mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-14 08:57:55 +00:00
GITBOOK-4282: change request with no subject merged in GitBook
This commit is contained in:
parent
a2fa88b1ad
commit
6d800c7507
3 changed files with 19 additions and 6 deletions
|
@ -83,8 +83,10 @@
|
|||
|
||||
* [Checklist - Linux Privilege Escalation](linux-hardening/linux-privilege-escalation-checklist.md)
|
||||
* [Linux Privilege Escalation](linux-hardening/privilege-escalation/README.md)
|
||||
* [Arbitrary File Write to Root](linux-hardening/privilege-escalation/write-to-root.md)
|
||||
* [Cisco - vmanage](linux-hardening/privilege-escalation/cisco-vmanage.md)
|
||||
* [Containerd (ctr) Privilege Escalation](linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation.md)
|
||||
* [D-Bus Enumeration & Command Injection Privilege Escalation](linux-hardening/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.md)
|
||||
* [Docker Security](linux-hardening/privilege-escalation/docker-security/README.md)
|
||||
* [Abusing Docker Socket for Privilege Escalation](linux-hardening/privilege-escalation/docker-security/abusing-docker-socket-for-privilege-escalation.md)
|
||||
* [AppArmor](linux-hardening/privilege-escalation/docker-security/apparmor.md)
|
||||
|
@ -108,15 +110,14 @@
|
|||
* [Weaponizing Distroless](linux-hardening/privilege-escalation/docker-security/weaponizing-distroless.md)
|
||||
* [Escaping from Jails](linux-hardening/privilege-escalation/escaping-from-limited-bash.md)
|
||||
* [euid, ruid, suid](linux-hardening/privilege-escalation/euid-ruid-suid.md)
|
||||
* [Logstash](linux-hardening/privilege-escalation/logstash.md)
|
||||
* [Node inspector/CEF debug abuse](linux-hardening/privilege-escalation/electron-cef-chromium-debugger-abuse.md)
|
||||
* [D-Bus Enumeration & Command Injection Privilege Escalation](linux-hardening/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.md)
|
||||
* [Interesting Groups - Linux Privesc](linux-hardening/privilege-escalation/interesting-groups-linux-pe/README.md)
|
||||
* [lxd/lxc Group - Privilege escalation](linux-hardening/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation.md)
|
||||
* [Logstash](linux-hardening/privilege-escalation/logstash.md)
|
||||
* [ld.so privesc exploit example](linux-hardening/privilege-escalation/ld.so.conf-example.md)
|
||||
* [Linux Active Directory](linux-hardening/privilege-escalation/linux-active-directory.md)
|
||||
* [Linux Capabilities](linux-hardening/privilege-escalation/linux-capabilities.md)
|
||||
* [NFS no\_root\_squash/no\_all\_squash misconfiguration PE](linux-hardening/privilege-escalation/nfs-no\_root\_squash-misconfiguration-pe.md)
|
||||
* [Node inspector/CEF debug abuse](linux-hardening/privilege-escalation/electron-cef-chromium-debugger-abuse.md)
|
||||
* [Payloads to execute](linux-hardening/privilege-escalation/payloads-to-execute.md)
|
||||
* [RunC Privilege Escalation](linux-hardening/privilege-escalation/runc-privilege-escalation.md)
|
||||
* [SELinux](linux-hardening/privilege-escalation/selinux.md)
|
||||
|
@ -124,7 +125,6 @@
|
|||
* [Splunk LPE and Persistence](linux-hardening/privilege-escalation/splunk-lpe-and-persistence.md)
|
||||
* [SSH Forward Agent exploitation](linux-hardening/privilege-escalation/ssh-forward-agent-exploitation.md)
|
||||
* [Wildcards Spare tricks](linux-hardening/privilege-escalation/wildcards-spare-tricks.md)
|
||||
* [Arbitrary File Write to Root](linux-hardening/privilege-escalation/write-to-root.md)
|
||||
* [Useful Linux Commands](linux-hardening/useful-linux-commands/README.md)
|
||||
* [Bypass Linux Restrictions](linux-hardening/useful-linux-commands/bypass-bash-restrictions.md)
|
||||
* [Bypass FS protections: read-only / no-exec / Distroless](linux-hardening/bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/README.md)
|
||||
|
|
|
@ -9,7 +9,7 @@ Other ways to support HackTricks:
|
|||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
|
@ -49,6 +49,18 @@ chmod +x pre-commit
|
|||
```
|
||||
{% endcode %}
|
||||
|
||||
### Cron & Time files
|
||||
|
||||
TODO
|
||||
|
||||
### Service & Socket files
|
||||
|
||||
TODO
|
||||
|
||||
### binfmt\_misc
|
||||
|
||||
The file located in `/proc/sys/fs/binfmt_misc` indicates which binary should execute whic type of files. TODO: check the requirements to abuse this to execute a rev shell when a common file type is open.
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
@ -58,7 +70,7 @@ Other ways to support HackTricks:
|
|||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
|
|
|
@ -49,6 +49,7 @@ ARM64 has **31 general-purpose registers**, labeled `x0` through `x30`. Each can
|
|||
* This register can also be used as a **general-purpose registry** although it's usually used as reference to **local variables**.
|
||||
8. **`x30`** or **`lr`**- **Link register** . It holds the **return address** when a `BL` (Branch with Link) or `BLR` (Branch with Link to Register) instruction is executed by storing the **`pc`** value in this register.
|
||||
* It could also be used like any other register.
|
||||
* If the current function is going to call a new function and therefore overwrite `lr`, it will store it in the stack at the beginning, this is the epilogue (`stp x29, x30 , [sp, #-48]; mov x29, sp` -> Store `fp` and `lr`, generate space and get new `fp`) and recover it at the end, this is the prologue (`ldp x29, x30, [sp], #48; ret` -> Recover `fp` and `lr` and return).
|
||||
9. **`sp`** - **Stack pointer**, used to keep track of the top of the stack.
|
||||
* the **`sp`** value should always be kept to at least a **quadword** **alignment** or a alignment exception may occur.
|
||||
10. **`pc`** - **Program counter**, which points to the next instruction. This register can only be updates through exception generations, exception returns, and branches. The only ordinary instructions that can read this register are branch with link instructions (BL, BLR) to store the **`pc`** address in **`lr`** (Link Register).
|
||||
|
|
Loading…
Reference in a new issue