Privilege Escalation Techniques

Posted on in Security • Tagged with Linux, Privilege Escalation, root • 3 min read

This blog post will serve as a cheatsheet to help in my future pentesting experiments and wargames when I am stuck and don't know how to proceed. I hope it will be of use for some people out there. This document will likely change and evolve in future revisions.

In this blog post I will discuss common privilege escalation techniques. I assume that an attacker has gained a foothold on the server by spawning a webshell via SQL injection or a similar web exploitation vector.

Helpful resources

Other people have published great information about the privilege escalation process.

  • https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-List#credentials
  • https://github.com/PenturaLabs/Linux_Exploit_Suggester
  • http://www.rebootuser.com/?p=1623#.V64XaN_S30p
  • Script for common checks and detailed security report: LinEnum

Make use of discovered credentials

Often you can find login credentials to a custom admin web interface in the database. Because humans tend to reuse the same credentials on different services, it's always worth checking whether the discovered login credentials work on other services such as SSH or Telnet. If you can access /etc/passwd, you can try all found credentials on all running services on all user accounts in the passwd file. You may discover …


Continue reading

Nebula Wargame walkthrough Level 10-19

Posted on in Wargames • Tagged with Linux, Programming, Security, Problem Solving • 21 min read

Walkthrough of the Nebula wargame from level 10 to level 19


Continue reading

Nebula Wargame walkthrough Level 0-9

Posted on in Wargames • Tagged with Linux, Programming, Security, Problem Solving • 6 min read

In this blog post we will walk through the solutions to levels 0 to 9 of the Nebula wargame, which is hosted on http://exploit-exercises.com. This writeup will force me to memorize commands better and exercise a bit. I fear that this writeup is of no use for other people, since you hopefully want to solve those exercises on your own :)

Level 0 - Finding setuid programs in the filesystem

As the description states, you need to find a setuid binary that gets a shell for the flag00 user. We can find setuid executables with a command such as the following:

find / -type f -perm -4000 -user flag00 2>/dev/null

This command suppresses error messages (the 2>/dev/null part redirects error output to /dev/null). Furthermore, the -perm -4000 flag selects files with the setuid bit set; the find man page describes this form as follows:

All of the permission bits mode are set for the file. Symbolic modes are accepted in this form, and this is usually the way in which would want to use them. You must specify `u', `g' or `o' if you use a symbolic mode. See the EXAMPLES section for some illustrative examples.

Now execute the found binary and run getflag and you should be …


Continue reading

Very good program to record audio and desktop on Linux!

Posted on in Linux • Tagged with Linux, Software • 2 min read

First post in the new year!

Hey

Happy new year to all of you and let 2015 be a successful year for us all!

My New Year's resolution is to write at least two blog posts every month and try to get my scraping service on scrapeulous.com up and running!

Good program to record the desktop/audio on Linux

But what I really wanted to share today is an awesome way to record your desktop with audio on Linux. I tried my luck several times with VLC, but it's a freaking pain in the ass to use. Furthermore, VLC will probably never be able to capture the desktop with audio (See this stackoverflow thread for more info).

But I just found a wonderful alternative (one could almost assume that I am advertising, which is not the case, I swear!):

http://wiki.ubuntuusers.de/recordMyDesktop

If you want to visit the home page of the program, click here. Although the home page is very ugly and the program is no longer in active development, it just works like a charm. On Ubuntu you may install it like this:

sudo apt-get install recordmydesktop

Then go to a directory where you want …


Continue reading