Commit
Showing 23 changed files with 869 additions and 2 deletions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,28 @@ | ||
name: Publish Monkeys using Sphinx | ||
|
||
on: | ||
push: | ||
branches: | ||
- 'main' | ||
|
||
jobs: | ||
build-docs: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Checkout | ||
uses: actions/checkout@v2 | ||
- uses: actions/setup-python@v3 | ||
- name: Install dependencies | ||
run: | | ||
pip install sphinx==5.1.0 sphinx_rtd_theme myst-parser sphinx-markdown-tables | ||
- name: Build documentation | ||
run: | | ||
make html | ||
- name: Deploy | ||
uses: peaceiris/actions-gh-pages@v3 | ||
if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }} | ||
with: | ||
publish_branch: gh-pages | ||
github_token: ${{ secrets.GITHUB_TOKEN }} | ||
publish_dir: build/html/ | ||
force_orphan: true |
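Review bot: the workflow runs with the repository's default `GITHUB_TOKEN` scope and pins every action only by a mutable major tag (`actions/checkout@v2`, `actions/setup-python@v3`, `peaceiris/actions-gh-pages@v3`), so a retargeted tag on the third-party deploy action would run with whatever write access the default grants. Add a top-level `permissions:` block limited to `contents: write` (the only scope the deploy step needs to push `gh-pages`) and pin `peaceiris/actions-gh-pages` to a full commit SHA. Two smaller points: in the `pip install` line only `sphinx==5.1.0` is pinned, so `sphinx_rtd_theme`, `myst-parser` and `sphinx-markdown-tables` float and a future release can change or break the published site; and the `if:` condition on the deploy step is already implied by the `on: push: branches: ['main']` trigger, so it is either redundant or should carry a comment saying it is deliberate defence in depth.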
@@ -0,0 +1,33 @@ | ||
# Byte-compiled / optimized / DLL files | ||
__pycache__/ | ||
*.py[cod] | ||
*$py.class | ||
|
||
# Mac custom attributes file (Desktop Service Store) | ||
.DS_Store | ||
|
||
# PyCharm files | ||
.idea/ | ||
|
||
# Instance Folder - used for run-time files | ||
instance/*.cfg | ||
instance/*.db | ||
instance/*.log | ||
instance/*.log* | ||
|
||
# Log Files | ||
instance/logs/ | ||
*.log | ||
|
||
# Coverage output | ||
.coverage | ||
htmlcov/ | ||
|
||
# Virtual Environment | ||
/venv/ | ||
|
||
# pytest files | ||
.pytest_cache/ | ||
|
||
# Not the static site, will be generated on push | ||
build/ |
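Review bot: `instance/*.log` is subsumed by `instance/*.log*` on the next line, and both are subsumed by the later `*.log`, so three of the log patterns are redundant; the whole `instance/` block reads like a Flask project template and has no counterpart in a Sphinx tree. Keeping `*.log`, `instance/` and `build/` would express the same intent with fewer lines.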
@@ -0,0 +1,20 @@ | ||
# Minimal makefile for Sphinx documentation | ||
# | ||
|
||
# You can set these variables from the command line, and also | ||
# from the environment for the first two. | ||
SPHINXOPTS ?= | ||
SPHINXBUILD ?= sphinx-build | ||
SOURCEDIR = source | ||
BUILDDIR = build | ||
|
||
# Put it first so that "make" without argument is like "make help". | ||
help: | ||
@$(SPHINXBUILD) -M help "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O) | ||
|
||
.PHONY: help Makefile | ||
|
||
# Catch-all target: route all unknown targets to Sphinx using the new | ||
# "make mode" option. $(O) is meant as a shortcut for $(SPHINXOPTS). | ||
%: Makefile | ||
@$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O) |
@@ -1,2 +1,32 @@ | ||
# red-escalation | ||
Privilege escalation | ||
# Monkeys | ||
|
||
![Publish Monkeys using Sphinx](https://github.com/tymyrddin/red-escalation/workflows/Publish%20Monkeys%20using%20Sphinx/badge.svg?branch=main) | ||
Deployed: https://tymyrddin.github.io/red-escalation/ | ||
|
||
Built with [Sphinx](https://www.sphinx-doc.org) using a [theme](https://github.com/readthedocs/sphinx_rtd_theme) provided | ||
by [Read the Docs](https://readthedocs.org/). | ||
|
||
## Requirements | ||
|
||
* sphinx — sphinx package | ||
* sphinx-rtd-theme — a theme package | ||
* myst-parser — parsing `.md` files | ||
* sphinx-markdown-tables — package for Markdown tables support | ||
|
||
## Usage | ||
|
||
Add or change documents in the source folder. | ||
|
||
Make the build: | ||
```bash | ||
$ make html | ||
``` | ||
|
||
## Problems or Suggestions | ||
|
||
This project welcomes contributions and suggestions. | ||
|
||
[Open an issue here](https://github.com/tymyrddin/red-escalation/issues) | ||
|
||
## Mind | ||
Where you stand depends on where you sit, and all threats are cross-vector threats. Without a clear mandate for testing, measuring and reporting actual improvements in security, attempts at improving security makes absolutely no sense, not even for the low-hanging fruit. |
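Review bot: the `## Usage` section goes straight to `make html` but never tells the reader to install the packages listed under `## Requirements`, nor which directory to run `make` from (the Makefile in this commit uses `SOURCEDIR = source` relative to the repository root, and the workflow runs `make html` there with no `working-directory`). Add an install step, ideally the same `pip install sphinx==5.1.0 sphinx_rtd_theme myst-parser sphinx-markdown-tables` line the workflow uses, so a local build matches CI. Also, the two removed lines (`# red-escalation` / `Privilege escalation`) were the only place the README named its subject; the new `# Monkeys` title and the `## Mind` paragraph do not, so a one-line description of what is documented is worth restoring.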
@@ -0,0 +1,35 @@ | ||
@ECHO OFF | ||
|
||
pushd %~dp0 | ||
|
||
REM Command file for Sphinx documentation | ||
|
||
if "%SPHINXBUILD%" == "" ( | ||
set SPHINXBUILD=sphinx-build | ||
) | ||
set SOURCEDIR=source | ||
set BUILDDIR=build | ||
|
||
%SPHINXBUILD% >NUL 2>NUL | ||
if errorlevel 9009 ( | ||
echo. | ||
echo.The 'sphinx-build' command was not found. Make sure you have Sphinx | ||
echo.installed, then set the SPHINXBUILD environment variable to point | ||
echo.to the full path of the 'sphinx-build' executable. Alternatively you | ||
echo.may add the Sphinx directory to PATH. | ||
echo. | ||
echo.If you don't have Sphinx installed, grab it from | ||
echo.https://www.sphinx-doc.org/ | ||
exit /b 1 | ||
) | ||
|
||
if "%1" == "" goto help | ||
|
||
%SPHINXBUILD% -M %1 %SOURCEDIR% %BUILDDIR% %SPHINXOPTS% %O% | ||
goto end | ||
|
||
:help | ||
%SPHINXBUILD% -M help %SOURCEDIR% %BUILDDIR% %SPHINXOPTS% %O% | ||
|
||
:end | ||
popd |
@@ -0,0 +1,36 @@ | ||
h1 { | ||
color: #DD0000; | ||
} | ||
|
||
a { | ||
color: #DD0000; | ||
} | ||
|
||
a:hover { | ||
color: #FF0000; | ||
} | ||
|
||
.wy-nav .wy-menu-vertical header { | ||
color: #DD0000 | ||
} | ||
|
||
.wy-menu-vertical header, .wy-menu-vertical p.caption { | ||
color: #DD0000; | ||
} | ||
|
||
.wy-side-nav-search { | ||
background-color: #333333; | ||
color: #fcfcfc; | ||
} | ||
|
||
.wy-side-nav-search input[type="text"] { | ||
width: 100%; | ||
border-radius: 0px; | ||
padding: 6px 12px; | ||
border-color: #DD0000; | ||
} | ||
|
||
.highlight { | ||
background: #333; | ||
color: #ddd; | ||
} |
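Review bot: the `.wy-nav .wy-menu-vertical header` rule is missing the semicolon after `color: #DD0000`; it parses because it is the last declaration in the block, but every other rule in the file terminates its declarations, so add it for consistency. `#DD0000` also appears five times; a single CSS custom property (for example `--accent`) declared once would make the accent colour a one-line change.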
@@ -0,0 +1,4 @@ | ||
{% extends "!footer.html" %} | ||
{%- block contentinfo %} | ||
<a href="https://uu.tymyrddin.dev">Unseen University</a>, 2022 | ||
{% endblock %} |
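Review bot: the year `2022` is hard-coded in the template while `conf.py` in this same commit sets `copyright = '2022, Ty Myrddin'` and turns off `html_show_copyright`, so the date is maintained in two places and the footer will silently go stale. Rendering `{{ copyright }}` in the block, or dropping the year altogether, keeps one source of truth.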
@@ -0,0 +1,99 @@ | ||
# Configuration file for the Sphinx documentation builder. | ||
# | ||
# For the full list of built-in configuration values, see the documentation: | ||
# https://www.sphinx-doc.org/en/master/usage/configuration.html | ||
|
||
# -- Project information ----------------------------------------------------- | ||
# https://www.sphinx-doc.org/en/master/usage/configuration.html#project-information | ||
|
||
project = 'Monkeys know what tree to climb' | ||
copyright = '2022, Ty Myrddin' | ||
author = 'Ty Myrddin' | ||
release = '0.1' | ||
|
||
# -- General configuration --------------------------------------------------- | ||
|
||
# Add any Sphinx extension module names here, as strings. They can be | ||
# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom | ||
# ones. | ||
extensions = [ | ||
'myst_parser', | ||
'sphinx_markdown_tables', | ||
'sphinx.ext.intersphinx', | ||
] | ||
|
||
source_suffix = ['.rst', '.md'] | ||
|
||
# Add any paths that contain templates here, relative to this directory. | ||
templates_path = ['_templates'] | ||
|
||
# List of patterns, relative to source directory, that match files and | ||
# directories to ignore when looking for source files. | ||
# This pattern also affects html_static_path and html_extra_path. | ||
exclude_patterns = [] | ||
|
||
|
||
# -- Options for HTML output ------------------------------------------------- | ||
|
||
# The theme to use for HTML and HTML Help pages. See the documentation for | ||
# a list of builtin themes. | ||
# | ||
html_theme = 'sphinx_rtd_theme' | ||
|
||
html_theme_options = { | ||
'display_version': True, | ||
'prev_next_buttons_location': 'bottom', | ||
'style_external_links': True, | ||
# Toc options | ||
'collapse_navigation': False, | ||
'sticky_navigation': False, | ||
'navigation_depth': 3, | ||
'includehidden': True, | ||
'titles_only': False | ||
} | ||
|
||
html_title = "Monkeys know what tree to climb" | ||
html_logo = "img/logo.png" | ||
html_favicon = "img/favicon.ico" | ||
|
||
|
||
# Add any paths that contain custom static files (such as style sheets) here, | ||
# relative to this directory. They are copied after the builtin static files, | ||
# so a file named "default.css" will overwrite the builtin "default.css". | ||
html_static_path = ['_static'] | ||
|
||
# These paths are either relative to html_static_path | ||
# or fully qualified paths (eg. https://...) | ||
html_css_files = [ | ||
'css/custom.css', | ||
] | ||
|
||
# If true, "Created using Sphinx" is shown in the HTML footer. Default is True. | ||
html_show_sphinx = False | ||
|
||
# If true, "(C) Copyright ..." is shown in the HTML footer. Default is True. | ||
html_show_copyright = False | ||
|
||
|
||
# Intersphinx | ||
intersphinx_mapping = { | ||
"attack-trees": ("https://tymyrddin.github.io/attack-trees/", None), | ||
"cheatsheets": ("https://tymyrddin.github.io/cheatsheets/", None), | ||
"e2ee-threat-model":("https://tymyrddin.github.io/e2ee-threat-model/", None), | ||
"da-threat-model":("https://tymyrddin.github.io/da-threat-model/", None), | ||
"se-threat-model":("https://tymyrddin.github.io/se-threat-model/", None), | ||
"app-threat-model":("https://tymyrddin.github.io/app-threat-model/", None), | ||
"cicd-threat-model":("https://tymyrddin.github.io/cicd-threat-model/", None), | ||
"linux-pc-mitigations":("https://tymyrddin.github.io/linux-pc-mitigations/", None), | ||
"linux-server-mitigations":("https://tymyrddin.github.io/linux-server-mitigations/", None), | ||
"data-mitigations":("https://tymyrddin.github.io/data-mitigations/", None), | ||
"webserver-mitigations":("https://tymyrddin.github.io/webserver-mitigations/", None), | ||
"mailserver-mitigations":("https://tymyrddin.github.io/mailserver-mitigations/", None), | ||
"network-mitigations":("https://tymyrddin.github.io/network-mitigations/", None), | ||
"app-mitigations": ("https://tymyrddin.github.io/app-mitigations/", None), | ||
"android-mitigations": ("https://tymyrddin.github.io/android-mitigations/", None), | ||
"windows-pc-mitigations": ("https://tymyrddin.github.io/windows-pc-mitigations/", None), | ||
"macos-mitigations": ("https://tymyrddin.github.io/macos-mitigations/", None), | ||
"ios-mitigations": ("https://tymyrddin.github.io/ios-mitigations/", None), | ||
} | ||
myst_url_schemes = ["http", "https", ] |
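Review bot: `intersphinx_mapping` lists eighteen remote inventories with `None` as the local fallback, so every build, including every CI run on push, fetches `objects.inv` from eighteen `tymyrddin.github.io` sites over the network and emits a warning for each one that is unavailable; builds become slow and non-reproducible, and the published cross-references depend on third-party state at build time. If those cross-references are used, commit the inventories and pass their path as the second tuple element; otherwise drop the entries that nothing references. Two smaller points: `exclude_patterns = []` omits the usual `['_build', 'Thumbs.db', '.DS_Store']`, and the `.DS_Store` line in `.gitignore` shows those files do turn up in this tree; and the mapping mixes `"key":(` and `"key": (` spacing. `myst_url_schemes = ["http", "https"]` restricting link schemes is a good choice and worth keeping.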
@@ -0,0 +1,29 @@ | ||
# Introduction | ||
|
||
## What? | ||
|
||
There are many ways to escalate linux privileges. These are the most common methods based on common real-world | ||
misconfigurations and flaws. | ||
|
||
## Why? | ||
|
||
Gain access to additional users, hosts, and resources, be able to take action, like install software, to get user | ||
data that can possibly give access to even more sites or systems, destroy or alter audit trails to hide tracks of | ||
having been there, etc. | ||
|
||
## How? | ||
|
||
* [Kernel vulnerability exploits](kernel.md) | ||
* [Exploit sudo misconfigurations](sudo.md) | ||
* [SUID and SGID exploits](suid.md) | ||
* [Exploit capable programs](capabilities.md) | ||
* [Cron jobs exploits](cron.md) | ||
* [Path exploits](path.md) | ||
* [NFS exploits](nfs.md) | ||
* [Linux escalation resources](resources.md) | ||
|
||
|
||
|
||
|
||
|
||
|
@@ -0,0 +1,35 @@ | ||
# Exploit capable programs | ||
|
||
## Attack tree | ||
|
||
```text | ||
1 Become root on Linux via capabilities | ||
1.1 Check for capable programs | ||
1.2 Leverage program | ||
``` | ||
|
||
## Example: vim | ||
|
||
To check for capable programs, use the `getcap` tool: | ||
```text | ||
karen@target:~$ getcap -r / 2>/dev/null | ||
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep | ||
/usr/bin/traceroute6.iputils = cap_net_raw+ep | ||
/usr/bin/mtr-packet = cap_net_raw+ep | ||
/usr/bin/ping = cap_net_raw+ep | ||
/home/karen/vim = cap_setuid+ep | ||
/home/ubuntu/view = cap_setuid+ep | ||
``` | ||
|
||
[Leverage vim](https://gtfobins.github.io/gtfobins/vim/) and execute a shell using python: | ||
|
||
```text | ||
vim -c ':py3 import os; os.execl("/bin/sh", "sh", "-c", "reset; exec sh")' | ||
``` | ||
|
||
## Notes | ||
|
||
Another method system administrators can use to increase the privilege level of a process or binary is by capabilities. | ||
Capabilities help manage privileges at a more granular level. If a SOC analyst needs to use a tool that needs to | ||
initiate socket connections, the capabilities of the binary can be changed such that it would get through its task | ||
without needing a higher privilege user. |
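Review bot: the `## Notes` section explains why file capabilities exist but never says what the sample `getcap` output is showing: `cap_net_raw+ep` on `ping`, `mtr-packet` and `traceroute6` is the normal, granular use the paragraph describes, whereas `cap_setuid+ep` on copies of `vim` and `view` under `/home` is the anomaly the reader is meant to spot. State that contrast explicitly, and add the defensive counterpart of step `1.1` in the attack tree: the same `getcap -r / 2>/dev/null` listing, diffed against a known-good baseline, is how an administrator catches stray `cap_setuid` or `cap_setgid` grants on binaries outside system paths. A formatting point: both code blocks are fenced as `text`, while the README fences shell as `bash`; the `getcap` session and the `vim` command are shell input and should use the same fence language as the README.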