Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
142 changes: 78 additions & 64 deletions src/SUMMARY.md
Original file line number Diff line number Diff line change
Expand Up @@ -117,70 +117,84 @@

# 🐧 Linux Hardening

- [Linux Basics](linux-hardening/linux-basics.md)
- [Checklist - Linux Privilege Escalation](linux-hardening/linux-privilege-escalation-checklist.md)
- [Linux Privilege Escalation](linux-hardening/privilege-escalation/README.md)
- [Android Rooting Frameworks Manager Auth Bypass Syscall Hook](linux-hardening/privilege-escalation/android-rooting-frameworks-manager-auth-bypass-syscall-hook.md)
- [Vmware Tools Service Discovery Untrusted Search Path Cve 2025 41244](linux-hardening/privilege-escalation/vmware-tools-service-discovery-untrusted-search-path-cve-2025-41244.md)
- [Arbitrary File Write to Root](linux-hardening/privilege-escalation/write-to-root.md)
- [Cisco - vmanage](linux-hardening/privilege-escalation/cisco-vmanage.md)
- [Containerd (ctr) Privilege Escalation](linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation.md)
- [D-Bus Enumeration & Command Injection Privilege Escalation](linux-hardening/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.md)
- [Container Security](linux-hardening/privilege-escalation/container-security/README.md)
- [Runtimes And Engines](linux-hardening/privilege-escalation/container-security/runtimes-and-engines.md)
- [Runtime API And Daemon Exposure](linux-hardening/privilege-escalation/container-security/runtime-api-and-daemon-exposure.md)
- [Authorization Plugins](linux-hardening/privilege-escalation/container-security/authorization-plugins.md)
- [Image Security And Secrets](linux-hardening/privilege-escalation/container-security/image-security-and-secrets.md)
- [Assessment And Hardening](linux-hardening/privilege-escalation/container-security/assessment-and-hardening.md)
- [Sensitive Host Mounts](linux-hardening/privilege-escalation/container-security/sensitive-host-mounts.md)
- [Privileged Containers](linux-hardening/privilege-escalation/container-security/privileged-containers.md)
- [Distroless](linux-hardening/privilege-escalation/container-security/distroless.md)
- [Protections](linux-hardening/privilege-escalation/container-security/protections/README.md)
- [AppArmor](linux-hardening/privilege-escalation/container-security/protections/apparmor.md)
- [Capabilities](linux-hardening/privilege-escalation/container-security/protections/capabilities.md)
- [CGroups](linux-hardening/privilege-escalation/container-security/protections/cgroups.md)
- [Masked Paths](linux-hardening/privilege-escalation/container-security/protections/masked-paths.md)
- [No New Privileges](linux-hardening/privilege-escalation/container-security/protections/no-new-privileges.md)
- [Read Only Paths](linux-hardening/privilege-escalation/container-security/protections/read-only-paths.md)
- [Seccomp](linux-hardening/privilege-escalation/container-security/protections/seccomp.md)
- [SELinux](linux-hardening/privilege-escalation/container-security/protections/selinux.md)
- [Namespaces](linux-hardening/privilege-escalation/container-security/protections/namespaces/README.md)
- [CGroup Namespace](linux-hardening/privilege-escalation/container-security/protections/namespaces/cgroup-namespace.md)
- [IPC Namespace](linux-hardening/privilege-escalation/container-security/protections/namespaces/ipc-namespace.md)
- [PID Namespace](linux-hardening/privilege-escalation/container-security/protections/namespaces/pid-namespace.md)
- [Mount Namespace](linux-hardening/privilege-escalation/container-security/protections/namespaces/mount-namespace.md)
- [Network Namespace](linux-hardening/privilege-escalation/container-security/protections/namespaces/network-namespace.md)
- [Time Namespace](linux-hardening/privilege-escalation/container-security/protections/namespaces/time-namespace.md)
- [User Namespace](linux-hardening/privilege-escalation/container-security/protections/namespaces/user-namespace.md)
- [UTS Namespace](linux-hardening/privilege-escalation/container-security/protections/namespaces/uts-namespace.md)
- [Escaping from Jails](linux-hardening/privilege-escalation/escaping-from-limited-bash.md)
- [Copy Fail Af Alg Splice Page Cache Overwrite Cve 2026 31431](linux-hardening/privilege-escalation/linux-kernel-exploitation/copy-fail-af_alg-splice-page-cache-overwrite-cve-2026-31431.md)
- [Posix Cpu Timers Toctou Cve 2025 38352](linux-hardening/privilege-escalation/linux-kernel-exploitation/posix-cpu-timers-toctou-cve-2025-38352.md)
- [Linux Ptrace Exit Race Pidfd Getfd Fd Theft](linux-hardening/privilege-escalation/linux-kernel-exploitation/linux-ptrace-exit-race-pidfd_getfd-fd-theft.md)
- [euid, ruid, suid](linux-hardening/privilege-escalation/euid-ruid-suid.md)
- [Interesting Groups - Linux Privesc](linux-hardening/privilege-escalation/interesting-groups-linux-pe/README.md)
- [lxd/lxc Group - Privilege escalation](linux-hardening/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation.md)
- [Logstash](linux-hardening/privilege-escalation/logstash.md)
- [ld.so privesc exploit example](linux-hardening/privilege-escalation/ld.so.conf-example.md)
- [Linux Active Directory](linux-hardening/privilege-escalation/linux-active-directory.md)
- [Linux Capabilities](linux-hardening/privilege-escalation/linux-capabilities.md)
- [NFS no_root_squash/no_all_squash misconfiguration PE](linux-hardening/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md)
- [Node inspector/CEF debug abuse](linux-hardening/privilege-escalation/electron-cef-chromium-debugger-abuse.md)
- [Payloads to execute](linux-hardening/privilege-escalation/payloads-to-execute.md)
- [RunC Privilege Escalation](linux-hardening/privilege-escalation/runc-privilege-escalation.md)
- [SELinux](linux-hardening/privilege-escalation/selinux.md)
- [Socket Command Injection](linux-hardening/privilege-escalation/socket-command-injection.md)
- [Splunk LPE and Persistence](linux-hardening/privilege-escalation/splunk-lpe-and-persistence.md)
- [SSH Forward Agent exploitation](linux-hardening/privilege-escalation/ssh-forward-agent-exploitation.md)
- [Wildcards Spare tricks](linux-hardening/privilege-escalation/wildcards-spare-tricks.md)
- [Useful Linux Commands](linux-hardening/useful-linux-commands.md)
- [Bypass Linux Restrictions](linux-hardening/bypass-bash-restrictions/README.md)
- [Bypass FS protections: read-only / no-exec / Distroless](linux-hardening/bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/README.md)
- [DDexec / EverythingExec](linux-hardening/bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/ddexec.md)
- [Linux Environment Variables](linux-hardening/linux-environment-variables.md)
- [Linux Post-Exploitation](linux-hardening/linux-post-exploitation/README.md)
- [PAM - Pluggable Authentication Modules](linux-hardening/linux-post-exploitation/pam-pluggable-authentication-modules.md)
- [FreeIPA Pentesting](linux-hardening/freeipa-pentesting.md)
- 1. Linux Basics
- [Linux Privilege Escalation](linux-hardening/linux-basics/linux-privilege-escalation/README.md)
- [Useful Linux Commands](linux-hardening/linux-basics/useful-linux-commands.md)
- [Linux Environment Variables](linux-hardening/linux-basics/linux-environment-variables.md)
- [Bypass Linux Restrictions](linux-hardening/linux-basics/bypass-linux-restrictions/README.md)
- [Bypass FS protections: read-only / no-exec / Distroless](linux-hardening/linux-basics/bypass-linux-restrictions/bypass-fs-protections-read-only-no-exec-distroless/README.md)
- [DDexec / EverythingExec](linux-hardening/linux-basics/bypass-linux-restrictions/bypass-fs-protections-read-only-no-exec-distroless/ddexec.md)
- 2. Main System Information
- [Kernel Modules and modprobe Abuse](linux-hardening/main-system-information/kernel-modules-and-modprobe.md)
- [Sudo Command Abuse](linux-hardening/main-system-information/sudo-command-abuse.md)
- [Filesystem, Inodes and Recovery](linux-hardening/main-system-information/filesystem-inodes-and-recovery.md)
- [Checklist - Linux Privilege Escalation](linux-hardening/main-system-information/linux-privilege-escalation-checklist.md)
- [Escaping from Jails](linux-hardening/main-system-information/escaping-from-limited-bash.md)
- Kernel/LPE/CVE material
- [Vmware Tools Service Discovery Untrusted Search Path Cve 2025 41244](linux-hardening/main-system-information/kernel-lpe-cves/vmware-tools-service-discovery-untrusted-search-path-cve-2025-41244.md)
- [Copy Fail Af Alg Splice Page Cache Overwrite Cve 2026 31431](linux-hardening/main-system-information/kernel-lpe-cves/copy-fail-af_alg-splice-page-cache-overwrite-cve-2026-31431.md)
- [Posix Cpu Timers Toctou Cve 2025 38352](linux-hardening/main-system-information/kernel-lpe-cves/posix-cpu-timers-toctou-cve-2025-38352.md)
- [Linux Ptrace Exit Race Pidfd Getfd Fd Theft](linux-hardening/main-system-information/kernel-lpe-cves/linux-ptrace-exit-race-pidfd_getfd-fd-theft.md)
- 3. User Information
- [euid, ruid, suid](linux-hardening/user-information/euid-ruid-suid.md)
- [Interesting Groups - Linux Privesc](linux-hardening/user-information/interesting-groups-linux-pe/README.md)
- [lxd/lxc Group - Privilege escalation](linux-hardening/user-information/interesting-groups-linux-pe/lxd-privilege-escalation.md)
- [SSH Forward Agent exploitation](linux-hardening/user-information/ssh-forward-agent-exploitation.md)
- [Linux Active Directory](linux-hardening/user-information/linux-active-directory.md)
- 4. Interesting Files & Permissions
- [Arbitrary File Write to Root](linux-hardening/interesting-files-permissions/write-to-root.md)
- [Linux Capabilities](linux-hardening/interesting-files-permissions/linux-capabilities.md)
- [SUID Shared Library and Linker Abuse](linux-hardening/interesting-files-permissions/suid-shared-library-and-linker-abuse.md)
- [ld.so privesc exploit example](linux-hardening/interesting-files-permissions/ld.so.conf-example.md)
- [NFS no_root_squash/no_all_squash misconfiguration PE](linux-hardening/interesting-files-permissions/nfs-no_root_squash-misconfiguration-pe.md)
- [Wildcards Spare tricks](linux-hardening/interesting-files-permissions/wildcards-spare-tricks.md)
- [SELinux](linux-hardening/interesting-files-permissions/selinux.md)
- 5. Network Information
- [Local Network and Socket Triage](linux-hardening/network-information/local-network-and-socket-triage.md)
- [Socket Command Injection](linux-hardening/network-information/socket-command-injection.md)
- [Cisco - vmanage](linux-hardening/network-information/cisco-vmanage.md)
- 6. Software Information
- [PAM - Pluggable Authentication Modules](linux-hardening/software-information/pam-pluggable-authentication-modules.md)
- [FreeIPA Pentesting](linux-hardening/software-information/freeipa-pentesting.md)
- [Logstash](linux-hardening/software-information/logstash.md)
- [Splunk LPE and Persistence](linux-hardening/software-information/splunk-lpe-and-persistence.md)
- [Node inspector/CEF debug abuse](linux-hardening/software-information/electron-cef-chromium-debugger-abuse.md)
- [Android Rooting Frameworks Manager Auth Bypass Syscall Hook](linux-hardening/software-information/android-rooting-frameworks-manager-auth-bypass-syscall-hook.md)
- 7. Processes, Crontab, Systemd, D-Bus
- [D-Bus Enumeration & Command Injection Privilege Escalation](linux-hardening/processes-crontab-systemd-dbus/d-bus-enumeration-and-command-injection-privilege-escalation.md)
- [Payloads to execute](linux-hardening/processes-crontab-systemd-dbus/payloads-to-execute.md)
- 8. Containers, Namespaces
- [Containerd (ctr) Privilege Escalation](linux-hardening/containers-namespaces/containerd-ctr-privilege-escalation.md)
- [RunC Privilege Escalation](linux-hardening/containers-namespaces/runc-privilege-escalation.md)
- [Container Security](linux-hardening/containers-namespaces/container-security/README.md)
- [Runtimes And Engines](linux-hardening/containers-namespaces/container-security/runtimes-and-engines.md)
- [Runtime API And Daemon Exposure](linux-hardening/containers-namespaces/container-security/runtime-api-and-daemon-exposure.md)
- [Authorization Plugins](linux-hardening/containers-namespaces/container-security/authorization-plugins.md)
- [Image Security And Secrets](linux-hardening/containers-namespaces/container-security/image-security-and-secrets.md)
- [Assessment And Hardening](linux-hardening/containers-namespaces/container-security/assessment-and-hardening.md)
- [Sensitive Host Mounts](linux-hardening/containers-namespaces/container-security/sensitive-host-mounts.md)
- [Privileged Containers](linux-hardening/containers-namespaces/container-security/privileged-containers.md)
- [Distroless](linux-hardening/containers-namespaces/container-security/distroless.md)
- [Protections](linux-hardening/containers-namespaces/container-security/protections/README.md)
- [AppArmor](linux-hardening/containers-namespaces/container-security/protections/apparmor.md)
- [Capabilities](linux-hardening/containers-namespaces/container-security/protections/capabilities.md)
- [CGroups](linux-hardening/containers-namespaces/container-security/protections/cgroups.md)
- [Masked Paths](linux-hardening/containers-namespaces/container-security/protections/masked-paths.md)
- [No New Privileges](linux-hardening/containers-namespaces/container-security/protections/no-new-privileges.md)
- [Read Only Paths](linux-hardening/containers-namespaces/container-security/protections/read-only-paths.md)
- [Seccomp](linux-hardening/containers-namespaces/container-security/protections/seccomp.md)
- [SELinux](linux-hardening/containers-namespaces/container-security/protections/selinux.md)
- [Namespaces](linux-hardening/containers-namespaces/container-security/protections/namespaces/README.md)
- [CGroup Namespace](linux-hardening/containers-namespaces/container-security/protections/namespaces/cgroup-namespace.md)
- [IPC Namespace](linux-hardening/containers-namespaces/container-security/protections/namespaces/ipc-namespace.md)
- [PID Namespace](linux-hardening/containers-namespaces/container-security/protections/namespaces/pid-namespace.md)
- [Mount Namespace](linux-hardening/containers-namespaces/container-security/protections/namespaces/mount-namespace.md)
- [Network Namespace](linux-hardening/containers-namespaces/container-security/protections/namespaces/network-namespace.md)
- [Time Namespace](linux-hardening/containers-namespaces/container-security/protections/namespaces/time-namespace.md)
- [User Namespace](linux-hardening/containers-namespaces/container-security/protections/namespaces/user-namespace.md)
- [UTS Namespace](linux-hardening/containers-namespaces/container-security/protections/namespaces/uts-namespace.md)
- 9. Post-Exploitation
- [Linux Post-Exploitation](linux-hardening/post-exploitation/linux-post-exploitation/README.md)

# 🍏 MacOS Hardening

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -115,7 +115,7 @@ for d in `find * -maxdepth 0 -type d`; do cd $d; tar -xf ./layer.tar; cd ..; don

Note that when you run a docker container inside a host **you can see the processes running on the container from the host** just running `ps -ef`

Therefore (as root) you can **dump the memory of the processes** from the host and search for **credentials** just [**like in the following example**](../../linux-hardening/privilege-escalation/index.html#process-memory).
Therefore (as root) you can **dump the memory of the processes** from the host and search for **credentials** just [**like in the following example**](../../linux-hardening/1-linux-basics/linux-privilege-escalation/index.html#process-memory).


{{#include ../../banners/hacktricks-training.md}}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -639,7 +639,7 @@ Forensic leads:
- If you need exploitation details for DevTools-style browser abuse, review:

{{#ref}}
../../linux-hardening/privilege-escalation/electron-cef-chromium-debugger-abuse.md
../../linux-hardening/6-software-information/electron-cef-chromium-debugger-abuse.md
{{#endref}}

{{#ref}}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -164,7 +164,7 @@ Specially in Windows you could need some help to **avoid antiviruses**: [**Check

If you have troubles with the shell, you can find here a small **compilation of the most useful commands** for pentesters:

- [**Linux**](../linux-hardening/useful-linux-commands.md)
- [**Linux**](../linux-hardening/1-linux-basics/useful-linux-commands.md)
- [**Windows (CMD)**](../windows-hardening/basic-cmd-for-pentesters.md)
- [**Windows (PS)**](../windows-hardening/basic-powershell-for-pentesters/index.html)

Expand All @@ -177,7 +177,7 @@ You will probably need to **extract some data from the victim** or even **introd
#### **10.1- Local Privesc**

If you are **not root/Administrator** inside the box, you should find a way to **escalate privileges.**\
Here you can find a **guide to escalate privileges locally in** [**Linux**](../linux-hardening/privilege-escalation/index.html) **and in** [**Windows**](../windows-hardening/windows-local-privilege-escalation/index.html)**.**\
Here you can find a **guide to escalate privileges locally in** [**Linux**](../linux-hardening/1-linux-basics/linux-privilege-escalation/index.html) **and in** [**Windows**](../windows-hardening/windows-local-privilege-escalation/index.html)**.**\
You should also check this pages about how does **Windows work**:

- [**Authentication, Credentials, Token privileges and UAC**](../windows-hardening/authentication-credentials-uac-and-efs/index.html)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -394,7 +394,7 @@ nmap -6 -sS -Pn -p 22,23,80,443,7547 [2001:db8:abcd::1]


{{#ref}}
../../linux-hardening/privilege-escalation/wildcards-spare-tricks.md
../../linux-hardening/4-interesting-files-permissions/wildcards-spare-tricks.md
{{#endref}}

Defences/notes:
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -64,6 +64,33 @@ What is interesting here:
- If `supplementalGroupsPolicy` is set to `Strict`, the pod should avoid silently inheriting extra group memberships from `/etc/group` inside the image, which makes group-based volume and file access behavior more predictable.
- Namespace labels such as `pod-security.kubernetes.io/enforce=restricted` are worth checking directly. `warn` and `audit` are useful, but they do not stop a risky pod from being created.

## Runtime Baseline Triage

A runtime baseline is the quick pass that tells you whether a container looks like an ordinary isolated workload or like a host-impacting control plane foothold. It should collect enough facts to prioritize the next page to read: runtime socket abuse, host mounts, namespaces, cgroups, capabilities, or image-secret review.

Useful checks from inside a workload:

```bash
id
hostname
cat /proc/1/cgroup 2>/dev/null
cat /proc/self/uid_map 2>/dev/null
grep -E 'CapEff|Seccomp|NoNewPrivs' /proc/self/status
stat -fc %T /sys/fs/cgroup 2>/dev/null
cat /sys/fs/cgroup/memory.max 2>/dev/null
cat /sys/fs/cgroup/pids.max 2>/dev/null
readlink /proc/self/ns/{pid,mnt,net,ipc,cgroup,user} 2>/dev/null
mount
find /run /var/run -maxdepth 3 \( -name docker.sock -o -name containerd.sock -o -name crio.sock -o -name podman.sock \) 2>/dev/null
```

Interpretation:

- Missing or unlimited `memory.max` / `pids.max` points to weak blast-radius controls even without a clean escape.
- A root shell with `NoNewPrivs: 0`, broad capabilities, and permissive seccomp is much more interesting than a narrow non-root workload.
- Runtime sockets and writable host mounts usually outrank kernel exploits because they already expose a management or filesystem control path.
- Shared PID, network, IPC, or cgroup namespaces are not always full escapes by themselves, but they make the next step easier to find.

## Resource-Exhaustion Examples

Resource controls are not glamorous, but they are part of container security because they limit the blast radius of compromise. Without memory, CPU, or PID limits, a simple shell may be enough to degrade the host or neighboring workloads.
Expand Down
Loading