Top 23 privilege-escalation Open-Source Projects

• PayloadsAllTheThings

  34 56,831 8.5 Python

  A list of useful payloads and bypass for Web Application Security and Pentest/CTF

Project mention: php shell not executed in wordpress | /r/hacking | 2023-12-08

Also https://github.com/swisskyrepo/PayloadsAllTheThings I'm sure there's a few test php files in here for filter bypasses too

• Awesome-Hacking-Resources

  5 14,677 0.0

  A collection of hacking / penetration testing resources to make you better!

• InfluxDB

  www.influxdata.com sponsored

  Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.

  

• traitor

  17 6,491 0.0 Go

  :arrow_up: :skull_and_crossbones: :fire: Automatic Linux privesc via exploitation of low-hanging fruit e.g. gtfobins, pwnkit, dirty pipe, +w docker.sock

Project mention: Traitor – Automatic Linux privesc via exploitation of low-hanging fruits | news.ycombinator.com | 2023-06-12

• Infosec_Reference

  9 5,358 4.2 CSS

  An Information Security Reference That Doesn't Suck; https://rmusser.net/git/admin-2/Infosec_Reference for non-MS Git hosted version.

• linux-kernel-exploitation

  7 5,319 5.4

  A collection of links related to Linux kernel security and exploitation

• Active-Directory-Exploitation-Cheat-Sheet

  2 5,050 4.1

  A cheat sheet that contains common enumeration and attack methods for Windows Active Directory.

• CDK

  5 3,638 2.8 Go

  📦 Make security testing of K8s, Docker, and Containerd easier.

  

Project mention: A morning with the Rabbit R1: a fun, funky, unfinished AI gadget | news.ycombinator.com | 2024-04-24

It does show how incompetent the attacker was, I report below what Retr0id wrote in the issue:

"tl;dr: The "leak" seems real, but doesn't prove any of the claims made in the readme.

This statement from Peiyuan Liao, the rabbit CTO, is consistent with what I'm seeing here: https://twitter.com/liaopeiyuan/status/ 1782922595199033662

So the "leak" is a bit of a nothingburger, containing partial code for the relatively boring process of letting users authenticate with online services through a sandboxed browser session, from which auth tokens etc. can be extracted. You can't infer anything about how LAM does or doesn't work from this.

They likely used "kiosk escape" tricks to get code exec within the box that runs the browser. Assuming their sandboxing is all set up correctly, this isn't particularly concerning, but it does expose the code that runs within the sandbox for analysis. That's what we appear to have here.

The attacker left behind a file named cdk.log, which is an artifact of https://github.com/cdk-team/CDK/, a container pentesting tool. They were clearly trying to escape the sandbox and pivot to somewhere more interesting, but I don't think they managed it. I think "part 2" is a bluff, this is all they have (feel free to prove me wrong, lol).

But that doesn't mean there's nothing here. Lets look at what we do have.

The most interesting detail to me is a package name list in repo/ typescript/common/base-tsconfig.json

[...]

The only code actually present is for q-web-minion-

What follows is my speculation based on the names alone:

"q" seems like a codename for the rabbit device (so q-hole rabbit hole). Q might stand for "quantum".

The problem with trying to log into and interface with consumer-facing services from 'the cloud" is that you'll get IP rate limited, blocked as a bot, etc. It would make sense to proxy traffic back out through the user's device, and that's what I'd hope q-proxy is about. The big downside with this is that it ~doubles latency and halves available bandwidth, magnifying any deficiencies of a flaky 4G connection. This is perhaps partly why their doordash demo chugged so hard. (protip to the team; use a caching proxy, with SSL, MitM. Detect CDN URLs and don't proxy those.)

This is a total stab in the dark but my guess is that bunny-host is where the LAM action happens, and bunny-builder is for LAM training.

cm-quantum-peripheral-common might be the wrist-mounted device teased in the launch event.

Addendum:

It's also possible there were some juicy credentials accessible within the container. But if there were, they aren't in this leak. In particular, it looks like they're using GCP "service account keys' (/credentials/ cm-gcp-service-account-quantum-workload/gcp-service-account- quantum-workload.json), which according to google's docs "create a security risk and are not recommended. Unlike the other credential file types, compromised service account keys can be used by a bad actor without any additional information".

There isn't enough information here (and/or my analysis isn't deep enough - "cloud" is not my forte) to determine if that'll cause any issues in practice, but if there really is a "part 2" leak, I'd guess this is how they got it."

I OCR two screenshots that I did so there could be errors.

• WorkOS

  workos.com sponsored

  The modern identity platform for B2B SaaS. The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning.

  

• linux-smart-enumeration

  2 3,193 6.2 Shell

  Linux enumeration tool for pentesting and CTFs with verbosity levels

• WinPwn

  1 3,182 5.3 PowerShell

  Automation for internal Windows Penetrationtest / AD-Security

• PrivescCheck

  4 2,614 8.4 PowerShell

  Privilege Escalation Enumeration Script for Windows

• pwncat

  3 2,349 0.0 Python

  Fancy reverse and bind shell handler

Project mention: Take the first steps to harden your Kubernetes cluster | dev.to | 2023-09-09

We're using pwncat-cs to listen for incoming connections and elevate to a shell. Log into the EC2 VM and run:

• juicy-potato

  2 2,246 0.0 C++

  A sugared version of RottenPotatoNG, with a bit of juice, i.e. another Local Privilege Escalation tool, from a Windows Service Accounts to NT AUTHORITY\SYSTEM.

• SUDO_KILLER

  8 2,096 8.8 Shell

  A tool designed to exploit a privilege escalation vulnerability in the sudo program on Unix-like systems. It takes advantage of a specific misconfiguration or flaw in sudo to gain elevated privileges on the system, essentially allowing a regular user to execute commands as the root user.

• A-Red-Teamer-diaries

  1 1,670 3.1

  RedTeam/Pentest notes and experiments tested on several infrastructures related to professional engagements.

• Coercer

  5 1,564 6.7 Python

  A python script to automatically coerce a Windows server to authenticate on an arbitrary machine through 12 methods.

• odat

  4 1,557 0.0 Python

  ODAT: Oracle Database Attacking Tool

• moonwalk

  5 1,290 0.0 Rust

  Cover your tracks during Linux Exploitation by leaving zero traces on system logs and filesystem timestamps. (by mufeedvh)

• awesome-privilege-escalation

  2 1,114 5.6

  A curated list of awesome privilege escalation

• deepce

  1 1,102 5.5 Shell

  Docker Enumeration, Escalation of Privileges and Container Escapes (DEEPCE)

Project mention: How to Escape a Container | news.ycombinator.com | 2023-12-20

Useful: https://github.com/stealthcopter/deepce

• msdat

  2 803 3.3 Python

  MSDAT: Microsoft SQL Database Attacking Tool

• SUID3NUM

  2 577 0.0 Python

  A standalone python script which utilizes python's built-in modules to enumerate SUID binaries, separate default binaries from custom binaries, cross-match those with bins in GTFO Bin's repository & auto-exploit those, all with colors! ( ͡~ ͜ʖ ͡°)

• GTFONow

  1 491 6.4 Python

  Automatic privilege escalation for misconfigured capabilities, sudo and suid binaries using GTFOBins.

• Lucifer

  1 335 0.0 Python

  A Powerful Penetration Tool For Automating Penetration Tasks Such As Local Privilege Escalation, Enumeration, Exfiltration and More... Use Or Build Automation Modules To Speed Up Your Cyber Security Life

• SaaSHub

  www.saashub.com sponsored

  SaaSHub - Software Alternatives and Reviews. SaaSHub helps you find the best software and product alternatives

  

privilege-escalation related posts

• Take the first steps to harden your Kubernetes cluster
  4 projects | dev.to | 9 Sep 2023
• Traitor – Automatic Linux privesc via exploitation of low-hanging fruits
  1 project | news.ycombinator.com | 12 Jun 2023
• Windows scheduled task PE
  1 project | /r/oscp | 27 Apr 2023
• Pwncat usage on the exam
  1 project | /r/oscp | 20 Feb 2023
• Specific user being targeted by scammers? + possible network breach? looking for advice..
  2 projects | /r/sysadmin | 1 Feb 2023
• A list of hacking / penetration testing resources to make you better
  1 project | /r/CKsTechNews | 9 Jan 2023
• Awesome Hacking Resources
  1 project | news.ycombinator.com | 9 Jan 2023
• A note from our sponsor - InfluxDB
  www.influxdata.com | 28 Apr 2024

  Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality. Learn more →

Index

Sponsored

SaaSHub - Software Alternatives and Reviews

SaaSHub helps you find the best software and product alternatives

www.saashub.com