diff --git a/linux-hardening/privilege-escalation/README.md b/linux-hardening/privilege-escalation/README.md index 1acf8ee6a..341ad6a39 100644 --- a/linux-hardening/privilege-escalation/README.md +++ b/linux-hardening/privilege-escalation/README.md @@ -278,7 +278,7 @@ done #### /proc/$pid/maps & /proc/$pid/mem -For a given process ID, \*\*maps show how memory is mapped within that process's \*\*virtual address space; it also shows the **permissions of each mapped region**. The **mem** pseudo file **exposes the processes memory itself**. From the **maps** file we know which **memory regions are readable** and their offsets. We use this information to **seek into the mem file and dump all readable regions** to a file. +For a given process ID, **maps show how memory is mapped within that process's** virtual address space; it also shows the **permissions of each mapped region**. The **mem** pseudo file **exposes the processes memory itself**. From the **maps** file we know which **memory regions are readable** and their offsets. We use this information to **seek into the mem file and dump all readable regions** to a file. ```bash procdump() @@ -1339,7 +1339,11 @@ Notice that if `Host` is `*` every time the user jumps to a different machine, t The file `/etc/ssh_config` can **override** this **options** and allow or denied this configuration.\ The file `/etc/sshd_config` can **allow** or **denied** ssh-agent forwarding with the keyword `AllowAgentForwarding` (default is allow). -If you Forward Agent configured in an environment \[**check here how to exploit it to escalate privileges**]\(ssh-forward-agent-exploitation.md). +If you find that Forward Agent is configured in an environment read the following page as **you may be able to abuse it to escalate privileges**: + +{% content-ref url="ssh-forward-agent-exploitation.md" %} +[ssh-forward-agent-exploitation.md](ssh-forward-agent-exploitation.md) +{% endcontent-ref %} ## Interesting Files @@ -1459,7 +1463,7 @@ find / -name '*.db' -o -name '*.sqlite' -o -name '*.sqlite3' 2>/dev/null ### \*\_history, .sudo\_as\_admin\_successful, profile, bashrc, httpd.conf, .plan, .htpasswd, .git-credentials, .rhosts, hosts.equiv, Dockerfile, docker-compose.yml files ```bash -fils=`find / -type f \( -name "*_history" -o -name ".sudo_as_admin_successful" -o -name ".profile" -o -name "*bashrc" -o -name "httpd.conf" -o -name "*.plan" -o -name ".htpasswd" -o -name ".git-credentials" -o -name "*.rhosts" -o -name "hosts.equiv" -o -name "Dockerfile" -o -name "docker-compose.yml" \) 2>/dev/null`Hidden files +find / -type f \( -name "*_history" -o -name ".sudo_as_admin_successful" -o -name ".profile" -o -name "*bashrc" -o -name "httpd.conf" -o -name "*.plan" -o -name ".htpasswd" -o -name ".git-credentials" -o -name "*.rhosts" -o -name "hosts.equiv" -o -name "Dockerfile" -o -name "docker-compose.yml" \) 2>/dev/null ``` ### Hidden files @@ -1487,7 +1491,7 @@ ls -alhR /opt/lampp/htdocs/ 2>/dev/null ### **Backups** ```bash -find /var /etc /bin /sbin /home /usr/local/bin /usr/local/sbin /usr/bin /usr/games /usr/sbin /root /tmp -type f \( -name "*backup*" -o -name "*\.bak" -o -name "*\.bck" -o -name "*\.bk" \) 2>/dev/nulll +find /var /etc /bin /sbin /home /usr/local/bin /usr/local/sbin /usr/bin /usr/games /usr/sbin /root /tmp -type f \( -name "*backup*" -o -name "*\.bak" -o -name "*\.bck" -o -name "*\.bk" \) 2>/dev/null ``` ### Known files containing passwords