PrivEsc - Linux Task

Methodology and Resources/Linux - Privilege Escalation.md

@@ -13,7 +13,9 @@
 ## Summary
 
 * [Checklist](#checklist)
-* [Cron jobs](#cron-jobs)
+* [Scheduled tasks](#scheduled-tasks)
+    * [Cron jobs](#cron-jobs)
+    * [Systemd timers](#systemd-timers)
 * [SUID](#suid)
     * [Find SUID binaries](#find-suid-binaries)
     * [Create a SUID binary](#create-a-suid-binary)
@@ -108,7 +110,9 @@
   * Checks to see if the host has Docker installed
   * Checks to determine if we're in an LXC container
 
-## Cron jobs
+## Scheduled tasks
+
+### Cron jobs
 
 Check if you have access with write permission on these files.   
 Check inside the file, to find other paths with write permissions.   
@@ -133,6 +137,18 @@ Check inside the file, to find other paths with write permissions.
 /var/spool/cron/crontabs/root
 ```
 
+## Systemd timers
+
+```powershell
+systemctl list-timers --all
+NEXT                          LEFT     LAST                          PASSED             UNIT                         ACTIVATES
+Mon 2019-04-01 02:59:14 CEST  15h left Sun 2019-03-31 10:52:49 CEST  24min ago          apt-daily.timer              apt-daily.service
+Mon 2019-04-01 06:20:40 CEST  19h left Sun 2019-03-31 10:52:49 CEST  24min ago          apt-daily-upgrade.timer      apt-daily-upgrade.service
+Mon 2019-04-01 07:36:10 CEST  20h left Sat 2019-03-09 14:28:25 CET   3 weeks 0 days ago systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service
+
+3 timers listed.
+```
+
 ## SUID
 
 SUID/Setuid stands for "set user ID upon execution", it is enabled by default in every Linux distributions. If a file with this bit is ran, the uid will be changed by the owner one. If the file owner is `root`, the uid will be changed to `root` even if it was executed from user `bob`. SUID bit is represented by an `s`.

Methodology and Resources/Windows - Privilege Escalation.md

@@ -591,4 +591,5 @@ $ computer = "<hostname>"
 * [Pentestlab.blog - WPE-10 - Token Manipulation](https://pentestlab.blog/2017/04/03/token-manipulation/)
 * [Pentestlab.blog - WPE-11 - Secondary Logon Handle](https://pentestlab.blog/2017/04/07/secondary-logon-handle/)
 * [Pentestlab.blog - WPE-12 - Insecure Registry Permissions](https://pentestlab.blog/2017/03/31/insecure-registry-permissions/)
-* [Pentestlab.blog - WPE-13 - Intel SYSRET](https://pentestlab.blog/2017/06/14/intel-sysret/)
+* [Pentestlab.blog - WPE-13 - Intel SYSRET](https://pentestlab.blog/2017/06/14/intel-sysret/)
+* [Alternative methods of becoming SYSTEM - 20th November 2017 - Adam Chester @_xpn_](https://blog.xpnsec.com/becoming-system/)