AgentSkillsCN

vulnerability-escalation

分析特权提升路径与漏洞链。当您需要研究漏洞利用后的后续行动或提升技术时,可使用此功能。

SKILL.md
--- frontmatter
name: vulnerability-escalation
description: Analyze privilege escalation paths and vulnerability chains. Use when researching post-exploitation or escalation techniques.
allowed-tools: Bash(python *), Bash(uv *), Bash(pipx *)

Vulnerability Escalation

Research and analyze privilege escalation techniques and vulnerability chains for security assessment. Find where vulnerable software is deployed across your infrastructure.

Prerequisites

Install the assetquery CLI tool:

bash
# Recommended — works on all platforms
uv tool install "assetquery[all]"

# Alternative
pipx install "assetquery[all]"

Warning: Do not use bare pip install on macOS or Linux — it will fail due to PEP 668 externally-managed environment restrictions. Use uv tool install or pipx install instead.

Then check provider health and configure credentials:

bash
assetquery providers

Configuration: ~/.mallory/assetquery/config.yaml

Provider credentials use ambient environment variables (AWS_PROFILE, GITHUB_TOKEN, CROWDSTRIKE_CLIENT_ID, etc.). See reference.md for details.

Tools

Use the escalation script to find where vulnerable software is deployed:

bash
# Find where a specific package is deployed (by PURL)
python ${CLAUDE_PLUGIN_ROOT}/skills/vulnerability-escalation/scripts/escalation.py find "pkg:pypi/requests@2.28.0"

# Find by CPE
python ${CLAUDE_PLUGIN_ROOT}/skills/vulnerability-escalation/scripts/escalation.py find "cpe:2.3:a:apache:log4j:2.14.0:*:*:*:*:*:*:*"

# Find by vendor/product/version
python ${CLAUDE_PLUGIN_ROOT}/skills/vulnerability-escalation/scripts/escalation.py find --vendor apache --product log4j --version 2.14.0

# List all assets and their vulnerabilities
python ${CLAUDE_PLUGIN_ROOT}/skills/vulnerability-escalation/scripts/escalation.py list

# List vulnerability definitions only
python ${CLAUDE_PLUGIN_ROOT}/skills/vulnerability-escalation/scripts/escalation.py list --type definitions

# Check provider health
python ${CLAUDE_PLUGIN_ROOT}/skills/vulnerability-escalation/scripts/escalation.py providers

Output defaults to JSON. Use --output table for human-readable output.

When to Use

  • Research privilege escalation techniques for a platform
  • Analyze vulnerability chains (initial access to full compromise)
  • Find where vulnerable software is deployed across infrastructure
  • Document post-exploitation paths
  • Assess lateral movement opportunities
  • Evaluate defense-in-depth effectiveness

Analysis Workflow

  1. Identify Entry Point: Get vulnerability details from Mallory API
  2. Find Deployed Instances: Use escalation.py find with the CVE's CPE or PURL
  3. Map Local Escalation: Find privilege escalation paths on affected assets
  4. Assess Lateral Movement: Identify network propagation vectors
  5. Document Chain: Create full attack chain diagram
  6. Recommend Mitigations: Suggest defensive controls prioritized by exposure

Common Escalation Categories

Linux/Unix

  • SUID/SGID binaries
  • Sudo misconfigurations
  • Kernel exploits
  • Cron job abuse
  • Writable service files

Windows

  • Token impersonation
  • Service misconfigurations
  • UAC bypass
  • Unquoted service paths
  • DLL hijacking

Cloud/Container

  • IAM policy abuse
  • Container escape
  • Metadata service access
  • Cross-account pivoting

Resources

  • GTFOBins - Unix binaries for escalation
  • LOLBAS - Windows living-off-the-land binaries
  • HackTricks - Escalation techniques reference

Data Access

Mallory API (vulnerability intelligence)

Use the mallory-api skill for vulnerability details, exploitation activity, and exploit data:

  • client.vulnerabilities.get("identifier") — Vulnerability details
  • client.vulnerabilities.exploitations("identifier") — Exploitation activity
  • client.vulnerabilities.exploits("identifier") — Known exploits
  • client.vulnerabilities.export("identifier") — Full profile with relationships
  • client.search.query(q="...", types="vulnerability") — Search for vulnerabilities

assetquery (deployed asset discovery)

Use escalation.py to find where affected software is running:

  • find <CPE|PURL> — Locate deployed instances of a vulnerable package
  • find --vendor V --product P --version V — Search by component
  • list — Inventory all assets from enabled providers
  • list --type definitions — List vulnerability definitions across providers
  • providers — Check which providers are configured and healthy

Combined workflow

  1. Look up the CVE in Mallory to get affected products, CVSS score, and exploit availability
  2. Use the CPE or PURL from the vulnerability to find deployed instances
  3. Assess exposure: which assets are affected, in which environments
  4. Prioritize remediation based on exploitability and deployment scope