system

Skill

System exploitation testing - Active Directory attacks, privilege escalation (Linux/Windows), and exploit development.

Files116
  • @skills/system/SKILL.md
  • @skills/system/reference/INDEX.md
  • @skills/system/reference/foothold-patterns.md
  • @skills/system/reference/format-string-exploitation.md
  • @skills/system/reference/heap-exploitation.md
  • @skills/system/reference/scenarios/ad/acl-abuse-chains.md
  • @skills/system/reference/scenarios/ad/adcs-esc1.md
  • @skills/system/reference/scenarios/ad/adcs-esc15.md
  • @skills/system/reference/scenarios/ad/adcs-esc16.md
  • @skills/system/reference/scenarios/ad/adcs-esc3.md
  • @skills/system/reference/scenarios/ad/adcs-esc4.md
  • @skills/system/reference/scenarios/ad/adcs-esc6.md
  • @skills/system/reference/scenarios/ad/adcs-esc7.md
  • @skills/system/reference/scenarios/ad/adcs-esc8-kerb-relay.md
  • @skills/system/reference/scenarios/ad/adfs-golden-saml.md
  • @skills/system/reference/scenarios/ad/as-rep-roast.md
  • @skills/system/reference/scenarios/ad/badsuccessor-dmsa.md
  • @skills/system/reference/scenarios/ad/certipy-ldap-shell-fallback.md
  • @skills/system/reference/scenarios/ad/constrained-delegation.md
  • @skills/system/reference/scenarios/ad/cross-forest-trust.md
  • @skills/system/reference/scenarios/ad/cross-session-ntlm-relay.md
  • @skills/system/reference/scenarios/ad/dcsync.md
  • @skills/system/reference/scenarios/ad/dns-record-poisoning.md
  • @skills/system/reference/scenarios/ad/gmsa.md
  • @skills/system/reference/scenarios/ad/golden-ticket.md
  • @skills/system/reference/scenarios/ad/kerberoast.md
  • @skills/system/reference/scenarios/ad/kerberos-only-domain.md
  • @skills/system/reference/scenarios/ad/kpasswd-expired-password-reset.md
  • @skills/system/reference/scenarios/ad/lansweeper-cred-mapping-honeypot.md
  • @skills/system/reference/scenarios/ad/laps-readers.md
  • @skills/system/reference/scenarios/ad/ldap-simple-bind-capture.md
  • @skills/system/reference/scenarios/ad/ldap-via-gc-when-389-filtered.md
  • @skills/system/reference/scenarios/ad/ntlm-relay.md
  • @skills/system/reference/scenarios/ad/openssh-key-drop-via-smb-home.md
  • @skills/system/reference/scenarios/ad/pass-the-hash.md
  • @skills/system/reference/scenarios/ad/pass-the-ticket-impacket.md
  • @skills/system/reference/scenarios/ad/pkinit.md
  • @skills/system/reference/scenarios/ad/pre-windows-2000-access.md
  • @skills/system/reference/scenarios/ad/protected-users-bypass.md
  • @skills/system/reference/scenarios/ad/rbcd.md
  • @skills/system/reference/scenarios/ad/rodc-exploitation.md
  • @skills/system/reference/scenarios/ad/shadow-credentials.md
  • @skills/system/reference/scenarios/ad/silver-ticket.md
  • @skills/system/reference/scenarios/ad/spn-less-rbcd-nthash-trick.md
  • @skills/system/reference/scenarios/ad/unconstrained-delegation.md
  • @skills/system/reference/scenarios/ad/wim-image-credential-extraction.md
  • @skills/system/reference/scenarios/ad/wsus-mitm.md
  • @skills/system/reference/scenarios/dtv-poisoning-via-worker-uaf.md
  • @skills/system/reference/scenarios/foothold-access-db-vba.md
  • @skills/system/reference/scenarios/fsop-house-of-apple-2-vfprintf-flag-mods.md
  • @skills/system/reference/scenarios/glibc-tcache-info-leak-via-small-chunk-overlap.md
  • @skills/system/reference/scenarios/house-of-botcake-glibc-237-safe-linking-bypass.md
  • @skills/system/reference/scenarios/linux-privesc/apparmor-hat-bypass.md
  • @skills/system/reference/scenarios/linux-privesc/asterisk-runuser-respawn-root.md
  • @skills/system/reference/scenarios/linux-privesc/baron-samedit.md
  • @skills/system/reference/scenarios/linux-privesc/binfmt-misc-suid-laundering.md
  • @skills/system/reference/scenarios/linux-privesc/buffer-overflow.md
  • @skills/system/reference/scenarios/linux-privesc/cap-dac-override.md
  • @skills/system/reference/scenarios/linux-privesc/clamav-debug-xxe.md
  • @skills/system/reference/scenarios/linux-privesc/credential-files-hunt.md
  • @skills/system/reference/scenarios/linux-privesc/docker-escape.md
  • @skills/system/reference/scenarios/linux-privesc/fail2ban-action-hijack.md
  • @skills/system/reference/scenarios/linux-privesc/info-zip-symlink-follow.md
  • @skills/system/reference/scenarios/linux-privesc/jenkins-anon-script-console.md
  • @skills/system/reference/scenarios/linux-privesc/log-and-tmux-credential-reuse.md
  • @skills/system/reference/scenarios/linux-privesc/lxd-privesc.md
  • @skills/system/reference/scenarios/linux-privesc/nifi-anon-rest-rce.md
  • @skills/system/reference/scenarios/linux-privesc/nodejs-inspector-abuse.md
  • @skills/system/reference/scenarios/linux-privesc/polkit-race.md
  • @skills/system/reference/scenarios/linux-privesc/postgres-tablespace-symlink-zip.md
  • @skills/system/reference/scenarios/linux-privesc/pwnkit.md
  • @skills/system/reference/scenarios/linux-privesc/pycache-poisoning.md
  • @skills/system/reference/scenarios/linux-privesc/rbash-escape.md
  • @skills/system/reference/scenarios/linux-privesc/snap-confine-race.md
  • @skills/system/reference/scenarios/linux-privesc/ssh-ca-forgery.md
  • @skills/system/reference/scenarios/linux-privesc/ssh-controlmaster-hijack.md
  • @skills/system/reference/scenarios/linux-privesc/sudo-cve-2025-32463-chwoot.md
  • @skills/system/reference/scenarios/linux-privesc/sudo-git-apply-symlink.md
  • @skills/system/reference/scenarios/linux-privesc/sudo-python-sitedir-pth.md
  • @skills/system/reference/scenarios/linux-privesc/sudo-symlink.md
  • @skills/system/reference/scenarios/linux-privesc/suid-binary-exploitation.md
  • @skills/system/reference/scenarios/linux-privesc/toctou-cron-md5-symlink-flip.md
  • @skills/system/reference/scenarios/linux-privesc/udisks2-polkit.md
  • @skills/system/reference/scenarios/linux-privesc/vault-otp-ssh-role.md
  • @skills/system/reference/scenarios/linux-privesc/wcf-soap-localhost.md
  • @skills/system/reference/scenarios/linux-privesc/webmin-packageup-rce.md
  • @skills/system/reference/scenarios/mssql/errorlog-secrets.md
  • @skills/system/reference/scenarios/mssql/linked-server-chain.md
  • @skills/system/reference/scenarios/mssql/xp-cmdshell.md
  • @skills/system/reference/scenarios/mssql/xp-dirtree-coercion.md
  • @skills/system/reference/scenarios/oob-write-via-state-power-index.md
  • @skills/system/reference/scenarios/qsort-r-multi-resort-table-shift.md
  • @skills/system/reference/scenarios/windows-privesc/autoadminlogon.md
  • @skills/system/reference/scenarios/windows-privesc/dll-hijacking.md
  • @skills/system/reference/scenarios/windows-privesc/dpapi-browser-creds.md
  • @skills/system/reference/scenarios/windows-privesc/file-transfer-ssh-pty.md
  • @skills/system/reference/scenarios/windows-privesc/forgotten-backup-zip.md
  • @skills/system/reference/scenarios/windows-privesc/iis-log-credentials.md
  • @skills/system/reference/scenarios/windows-privesc/kernel-eop.md
  • @skills/system/reference/scenarios/windows-privesc/kiosk-and-applocker-escape.md
  • @skills/system/reference/scenarios/windows-privesc/memory-dump-creds.md
  • @skills/system/reference/scenarios/windows-privesc/msi-repair-toctou.md
  • @skills/system/reference/scenarios/windows-privesc/multi-user-flag-sweep.md
  • @skills/system/reference/scenarios/windows-privesc/perflib-dll-hijack.md
  • @skills/system/reference/scenarios/windows-privesc/potatoes-sanity-check.md
  • @skills/system/reference/scenarios/windows-privesc/printnightmare.md
  • @skills/system/reference/scenarios/windows-privesc/psreadline-history.md
  • @skills/system/reference/scenarios/windows-privesc/scheduled-task-zip-poll.md
  • @skills/system/reference/scenarios/windows-privesc/sebackuprivilege.md
  • @skills/system/reference/scenarios/windows-privesc/seh-overflow-static-binary.md
  • @skills/system/reference/scenarios/windows-privesc/server-operators-imagepath.md
  • @skills/system/reference/scenarios/windows-privesc/service-required-privileges.md
  • @skills/system/reference/scenarios/windows-privesc/unquoted-service-path.md
  • @skills/system/reference/scenarios/windows-privesc/wcf-named-pipe.md
  • @skills/system/reference/scenarios/windows-privesc/writable-service-binary-race.md
  • @skills/system/reference/system-exploitation-principles.md

System

Test system-level security including Active Directory, privilege escalation, and exploit development.

Techniques

TypeKey Vectors
Active DirectoryKerberoasting, AS-REP roasting, DCSync, PtH, Golden/RODC Ticket, RBCD, ACL abuse, KeyList, Shadow Credentials, ADCS (ESC1-9/16)
Privilege EscalationSUID/sudo abuse, kernel exploits, service misconfig, token manipulation
Exploit DevelopmentBuffer overflow, format string, ROP chains, shellcode, heap exploitation

Workflow

  1. Enumerate system and domain information
  2. Identify escalation paths and misconfigurations
  3. Exploit with appropriate techniques
  4. Demonstrate impact (domain admin, root access)
  5. Document attack chain with evidence

Reference

  • reference/INDEX.md - Router for AD attacks, privilege escalation, and exploit-dev scenarios (see reference/scenarios/)
  • reference/format-string-exploitation.md - Format string read/write primitives, architecture differences, mitigation bypass
  • reference/heap-exploitation.md - Modern glibc heap techniques (tcache poison, unsorted bin leak, environ stack leak, ROP)
system — Kortix Marketplace | Kortix