Description
Should probably add "expert" skills that utilize tools. They should have domain-specific knowledge.
The following is an example Linux privesc / exploitation SKILL.md skill request:
Feature Type
- New skill request
Description
A Linux system exploitation and privilege escalation skill that provides automated enumeration, vulnerability identification, and exploitation guidance for offensive security operations on Linux systems.
Use Case
Problem it solves:
Automates Linux post-exploitation enumeration, identifies privilege escalation vectors, and suggests exploitation techniques for penetration testing and red team operations.
Target users:
Penetration testers, red team operators, security researchers, CTF players
Security context:
Post-exploitation phase of penetration tests
For New Skill Requests
Proposed Tool: LinPEAS (Linux Privilege Escalation Awesome Script) + Manual enumeration commands
Tool Repository/Documentation:
- https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS
- https://book.hacktricks.xyz/linux-hardening/privilege-escalation
Category: offsec (offensive security)
Security Frameworks: MITRE ATT&CK (TA0004 - Privilege Escalation, TA0007 - Discovery)
Key Capabilities:
- System enumeration (kernel, OS, architecture)
- SUID/SGID binary identification
- Sudo misconfigurations detection
- Capabilities abuse vectors
- Cron job exploitation paths
- Writable service files discovery
- Password hunting (history, configs, logs)
- Network configuration analysis
- Container breakout detection
Expected Workflow
- Initial access gained → Agent executes enumeration
- LinPEAS scan → Identifies privilege escalation vectors
- Risk prioritization → Ranks findings by exploitability
- Exploitation guidance → Provides specific commands/techniques
- Verification → Tests privilege escalation success
Example Commands:
# Automated scan
linpeas.sh -a > linpeas_report.txt
# Manual checks
find / -perm -4000 -type f 2>/dev/null # SUID binaries
sudo -l # Sudo permissions
getcap -r / 2>/dev/null # Capabilities
Alternatives Considered
- LinEnum - Older, less maintained
- Linux Smart Enumeration (LSE) - Good but less comprehensive
- Unix-privesc-check - Outdated
- Manual enumeration scripts - Time-consuming, inconsistent
Why LinPEAS:
- ✅ Most comprehensive (checks 200+ vectors)
- ✅ Actively maintained
- ✅ Color-coded severity ratings
- ✅ GTFOBins integration
- ✅ Container-aware
Additional Context
Critical skill components:
- Kernel exploit detection (CVE mapping)
- Service misconfigurations (MySQL, Docker, systemd)
- NFS shares with no_root_squash
- Wildcard injection opportunities
- LD_PRELOAD/LD_LIBRARY_PATH hijacking
- PATH manipulation vectors
Safety considerations:
- Non-destructive enumeration only
- Logging of all actions
Output formats:
- Parseable JSON for tool integration
- Human-readable reports
- MITRE ATT&CK technique mapping
- Ingestible by other skills/tools
Willingness to Contribute
- I am willing to submit a PR for this feature
- I can help test this feature
- I can provide domain expertise/guidance