
nmap -T0 $IP # paranoid (IDS evasion, very slow)
|
||||||
|
nmap -T1 $IP # sneaky
|
||||||
|
nmap -T3 $IP # normal (default)
|
||||||
|
nmap -T4 $IP # aggressive (faster, good for CTFs)
|
||||||
|
nmap -T5 $IP # insane (may miss results)
|
||||||
|
```
|
||||||
|
|
||||||
|
## NSE Scripts
|
||||||
|
|
||||||
|
```bash
|
||||||
|
nmap --script default $IP
|
||||||
|
nmap --script vuln $IP
|
||||||
|
nmap --script "ftp-*" $IP
|
||||||
|
nmap --script safe $IP
|
||||||
|
nmap --script $script --script-args user=$user,pass=$password $IP
|
||||||
|
```
|
||||||
|
|
||||||
|
Common script categories: `auth`, `brute`, `default`, `discovery`, `dos`, `exploit`, `intrusive`, `safe`, `version`, `vuln`.
|
||||||
|
|
||||||
|
Scripts are located in `/usr/share/nmap/scripts/`.
|
||||||
|
|
||||||
|
## Output Formats
|
||||||
|
|
||||||
|
```bash
|
||||||
|
nmap -oN output.txt $IP # normal
|
||||||
|
nmap -oX output.xml $IP # XML
|
||||||
|
nmap -oG output.gnmap $IP # grepable
|
||||||
|
nmap -oA output $IP # all three at once
|
||||||
|
```
|
||||||
|
|
||||||
|
## Common Profiles
|
||||||
|
|
||||||
|
Quick full scan:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
nmap -p- -T4 --min-rate 5000 -sV -sC -oA full $IP
|
||||||
|
```
|
||||||
|
|
||||||
|
CTF/lab initial recon:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
nmap -sV -sC -p- --open $IP
|
||||||
|
```
|
||||||
|
|
||||||
|
UDP top ports:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
nmap -sU --top-ports 100 $IP
|
||||||
|
```
|
||||||
@@ -5,8 +5,6 @@ tags: ["rdp", "network", "service"]
|
|||||||
publishDate: 2026-05-04
|
publishDate: 2026-05-04
|
||||||
---
|
---
|
||||||
|
|
||||||
## Overview
|
|
||||||
|
|
||||||
RDP (Remote Desktop Protocol) runs on **port 3389** and provides a graphical remote session.
|
RDP (Remote Desktop Protocol) runs on **port 3389** and provides a graphical remote session.
|
||||||
Common on Windows servers and workstations.
|
Common on Windows servers and workstations.
|
||||||
|
|
||||||
|
|||||||
@@ -5,8 +5,6 @@ tags: ["ssh", "network", "service"]
|
|||||||
publishDate: 2026-05-04
|
publishDate: 2026-05-04
|
||||||
---
|
---
|
||||||
|
|
||||||
## Overview
|
|
||||||
|
|
||||||
SSH runs on **port 22** and provides an encrypted remote shell.
|
SSH runs on **port 22** and provides an encrypted remote shell.
|
||||||
Common implementations: OpenSSH, Dropbear, Bitvise.
|
Common implementations: OpenSSH, Dropbear, Bitvise.
|
||||||
|
|
||||||
|
|||||||
@@ -5,8 +5,6 @@ tags: ["telnet", "network", "service"]
|
|||||||
publishDate: 2026-05-04
|
publishDate: 2026-05-04
|
||||||
---
|
---
|
||||||
|
|
||||||
## Overview
|
|
||||||
|
|
||||||
Telnet runs on **port 23** and transmits all data (including credentials) in **cleartext**.
|
Telnet runs on **port 23** and transmits all data (including credentials) in **cleartext**.
|
||||||
Common on embedded devices, legacy systems, routers, and IoT equipment.
|
Common on embedded devices, legacy systems, routers, and IoT equipment.
|
||||||
|
|
||||||
|
|||||||
@@ -32,7 +32,7 @@ If the page has been taken down or modified, the cached version may still show t
|
|||||||
|
|
||||||
## Domain History
|
## Domain History
|
||||||
|
|
||||||
[VirusTotal](https://www.virustotal.com) shows the historical DNS records, subdomains, and associated IPs for any domain — useful when a site has moved or been taken down.
|
[VirusTotal](https://www.virustotal.com) shows the historical DNS records, subdomains, and associated IPs for any domaint useful when a site has moved or been taken down.
|
||||||
|
|
||||||
[ViewDNS.info](https://viewdns.info) covers WHOIS history, reverse IP, reverse MX, and port scans from a single interface.
|
[ViewDNS.info](https://viewdns.info) covers WHOIS history, reverse IP, reverse MX, and port scans from a single interface.
|
||||||
|
|
||||||
|
|||||||
@@ -44,9 +44,9 @@ tweet_id = 1234567890123456789
|
|||||||
timestamp_ms = (tweet_id >> 22) + 1288834974657
|
timestamp_ms = (tweet_id >> 22) + 1288834974657
|
||||||
```
|
```
|
||||||
|
|
||||||
`1288834974657` is Twitter's custom epoch (Nov 4, 2010). Works on both tweet IDs and user IDs — useful to confirm account creation date without needing profile metadata.
|
`1288834974657` is Twitter's custom epoch (Nov 4, 2010). Works on both tweet IDs and user IDs: useful to confirm account creation date without needing profile metadata.
|
||||||
|
|
||||||
Several online converters exist if you don't want to do it manually — search "snowflake id decoder".
|
Several online converters exist if you don't want to do it manually: search "snowflake id decoder".
|
||||||
|
|
||||||
### Direct profile URL by ID
|
### Direct profile URL by ID
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user